en
Feedback
Vulnerability News

Vulnerability News

Open in Telegram

Every day new posts about vulnerabilities and cybersecurity news. Get the latest news about the cyberspace! Group: @VulnerabilityNewsGroup

Show more
5 051
Subscribers
+524 hours
+347 days
+12430 days
Attracting Subscribers
July '26
July '26
+70
in 0 channels
June '26
+156
in 0 channels
Get PRO
May '26
+204
in 0 channels
Get PRO
April '26
+187
in 0 channels
Get PRO
March '26
+254
in 0 channels
Get PRO
February '26
+116
in 0 channels
Get PRO
January '26
+166
in 0 channels
Get PRO
December '25
+134
in 0 channels
Get PRO
November '25
+139
in 0 channels
Get PRO
October '25
+8
in 0 channels
Get PRO
September '25
+12
in 0 channels
Get PRO
August '25
+13
in 0 channels
Get PRO
July '25
+11
in 0 channels
Get PRO
June '25
+12
in 0 channels
Get PRO
May '25
+18
in 1 channels
Get PRO
April '25
+14
in 0 channels
Get PRO
March '25
+21
in 0 channels
Get PRO
February '25
+17
in 0 channels
Get PRO
January '25
+15
in 1 channels
Get PRO
December '24
+262
in 1 channels
Get PRO
November '24
+206
in 1 channels
Get PRO
October '24
+166
in 0 channels
Get PRO
September '24
+146
in 0 channels
Get PRO
August '24
+137
in 0 channels
Get PRO
July '24
+96
in 1 channels
Get PRO
June '24
+91
in 0 channels
Get PRO
May '24
+95
in 0 channels
Get PRO
April '24
+104
in 0 channels
Get PRO
March '24
+149
in 0 channels
Get PRO
February '24
+279
in 0 channels
Get PRO
January '24
+395
in 0 channels
Get PRO
December '23
+327
in 0 channels
Get PRO
November '23
+38
in 0 channels
Get PRO
October '23
+32
in 0 channels
Get PRO
September '23
+47
in 0 channels
Get PRO
August '23
+53
in 0 channels
Get PRO
July '23
+51
in 0 channels
Get PRO
June '23
+42
in 0 channels
Get PRO
May '23
+43
in 0 channels
Get PRO
April '23
+67
in 0 channels
Get PRO
March '23
+65
in 0 channels
Get PRO
February '23
+45
in 0 channels
Get PRO
January '23
+67
in 0 channels
Get PRO
December '22
+62
in 0 channels
Get PRO
November '22
+71
in 0 channels
Get PRO
October '22
+70
in 0 channels
Get PRO
September '22
+55
in 0 channels
Get PRO
August '22
+44
in 0 channels
Get PRO
July '22
+54
in 0 channels
Get PRO
June '22
+78
in 0 channels
Get PRO
May '22
+46
in 0 channels
Get PRO
April '22
+77
in 0 channels
Get PRO
March '22
+105
in 0 channels
Get PRO
February '22
+48
in 0 channels
Get PRO
January '22
+61
in 0 channels
Get PRO
December '21
+99
in 0 channels
Get PRO
November '21
+68
in 0 channels
Get PRO
October '21
+170
in 0 channels
Get PRO
September '21
+72
in 0 channels
Get PRO
August '21
+104
in 0 channels
Get PRO
July '21
+72
in 0 channels
Get PRO
June '21
+292
in 0 channels
Get PRO
May '21
+1 344
in 0 channels
Date
Subscriber Growth
Mentions
Channels
11 July+6
10 July+6
09 July+5
08 July+7
07 July+9
06 July+4
05 July+7
04 July+9
03 July+10
02 July+3
01 July+4
Channel Posts
Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions Zimbra is urging customers to apply updates to address a critical security vulnerability impacting the Classic Web Client that could result in arbitrary code execution. The vulnerability has been described as a case of stored cross-site scripting (XSS) that could allow specially crafted emails to execute malicious scripts in a user's session. It has yet to be assigned a CVE identifier. "The https://thehackernews.com/2026/07/critical-zimbra-flaw-could-let-crafted_0483473395.html

2
Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026. "At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and https://thehackernews.com/2026/07/hackers-weaponize-balochistan-police.html
25
3
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagged the release six minutes after it was published. If you or one of your https://thehackernews.com/2026/07/compromised-jscrambler-8140-npm-release.html
21
4
Ghost Accounts Abuse GitHub API in Mass Recon Campaign Multiple campaigns are using ghost accounts to map GitHub organizations, including their repositories and members. The post Ghost Accounts Abuse GitHub API in Mass Recon Campaign appeared first on SecurityWeek. https://www.securityweek.com/ghost-accounts-abuse-github-api-in-mass-recon-campaign/
17
5
'Ghostcommit' hides prompt injection in images to fool AI agents, steal secrets A PNG hiding a prompt injection could steal your repo's secrets, researchers demonstrate. The technique, dubbed 'Ghostcommit,' slipped past AI code reviewers CodeRabbit and Bugbot, which never open image files at all, then convinced a coding agent to read a repo's .env and write every secret into the code as a list of numbers. [...] https://www.bleepingcomputer.com/news/security/ghostcommit-hides-prompt-injection-in-images-to-fool-ai-agents-steal-secrets/
18
6
Australia warns of global campaign targeting vulnerable CMS platforms The Australian Cyber Security Centre (ACSC) issued an alert about a global exploitation campaign targeting vulnerable content management systems (CMS) and plugins. [...] https://www.bleepingcomputer.com/news/security/australia-warns-of-global-campaign-targeting-vulnerable-cms-platforms/
19
7
Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, @injectivelabs/sdk-ts@1.20.21, came embedded with fake telemetry functionality that exfiltrated data from cryptocurrency wallets. The version was https://thehackernews.com/2026/07/injective-labs-github-compromise-pushes.html
103
8
URGENT - Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat Progress Software has told ShareFile customers to shut down the Windows servers running their Storage Zone Controllers, confirming to The Hacker News that it is responding to a "credible external security threat." The company has temporarily disabled access to the affected accounts, a step it says it took "out of an abundance of caution" while it works with internal and external security https://thehackernews.com/2026/07/urgent-progress-tells-sharefile.html
100
9
CISA Adds Two Known Exploited Vulnerabilities to Catalog CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-48939 iCagenda Unrestricted Upload of File with Dangerous Type Vulnerability CVE-2026-56291 Balbooa Forms Unrestricted Upload of File with Dangerous Type Vulnerability These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities. BOD 26-04 further establishes basic expectations for when agencies must check whether threat actors compromised the system before the patch was applied. While BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of KEV Catalog vulnerabilities. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. Aware of an exploited vulnerability not currently listed in the KEV Catalog? Submit it for potential addition through CISA’s KEV Nomination Form. Potential KEV additions must have a CVE ID, evidence of exploitation, and clear mitigation guidance. https://www.cisa.gov/news-events/alerts/2026/07/10/cisa-adds-two-known-exploited-vulnerabilities-catalog
77
10
Securing our future: July 2026 progress report on Microsoft’s Secure Future Initiative Microsoft’s latest Secure Future Initiative report outlines progress on secure foundations, AI-powered defense, and future-ready cybersecurity. The post Securing our future: July 2026 progress report on Microsoft’s Secure Future Initiative appeared first on Microsoft Security Blog. https://www.microsoft.com/en-us/security/blog/2026/07/10/securing-our-future-july-2026-progress-report-on-microsofts-secure-future-initiative/
56
11
Network of 200 GitHub Repositories Used for Malware Infection A Go module is used to load PowerShell code that fetches a resolver from public dead drops to execute Windows malware. The post Network of 200 GitHub Repositories Used for Malware Infection appeared first on SecurityWeek. https://www.securityweek.com/network-of-200-github-repositories-used-for-malware-infection/
49
12
‘HalluSquatting’ Turns AI Hallucinations Into Botnet Delivery Mechanism Researchers demonstrate adversarial hallucination squatting against popular AI assistants to achieve remote code execution. The post ‘HalluSquatting’ Turns AI Hallucinations Into Botnet Delivery Mechanism appeared first on SecurityWeek. https://www.securityweek.com/hallusquatting-turns-ai-hallucinations-into-botnet-delivery-mechanism/
33
13
GigaWiper Combines Multiple Malware for System-Level Sabotage The backdoor’s destructive capabilities include a standalone wiper, ransomware encryption, and a multi-pass wiping command. The post GigaWiper Combines Multiple Malware for System-Level Sabotage appeared first on SecurityWeek. https://www.securityweek.com/gigawiper-combines-multiple-malware-for-system-level-sabotage/
29
14
Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers The attackers call victims to direct them to phishing websites mirroring Microsoft Entra ID login pages. The post Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers appeared first on SecurityWeek. https://www.securityweek.com/okta-warns-of-vishing-attacks-targeting-microsoft-365-customers/
30
15
China, India-Linked Hackers Both Targeted Same Pakistani Police Force Both foes and allies have targeted the Balochistan Police force in Pakistan for at least two years, according to SentinelOne. The post China, India-Linked Hackers Both Targeted Same Pakistani Police Force appeared first on SecurityWeek. https://www.securityweek.com/china-india-linked-hackers-both-targeted-same-pakistani-police-force/
29
16
Third US Security Expert Sentenced to Prison for Helping Ransomware Gang Angelo Martino, a former ransomware negotiator, was sentenced to 70 months for helping the BlackCat/Alphv group. The post Third US Security Expert Sentenced to Prison for Helping Ransomware Gang appeared first on SecurityWeek. https://www.securityweek.com/third-us-security-expert-sentenced-to-prison-for-helping-ransomware-gang/
28
17
In Other News: DHS Database Hacked, Adobe Boosts Patch Cadence, Canada Disrupts Ransomware Ops Other noteworthy stories that might have slipped under the radar: Abnormal AI sued by Anthropic, AssuranceAmerica data breach affects 7 million people, NSA brings back TAO. The post In Other News: DHS Database Hacked, Adobe Boosts Patch Cadence, Canada Disrupts Ransomware Ops appeared first on SecurityWeek. https://www.securityweek.com/in-other-news-dhs-database-hacked-adobe-boosts-patch-cadence-canada-disrupts-ransomware-ops/
29
18
Former ransomware negotiator gets 4 years for BlackCat attacks A former employee of cybersecurity incident response company DigitalMint was sentenced to 70 months in prison for targeting U.S. companies in BlackCat (ALPHV) ransomware attacks. [...] https://www.bleepingcomputer.com/news/security/us-ransomware-negotiator-gets-4-years-in-prison-for-blackcat-attacks/
29
19
Zimbra urges customers to patch critical web client XSS flaw The Zimbra security team urged customers to patch a critical vulnerability affecting the Classic Web Client used to access the Zimbra Collaboration suite. [...] https://www.bleepingcomputer.com/news/security/zimbra-urges-customers-to-patch-critical-web-client-xss-flaw/
27
20
The Replicant in Your Directory: AI Agents and the Identity Security Gap AI agents are accelerating the growth of non-human identities, making it harder for organizations to understand what exists, who owns it, and what it can access. Netwrix explains why stronger visibility and identity governance are essential as AI expands the enterprise attack surface. [...] https://www.bleepingcomputer.com/news/security/the-replicant-in-your-directory-ai-agents-and-the-identity-security-gap/
27