u/_cybersecurity_

The recent increase in Chrome vulnerabilities identified by Google is likely due to the enhanced capabilities provided by artificial intelligence.

Key Points:

• The number of vulnerabilities soared to 100 in the advisory published on May 5.
• Over 70 vulnerabilities in recent updates were found internally by Google.
• AI has reportedly accelerated vulnerability discovery processes across multiple tech giants.

Google has witnessed a remarkable leap in the number of Chrome vulnerabilities identified, peaking at 100 in early May. This surge has coincided with advancements in artificial intelligence that are reportedly transforming how security vulnerabilities are detected and mitigated. In comparison, previous advisories highlighted a much smaller number of vulnerabilities, illustrating a significant uptick in discoveries which suggest that AI is increasingly becoming a critical tool in cyber defense.

As Google has indicated, these recent advancements allow for quicker and more effective identification of potential risks and vulnerabilities. While specifics about the AI models for Chrome have not been disclosed, the tech giant's own tools such as CodeMender and Big Sleep, coupled with external tools like Claude Mythos, have likely played a role. Other organizations, including Mozilla and Microsoft, have reported similar successes, underscoring a larger trend in the industry towards integrating AI for security solutions. This shift denotes a potential new era in cybersecurity, where AI not only identifies vulnerabilities but also aids in automating their remediation.

What impact do you think AI will have on the future of cybersecurity and vulnerability management?

Learn More: Security Week

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

The cybersecurity landscape is facing a crisis as the rapid discovery of vulnerabilities outpaces visibility, leaving organizations increasingly at risk.

Key Points:

• Over 48,000 vulnerabilities were published in 2025, with many remaining undiscovered.
• The time to exploitation has dropped to a negative number, meaning threats can proliferate before patches are available.
• Only 58 CVEs have been identified as critical threats to enterprise supply chains.
• AI is exacerbating the speed of vulnerability discovery while complicating visibility.

The ongoing supply chain security crisis is marked by an alarming rate of cybersecurity vulnerabilities. In 2025 alone, more than 48,000 Common Vulnerabilities and Exposures (CVEs) were published. However, a critical challenge highlighted by cybersecurity firm Black Kite is that the average time to exploit these vulnerabilities has effectively gone negative, indicating that many vulnerabilities are being targeted before any patch could be applied. This time frame presents an overwhelming challenge for organizations that rely on patch management as a primary defense mechanism. The reality is that security through patching is no longer viable; companies need to focus on the vulnerabilities that truly matter.

Among those thousands of vulnerabilities, only 58 have been identified as genuinely discoverable and exploitable threats to enterprise supply chains. This stark contrast emphasizes the need for companies to have better visibility into their exposure levels within their supply chains. Reasonably, how can organizations prioritize their defenses if they lack awareness of which CVEs pose significant risks? The concerns are further compounded by advancements in artificial intelligence which, while beneficial in some contexts, also brings a new level of complexity. AI is enabling faster identification of vulnerabilities, yet it is also creating new applications that could contain critical weaknesses. The challenges of visibility into software being utilized by organizations further highlight an uphill battle in mitigating these risks.

What strategies do you think companies should adopt to improve visibility into their supply chain vulnerabilities?

Learn More: Security Week

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

A single cached access key poses a significant threat to cloud environments, highlighting the vulnerabilities of identity-based security.

Key Points:

• Cached credentials create attack paths across hybrid environments.
• Identity carries permissions that can lead to critical assets.
• 90% of identity-based incidents are preventable with proper tools.

A cached access key from a user’s session can lead to critical vulnerabilities within a company's cloud infrastructure, as evidenced by a recent incident where a single key granted access to 98% of an entity's cloud resources. This realization underlines the importance of recognizing identity as a significant attack path rather than merely a perimeter issue. The increasing reliance on Active Directory, cloud identity providers, and AI agents means that every credential, once compromised, can become a gateway for attackers.

Unfortunately, many organizations still perceive identity management as a basic control measure limited to authentication and access policies, often overlooking the significant risks that lurk inside their environments. Once an attacker gains access through a foothold, they can traverse boundaries using compromised identities to reach critical assets. With identity weaknesses involved in 90% of incident response investigations by Palo Alto, it is evident that the threat landscape is evolving, yet security systems lag in adaptation to these emerging risks.

How can organizations better integrate identity management to prevent unauthorized access in hybrid environments?

Learn More: The Hacker News

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

Cybersecurity concerns rise as AI-driven intrusions and advanced persistent threats emerge alongside weaknesses in trusted software.

Key Points:

• 47 zero-days reported during Pwn2Own hacking contest.
• U.K. warns organizations about risks associated with agentic AI tools.
• New sophisticated malware campaigns utilizing social engineering tactics unveiled.

This week highlights the pressing cybersecurity challenges faced globally, centered on the intersections of advanced malware, social engineering, and the exploitation of widely trusted software. The recent Pwn2Own contest revealed 47 zero-day vulnerabilities across major platforms, underscoring the urgent need for organizations to patch their systems promptly. These flaws serve as gateways for attackers to breach networks and extract sensitive information.

Furthermore, the U.K. National Cyber Security Centre has issued a warning about the use of agentic AI tools, emphasizing their potential for generating unauthorized access incidents if not properly controlled. The evolving nature of AI allows attackers to craft more efficient and dynamic attacks, making traditional defenses inadequate. In light of recent incidents involving social engineering schemes across platforms like Telegram and the discovery of advanced malware, such as a new Brazilian banking trojan, organizations must remain vigilant and proactive in their cybersecurity practices.

This trend is alarming, as malware campaigns become increasingly sophisticated, leveraging trust and familiarity to mask their malicious intents. For instance, the emergence of LINUX rootkits and the exploitation of popular tools like Composer highlight how attackers are exploiting weaknesses within systems that users typically rely on, pushing the boundaries of conventional cybersecurity defenses.

How can organizations enhance their defenses against AI-driven attacks and emerging malware threats?

Learn More: The Hacker News

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

Microsoft has announced that two significant vulnerabilities in Defender are currently being exploited, raising serious security concerns for users.

Key Points:

• CVE-2026-41091 allows privilege escalation, rated 7.8 on the CVSS scale.
• CVE-2026-45498 is a denial-of-service flaw in Defender, rated 4.0 on the CVSS scale.
• Systems with disabled Microsoft Defender are not vulnerable to these exploits.
• Five researchers were credited with discovering the vulnerabilities.
• Both flaws have been added to CISA's Known Exploited Vulnerabilities catalog.

Microsoft recently disclosed that two vulnerabilities in its Defender software are currently being exploited, raising alarms among customers and security professionals. The first vulnerability, tracked as CVE-2026-41091, has a CVSS score of 7.8, indicating a high severity. This flaw allows attackers to elevate their privileges to system-level operations, which could potentially enable them to gain full control over affected devices. The second vulnerability, CVE-2026-45498, rated at 4.0, is a denial-of-service issue that could disrupt system functionality in Defender. The active exploitation of these flaws necessitates immediate attention from users to ensure they are protected.

Microsoft has advised users to update to the latest versions of the Defender platform, which automatically applies any necessary patches without user intervention. For those who do not have Defender enabled, they remain insulated from these specific vulnerabilities. Notably, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized both vulnerabilities by adding them to its Known Exploited Vulnerabilities catalog, mandating that federal agencies address these flaws by June 3, 2026. This recent announcement from Microsoft adds to a growing list of vulnerabilities under active exploitation, including a recently disclosed cross-site scripting flaw in Exchange Server.

What steps do you think organizations should take to enhance their cybersecurity in light of these vulnerabilities?

Learn More: The Hacker News

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

A nine-year-old vulnerability in the Linux kernel enables local users to execute commands with root privileges and expose sensitive files.

Key Points:

• Vulnerability CVE-2026-46333 allows local users to execute commands as root.
• The flaw affects major distributions including Debian, Fedora, and Ubuntu.
• Successful exploitation can disclose sensitive data like SSH host keys and credential files.
• A proof-of-concept exploit has been released following the vulnerability disclosure.
• Immediate updates to the kernel are recommended to mitigate the risk.

Researchers have identified an unnoticed flaw in the Linux kernel that has persisted for nine years. Known as CVE-2026-46333 with a CVSS score of 5.5, this vulnerability relates to improper privilege management. It allows unprivileged local users to execute commands as root on standard installations of several popular Linux distributions, including Debian, Fedora, and Ubuntu. This is primarily due to a weakness in the kernel’s __ptrace_may_access() function, introduced in November 2016, which transforms any local shell into a potential pathway to root access or sensitive credential information.

The consequences of exploiting this flaw are severe, as it could enable local attackers to access critical files such as /etc/shadow, which contains hashed user passwords, and SSH host keys located in /etc/ssh/*_key. Moreover, there are multiple attack vectors available, including exploits targeting chage, ssh-keysign, pkexec, and accounts-daemon. In light of this vulnerability, security experts recommend updating to the latest kernel version from your Linux distribution as a primary countermeasure. In cases where updates cannot be applied immediately, an interim solution suggests raising

Learn More: The Hacker News

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

A severe vulnerability in Drupal Core may allow attackers to execute arbitrary code on PostgreSQL-based sites, necessitating urgent updates.

Key Points:

• Vulnerability tracked as CVE-2026-9082 has a CVSS score of 6.5.
• The flaw allows for remote code execution and information disclosure.
• Anonymous users can exploit the vulnerability on affected PostgreSQL sites.
• Several versions of Drupal have released patches, while older versions lack support.

Drupal has issued critical security updates to address a high-risk vulnerability within its Core, identified as CVE-2026-9082. This flaw specifically affects sites utilizing PostgreSQL and can lead to remote code execution, privilege escalation, or unauthorized data access if left unpatched. The importance of this issue is underscored by its CVSS score of 6.5, indicating a significant level of threat that Drupal site administrators must take seriously.

The vulnerability resides in the database abstraction API that is integral to Drupal Core. By exploiting this API, attackers can send specially crafted requests that can create arbitrary SQL injections. Such attacks can be launched by anonymous users, meaning that the risk is particularly pronounced for public-facing websites. To mitigate this critical threat, Drupal has released security updates for the current supported versions, but it is essential for site administrators to act swiftly to implement these updates and safeguard their sites against potential exploitation.

How quickly do you think organizations will adopt the necessary updates to protect against this vulnerability?

Learn More: The Hacker News

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

GitHub has confirmed that its internal repositories were breached due to a compromised Nx Console VS Code extension linked to a recent developer hack.

Key Points:

• A malicious version of the Nx Console extension was available for 18 minutes before being removed.
• The attack, attributed to TeamPCP, led to the exfiltration of around 3,800 internal repositories.
• GitHub stated that no customer information stored outside of their internal repositories is believed to have been impacted.

GitHub confirmed on Wednesday that the breach of its internal repositories stemmed from a compromised developer device connected to a malicious Nx Console extension. The Nx team disclosed that their extension, nrwl.angular-console, was breached after an attack followed the recent TanStack supply chain compromise, impacting several high-profile companies including OpenAI and Grafana Labs. The cybercriminal group TeamPCP is reportedly involved, indicating a worrying trend of software supply chain attacks targeting trusted developer tools.

Despite the severity of the breach, GitHub has reassured users that there is currently no evidence of impact on customer data stored externally. However, some internal repositories contained excerpts from customer interactions, and the company has committed to alerting customers should further impacts be identified. Following the breach, GitHub has enacted measures including rotating sensitive access credentials and monitoring for subsequent activities.

As experts weigh in, it is clear that this incident exposes vulnerabilities in the ecosystem of developer tools and supply chain security. With the rapid adoption of auto-updating software extensions, the risk of compromised updates presents a significant challenge. Security researchers urge for a reconsideration of practices around how open-source tools are secured and the need for structural changes within the marketplace models to mitigate future risks.

What measures do you think should be taken to enhance software supply chain security in developer tools?

Learn More: The Hacker News

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

A cybercriminal group, TeamPCP, is executing large-scale software supply chain attacks, compromising thousands of open source code repositories and eroding trust in the software ecosystem.

Key Points:

• TeamPCP claims to have accessed approximately 4,000 GitHub repositories through a poisoned VSCode extension.
• The group has conducted 20 waves of attacks recently, embedding malware in over 500 distinct software tools.
• Their tactics exploit software developers, creating a self-perpetuating cycle of malware distribution.
• TeamPCP has transitioned to an automated approach, utilizing a self-spreading worm called Mini Shai-Hulud.
• Organizations are urged to adopt strict security practices to mitigate the dangers of software supply chain attacks.

The ongoing cybersecurity threat posed by TeamPCP underscores their new level of aggression in targeting open source software. What was once a rare event known as a software supply chain attack has become alarmingly frequent, with the group recently claiming they breached GitHub through a compromised tool. This incident has raised significant concerns for developers and organizations relying on open source solutions, showcasing an emerging trend of systemic vulnerabilities that can be exploited by malicious actors. More than just an isolated breach, the attacks leverage compromised tools to infiltrate a diverse array of companies, creating a ripple effect of risk throughout their networks.

The self-sustaining nature of TeamPCP’s approach is particularly alarming. By inserting malware into widely used open source projects, they effectively turn developers into unwitting accomplices, who then propagate malicious code to their various platforms. The emergence of automated tactics, such as the Mini Shai-Hulud worm, reinforces the complexity of defending against these threats. While GitHub's statement indicates that the breached repositories contained their own code, the broader implications for the security of open source software tarnish the trust in a system that many developers depend upon for efficiency and innovation all the while raising outside questions about how effectively compromises can be detected and mitigated.

What measures do you think developers should take to protect themselves from supply chain attacks in the current landscape?

Learn More: Wired

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

Crypto drainers are increasingly sophisticated tools designed to steal assets from unsuspecting cryptocurrency users through social engineering tactics.

Key Points:

• Drainers use social engineering instead of malware for theft.
• The 'Drainer-as-a-Service' model allows affiliates to monetize phishing efforts.
• Understanding warning signs can help you detect potential scams.

In recent years, cryptocurrency theft operations have transformed into an organized underground service model, particularly through 'Drainer-as-a-Service' (DaaS) platforms. Unlike traditional malware that can infect devices, these drainers rely on tricking users into granting access to their wallets through fake crypto, NFT, or DeFi sites. Once victims mistakenly provide permission, funds can be swiftly transferred to the attacker's wallet. Research into platforms like Lucifer has revealed detailed operational frameworks that significantly resemble legitimate software services, indicating a high level of professionalism among cybercriminals.

The Lucifer DaaS model is particularly concerning because it allows affiliates to earn commission-based profits for driving traffic to scams, thus expanding the range of potential victims. Among their offerings are features like website cloning and automated deployment processes that significantly lower the technical barriers for would-be scammers. This evolution reflects a troubling trend in cybercrime where the sophistication and operational maturity of draining services continue to rise, making it increasingly challenging for individuals to safeguard their cryptocurrency assets.

What measures do you think can be implemented to better educate users about the dangers of crypto drainers?

Learn More: Bleeping Computer

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

The Flipper One combines modular design with Linux capabilities to enhance cybersecurity efforts.

Key Points:

• Flipper One supports various modules for customized functionality.
• It runs on a full Linux operating system for advanced features.
• Designed for cybersecurity professionals and enthusiasts.

Flipper has introduced the Flipper One, a modular cyberdeck aimed at both professionals and enthusiasts in the cybersecurity field. This innovative device allows users to expand its capabilities through interchangeable modules, tailoring the cyberdeck to individual needs and projects. The ability to switch out modules facilitates experimentation and enhances learning opportunities in cybersecurity techniques.

Moreover, the Flipper One runs a complete Linux operating system, which is familiar to many in the tech community and offers robust security features. The integration of Linux enables users to leverage a wide range of applications, tools, and resources available within the Linux ecosystem. This combination of modularity and an open-source operating system positions the Flipper One as a versatile toolkit for exploring various aspects of cybersecurity, from penetration testing to network monitoring.

How do you think modular designs will influence the future of cybersecurity tools?

Learn More: Cyber Security News

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

A critical vulnerability in Claude Code's network sandbox has been discovered, compromising user credentials and source code.

Key Points:

• Claude Code's network sandbox vulnerability affects multiple users and projects.
• Sensitive user credentials and source code may have been exposed to unauthorized access.
• Immediate action is required to assess the impact and secure affected systems.

Recent findings have uncovered a significant vulnerability within Claude Code's network sandbox, a popular platform used by developers for testing and deploying applications. This security flaw potentially allows unauthorized individuals to gain access to sensitive user credentials and project source code. The implications of this breach are severe, posing risks not only to individual users but also to organizations relying on the integrity of their code and customer data.

As the situation unfolds, it is vital for users of the network sandbox to take immediate precautions. This includes resetting passwords, auditing access logs for unusual activity, and monitoring their projects for any unauthorized modifications. Security experts are advising organizations to assess their exposure to ensure that any confidential information has not been compromised. This incident highlights the ongoing challenges in maintaining security within development environments, as even well-established platforms can fall prey to vulnerabilities.

What measures should developers take to protect their credentials when using cloud-based development platforms?

Learn More: Cyber Security News

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

Authorities have shut down First VPN, a service fueling various cybercriminal activities, marking a significant victory in the fight against cybercrime.

Key Points:

• Europol coordinated a crackdown on First VPN, a VPN favored by criminals for anonymity.
• The operation involved multiple law enforcement agencies across 16 countries.
• Thousands of user data from the VPN have been seized, providing leads on cybercriminals.
• The administrator of First VPN has been arrested, and several servers used by the service were taken offline.
• This operation highlights a focus on dismantling infrastructure that enables cybercrime, not just targeting individual criminals.

The shutting down of First VPN represents a significant milestone in global efforts against cybercrime. This service was commonly utilized by threat actors to obscure their activities during various illegal operations, including ransomware attacks and fraud schemes. The VPN’s ability to offer users anonymous payment methods and concealed infrastructure made it a popular choice among cybercriminals, which in turn led to its heavy involvement in notable cybercrime cases monitored by Europol in recent years.

On May 19 and 20, 2026, authorities from France, the Netherlands, and Ukraine collaborated to identify and detain the VPN’s administrator, accessing crucial user data that can now link individuals to previous cybercrime activities. The coordinated action not only took down the VPN's infrastructure but also allowed investigators to trace thousands of users connected to these illicit operations, paving the way for future investigations and potential prosecutions.

What do you think are the most effective strategies to combat the use of VPNs by cybercriminals?

Learn More: Hack Read

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

Microsoft is working on a patch for the YellowKey zero-day vulnerability that allows physical access to bypass Bitlocker encryption, while advising enterprises to tighten device security.

Key Points:

• YellowKey allows attackers with physical access to bypass Bitlocker encryption.
• Microsoft has issued temporary mitigation tips while considering a patch.
• Organizations should enhance physical security controls around devices.
• Data on mobile devices is particularly vulnerable to exploitation.
• Detection of the attack may be difficult for users.

Microsoft recently disclosed a zero-day vulnerability, called YellowKey, which poses a significant risk by allowing attackers physical access to bypass Windows Bitlocker encryption. This vulnerability could enable unauthorized individuals to read and write files on a compromised device. As of now, there is a public proof of concept available, heightening the urgency for businesses to respond. In an advisory, Microsoft has identified steps enterprises can take to mitigate potential exposure to this threat, tracked as CVE-2026-45585.

Cybersecurity experts emphasize that since exploitation requires direct access to vulnerable devices, organizations must prioritize their physical security policies. This includes managing access to devices, ensuring secure boot configurations, and reviewing risk assessments concerning lost or stolen hardware. Furthermore, the rise of mobile devices in corporate environments complicates security, making it critical for companies to implement stricter controls and discourage users from leaving devices unattended to protect sensitive data from the YellowKey vulnerability.

What measures can organizations take to enhance physical device security in light of the YellowKey vulnerability?

Learn More: CSO Online

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

A malicious campaign is silently subscribing Android users to costly premium text services without their consent, affecting users across multiple countries.

Key Points:

• Around 250 malicious apps identified as part of a global mobile billing fraud scheme.
• Malware targets specific mobile carriers in Thailand, Croatia, Romania, and Malaysia.
• Attackers utilize social engineering by impersonating popular applications to lure victims.

Recent findings from Zimperium's zLabs have revealed a significant mobile billing fraud campaign that has been active for almost ten months, involving around 250 malicious applications. These apps are designed specifically to exploit carrier billing through premium SMS messaging, potentially costing users significantly without their awareness. The campaign was first detected in March 2025, and it has continuously operated with the last recognition in January 2026.

A distinctive feature of this fraud operation is its targeted approach, which identifies mobile carriers across various countries such as Thailand, Croatia, Romania, and Malaysia. Upon installation, the malware checks the SIM card to ensure it is functioning on a targeted network, thus minimizing exposure. Attackers made use of popular brand names, including Facebook Messenger and TikTok, to trick users into downloading their harmful applications. Once installed on the correct networks, the malware would proceed to execute automated workflows that enabled it to enroll users in costly premium subscriptions, often without any user interaction or consent.

What measures do you think should be implemented to better protect Android users from such fraud schemes?

Learn More: Hack Read

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

Bitdefender's research reveals that the retired MSHTA tool is being misused by cybercriminals for executing fileless malware attacks on Windows systems.

Key Points:

• MSHTA remains active on Windows despite Internet Explorer's retirement in 2022.
• Cybercriminals are using MSHTA as a Living-off-the-Land binary to conduct fileless attacks.
• Attackers utilize social engineering tactics, including fake ads and pirated downloads, to lure victims.
• Multiple types of malware are being delivered through MSHTA, targeting sensitive user data.
• Not all MSHTA usage is malicious; legitimate software updates can also trigger detections.

Cybercriminals have begun exploiting MSHTA, a longstanding Windows tool originally designed to support Internet Explorer, which has remained enabled by default on modern systems for backward compatibility. This tool is now being manipulated in fileless malware attacks where malicious scripts run directly in system memory, making them harder to detect. By leveraging MSHTA, attackers create the illusion of legitimate administrative tasks, thereby obfuscating their real objectives.

Bitdefender uncovered that threat actors deploy social engineering strategies, such as fake Google ads and bundled malware disguised as popular software. These tactics lead users to download harmful files unwittingly. The research outlines different malware strains delivered via MSHTA, with some targeting credentials and sensitive information, while others operate stealthily to gather user data over extended periods. Given the benign nature of some MSHTA activities, as the tool is also used by legitimate software, organizations are urged to take precautionary measures, including restricting its usage where possible.

What steps should individuals and organizations take to protect themselves against fileless malware attacks?

Learn More: Hack Read

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

A serious command injection vulnerability in Honeywell's Control Network Module could allow attackers to execute arbitrary code via its web interface.

Key Points:

• CVE-2026-5433 has a critical CVSS score of 9.1, indicating severe risk.
• The vulnerability arises from inadequate input sanitation in the web interface.
• Exploitation may allow attackers to execute arbitrary commands without authentication.

The vulnerability labeled as CVE-2026-5433, revealed on May 21, 2026, affects the Honeywell Control Network Module (CNM), specifically within its web interface. The core issue stems from a command injection flaw where user-controlled input is not properly sanitized before being processed, thus enabling attackers to insert arbitrary operating system commands leveraging common command delimiters. This raises significant concerns given the potential for remote code execution (RCE) if malicious inputs are successfully crafted.

To exploit this vulnerability, attackers would require network access to the Honeywell CNM web interface, and with a CVSS score of 9.1, it is likely that no authentication is needed to carry out the attack. The specifics of the vulnerable versions have not been disclosed, which complicates the response. Until a patch becomes available, users and organizations utilizing this device should be vigilant and perhaps limit network access to this functionality as a precautionary measure.

What steps should organizations take to mitigate risks associated with unpatched vulnerabilities like CVE-2026-5433?

Learn More: The Hacker Wire

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

A flawed handling of SAML NameID values in authentik allows attackers to exploit XML comment injection, posing significant security risks.

Key Points:

• CVE-2026-40165 is a high-severity vulnerability (CVSS 8.7) affecting authentik.
• Attackers can exploit improper parsing of SAML NameID values to gain unauthorized access.
• Affected versions include authentik 2025.12.4 and earlier, and 2026.2.0-rc1 through 2026.2.2.
• Exploitation requires an attacker to have a valid account and the ability to modify their NameID.

The vulnerability identified as CVE-2026-40165 arises from the way authentik handles SAML assertions, specifically how it processes the NameID value. This issue is particularly alarming as it allows an attacker to inject XML comments into their NameID, causing the authentik system to truncate the value. For example, by altering their NameID to include an XML comment, the attacker can manipulate the parsing logic. This results in a situation where an incomplete or falsified identifier is used for authentication, potentially allowing the attacker to access other user accounts incorrectly identified as theirs.

To successfully exploit this vulnerability, the authentik instance must be set with a SAML Source, and crucially, the attacker must already possess an account on that SAML Source. They must also be able to alter their NameID within the SAML assertion being submitted. The attack hinges on the presence of XML Signing to facilitate success. The implications are significant, as attackers can potentially bypass authentik's authentication checks, gaining access to unintended user accounts and sensitive data without authorization. Organizations using vulnerable versions are strongly advised to upgrade to versions 2025.12.5 or 2026.2.3 to safeguard against this exposure.

What steps can organizations take to mitigate risks from authentication vulnerabilities like this?

Learn More: The Hacker Wire

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

Anthropic has patched a critical vulnerability in Claude Code that could have allowed attackers to bypass network sandbox protections and exfiltrate data.

Key Points:

• The vulnerability allowed bypassing outbound traffic restrictions, exposing sensitive data.
• It was discovered by researcher Aonan Guan, alongside another vulnerability tracked as CVE-2025-66479.
• The bypass involved a SOCKS5 hostname null-byte injection allowing malicious connections.
• Anthropic released the fix on November 26, 2025, prior to Guan's bug report submission.
• The vulnerability was not assigned a CVE identifier, leading to concerns about user awareness.

A significant security vulnerability in Claude Code, the AI framework from Anthropic, has raised concerns after being reported by cybersecurity researcher Aonan Guan. This vulnerability permitted an attacker to circumvent the network sandbox designed to block unauthorized outbound traffic. This sandbox is crucial as it aims to route all outgoing connections through a strict allowlist proxy, designed to monitor and control data transmission. The identified issues could lead to unauthorized data exfiltration, thereby threatening user security and privacy.

Specifically, one critical flaw, detailed by Guan, revolved around the handling of settings meant to restrict outbound access, a situation that could have critical implications for organizations relying on Claude Code in their production environments. The silence surrounding the resolution of this vulnerability has raised eyebrows, as the notification of the sandbox's lack of effectiveness did not reach users during the period the vulnerability existed. This lack of transparency highlights the importance of proper communication regarding vulnerabilities and fixes in crucial security systems.

What steps should companies take to better communicate vulnerabilities and patches to their users?

Learn More: Security Week

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

GitHub is probing unauthorized access to its internal repositories following a breach by the group TeamPCP, who claims to have compromised approximately 3,800 repositories.

Key Points:

• Unauthorized access by TeamPCP resulted in a substantial breach involving internal GitHub repositories.
• While GitHub has not found evidence of customer data exposure, the company is closely monitoring its infrastructure.
• The breach was linked to a compromised Microsoft Visual Studio Code extension, leading to exfiltration of internal data.

On Tuesday, GitHub confirmed it is investigating a significant breach tied to the threat actor TeamPCP, who has listed GitHub's source code and internal documents for sale on a cybercrime forum. The company stated that the compromised repositories possibly number around 3,800, though they have found no indication that customer data stored externally has been impacted. GitHub has pledged to notify customers if any further developments arise. The breach's potential implications highlight concerns over supply chain security, especially for services integral to developers worldwide.

In a follow-up on the investigation, GitHub noted that the breach likely stemmed from a compromised employee device, which involved a malicious Visual Studio Code extension. This type of vulnerability poses a risk not only to GitHub but also potentially impacts the vast ecosystem of developers and organizations reliant on their platform. As a precaution, GitHub is taking measures to rotate critical credentials to mitigate risks stemming from this incident. The company's response illustrates the growing need for robust cyber defenses as threats evolve and target key development tools.

What steps can organizations take to better protect against risks associated with supply chain vulnerabilities?

Learn More: The Hacker News

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub