radar.cysentrix

Security Radar

Page 1 of 10 · 1025 stories from the last 30 days across 19 trusted sources.

Actively exploited 23 actively exploited CVEs in current coverage
View all CVEs →
  • CVE-2025-5777

    Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

    1storyEPSS 100%
  • CVE-2026-10520

    An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a remote unauthenticated user to achieve root-level remote code execution

    1storyEPSS 99%
  • CVE-2026-33017

    Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

    1storyEPSS 98%
  • CVE-2026-35273

    Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

    2storiesEPSS 92%
  • CVE-2026-20253

    In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.

    6storiesEPSS 88%
  • CVE-2026-48907

    A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution.

    1storyEPSS 80%
BleepingComputer

Software Is Now Written at the Speed of Thought. Security Isn't.

Every evolution in software development has reduced the friction between an idea and a deployable application. AI may remove the final barrier, but it also removes many of the moments where security decisions have traditionally taken place. [...]

SANS Internet Storm Center

RCS and DNS: The NAPTR Record, (Mon, Jul 6th)

Over the last year, with recent updates to iOS and Android, RCS (Rich Communication Services) has become an increasingly used protocol [1]. RCS is supposed to eventually replace SMS, and in addition to richer formatting, provides added (but optional) security. RCS messages may...

BleepingComputer · Security Affairs · The Hacker News · SOCRadar · SecurityWeek6 stories

Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic

AIAdobe patched seven maximum-severity (CVSS 10.0) vulnerabilities in ColdFusion and Campaign Classic that could lead to remote code execution.

Open narrative →
vulnerability EPSS 1%
Show all coverage
SecurityWeek

North Korean Hackers Target Open Source Developers in Supply Chain Attacks

The PolinRider campaign has compromised more than 100 legitimate open source packages and repositories to deliver a backdoor and information stealer to developers. The post North Korean Hackers Target Open Source Developers in Supply Chain Attacks appeared first on SecurityWeek.

malwaresupply chain
Help Net Security

OpenSSH 10.4 arrives with security fixes and a post-quantum signature option

Operators who manage remote access to Unix and Linux systems keep a close watch on OpenSSH, the software that carries most SSH traffic across the internet. The project released version 10.4 with eight security fixes, a set of bug corrections, and a couple of new features. What...

Security Affairs

Hidden Web Prompts Trick AI Agents Into Sending Money

Hidden prompts on malicious websites trick AI agents into making payments or trusting fake sites, exposing new risks for autonomous AI workflows. Zscaler ThreatLabz documented two active campaigns that embed hidden instructions in web pages to manipulate AI agents, not human u...

SecurityWeek · Security Affairs · The Hacker News3 stories

New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

AIBad Epoll (CVE-2026-46242) lets unprivileged users gain root on Linux and Android; a fix is out.

Open narrative →
vulnerability
Show all coverage
SecurityWeek

Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments

Researchers uncovered two campaigns embedding indirect prompt injections in malicious websites to exploit autonomous AI agents browsing the web. The post Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments appeared first on SecurityWeek.

Schneier on Security

France to Stop Certifying Non-Quantum-Safe Encryption

France is accelerating its transition to post-quantum encryption: France’s cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift awa...

Security Affairs · The Hacker News2 stories

Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices

AISecurity firm runZero disclosed seven unpatched vulnerabilities in FatFs, a filesystem library used in millions of IoT and embedded devices, potentially causing memory corruption, crashes, or data leaks.

Open narrative →
vulnerabilityzero day
Show all coverage
CyberScoop

Finding vulnerabilities was never the hard part

AI is surfacing vulnerabilities at a scale the industry has never seen, and most organizations have no way to determine which ones actually matter. The post Finding vulnerabilities was never the hard part appeared first on CyberScoop.

vulnerability