CVE

28 articles

CVE, web security, supply chain, remediation, development

CVE-2026-45618: Your Template Engine Runs Arbitrary Code. CVSS 10.

LiquidJS, a templating library with 7 million monthly downloads, lets attackers run any code on your server through a crafted template string. No login required. Public exploit available.

Jun 4, 2026

TeamPCP, supply chain, CVE, small business

TeamPCP: The Supply Chain Attackers Who Won't Stop

7 waves. 170+ packages. VS Code extensions. Jenkins plugins. A self-propagating worm. And they breached GitHub itself. Here's the full timeline of the most prolific supply chain campaign of 2026.

Jun 1, 2026

CVE, infrastructure, remediation, SMB, file shares

CIFSwitch: Your Network File Shares Just Gave Someone Root

A 19-year-old flaw in how Linux handles SMB/CIFS file shares lets any local user become root. If your office uses shared drives on a Linux server, you need to patch today.

May 31, 2026

CVE, web security, small business, remediation

CVE-2026-41940: Two Characters Give an Attacker Root on Your Hosting Panel

An unauthenticated CRLF injection in cPanel gives full root control. If your website runs on shared hosting, your host might already be compromised. CVSS 9.8.

May 31, 2026

CVE, AI, remediation, infrastructure, CISA KEV

CVE-2026-42208: Your AI Gateway Has a SQL Injection. On the Auth Path.

LiteLLM, the proxy that manages your AI API keys, has a pre-auth SQL injection. CVSS 9.8. On CISA KEV. Exploited 36 hours after disclosure. Every API key it stores is compromised.

May 31, 2026

CVE, infrastructure, remediation

Redis Has a 13-Year-Old RCE Bug. CVSS 10. You're Probably Running It.

A use-after-free in Redis's Lua engine has been there since 2012. CVSS 10.0. Demonstrated at Pwn2Own. If your app uses Redis for caching or sessions, you need to check your version.

May 31, 2026

CVE, supply chain, remediation, small business, Fortinet

CVE-2026-35616: Your Security Tool Just Installed Malware on Every Device

Attackers exploited FortiClient EMS to push a credential stealer disguised as a Fortinet firmware update. Your endpoint management system delivered the malware for them. You can't make this up.

May 29, 2026

CVE, AI, LLM, post-exploitation

CVE-2026-39987: An AI Agent Hacked a Database in Under an Hour

An attacker exploited a Marimo notebook, let an LLM agent do the post-exploitation, and it dumped an entire PostgreSQL database in 4 pivots. This is the first documented LLM-agent intrusion in the wild.

May 29, 2026

CVE, zero-day, remediation, infrastructure

Gogs Has a CVSS 9.4 Zero-Day With No Patch. A Metasploit Module Is Out.

Any user can get remote code execution on a Gogs server through a malicious branch name. The maintainer was told in March. It's still not fixed. There's a public exploit. Self-hosters, good luck.

May 29, 2026

CVE, Palo Alto, VPN, CISA KEV

CVE-2026-0257: Palo Alto GlobalProtect Auth Bypass Now on CISA's Hit List

CISA just added this Palo Alto GlobalProtect vulnerability to the Known Exploited Vulnerabilities catalog. If your VPN runs on PAN-OS, your remote workers might not be the only ones connecting.

May 28, 2026

CVE, GitHub, SSRF, infrastructure

CVE-2026-9312: GitHub Enterprise Server Has an SSRF. Yes, That GitHub.

An unauthenticated attacker can reach internal services and steal credentials through GitHub Enterprise Server. If GitHub can ship an SSRF, what's hiding in your infrastructure?

May 28, 2026

supply chain, CVE, security operations, TeamPCP

Stop Auto-Updating Everything. Seriously.

The biggest supply chain attack in npm history just happened. 160+ packages compromised. If you had auto-updates on, you swallowed the poison automatically. Here's what to do instead.

May 28, 2026

CVE, Gitea, containers, access control

CVE-2026-27771: Your 'Private' Container Images Were Never Private. For Four Years.

Gitea's container registry had a critical access control flaw that let anyone pull 'private' images without authentication. It went undetected for nearly four years. 30,000 deployments affected.

May 27, 2026

CVE, AI, FastAPI, authentication bypass

CVE-2026-48710 (BadHost): One Character Breaks Your Entire AI Stack

A single slash in the HTTP Host header bypasses authentication on FastAPI, vLLM, MCP servers, and basically every Python AI service. 325 million downloads per week affected.

May 26, 2026

CVE, UniFi, network security

CVE-2026-34908: Your UniFi Router Is Wide Open

Three CVSS 10.0 vulnerabilities in Ubiquiti UniFi OS. 100,000 exposed devices. No authentication required. If you run UniFi gear, patch right now.

May 23, 2026

CVE, web security, remediation, small business, CISA KEV, Drupal

CVE-2026-9082: If Your Website Runs Drupal on PostgreSQL, It's Leaking Data

Anonymous SQL injection in Drupal core. No login required. On CISA KEV. Mass scanning started within days. If you run Drupal on PostgreSQL, patch right now or take it offline.

May 21, 2026

supply chain, VSCode, CVE, TeamPCP

Your Code Editor Just Became a Backdoor. Here's What Happened.

A poisoned VS Code extension breached GitHub's internal repos. 3,800 repositories. 18 minutes. If you install extensions without thinking, you need to read this.

May 21, 2026

CVE, infrastructure, remediation, Linux

CopyFail 3: Linux Root Through a Race Condition (Yes, Again)

The third Linux kernel privilege escalation in six weeks. This one steals your passwords and SSH keys on the way up. Working exploits are public. Patch now.

May 20, 2026

CVE, web security, small business, CISA KEV

Your Next.js Auth Middleware Was Decorative This Whole Time

Set one HTTP header and skip all middleware. Authentication, authorization, rate limiting, all of it. CVE-2025-29927. Confirmed exploitation in the wild. If you run Next.js, update now.

May 20, 2026

CVE, AI, infrastructure, remediation

vm2 Sandbox Escape: Your AI Agent's Code Runner Just Got Owned

Three CVEs. CVSS 10.0. The Node.js sandbox library used by AI agents, online code runners, and plugin engines can be escaped with a WebAssembly trick. The sandbox was never safe.

May 17, 2026

CVE, Microsoft, Exchange, zero-day, CISA KEV

CVE-2026-42897: Microsoft Exchange Zero-Day Is Being Exploited Right Now

A crafted email is all it takes. Open it in Outlook Web Access and an attacker runs JavaScript in your browser. No patch yet. Here's what to do if you run Exchange on-prem.

May 15, 2026

CVE, TeamPCP, supply chain, remediation

TeamPCP Backdoored a Security Scanner. Your Security Tools Are the Target.

The Checkmarx Jenkins plugin, installed to find vulnerabilities in your code, was itself compromised with an infostealer. CVE-2026-33634. CVSS 9.4. Every secret in your CI/CD pipeline was exfiltrated.

May 10, 2026

CVE, infrastructure, remediation, CISA KEV

Dirty Frag: The Second Linux Root Exploit in Two Weeks

Two new kernel vulnerabilities chain together for race-free root on every major distro. Exploited within 24 hours of disclosure. Same primitive class as Dirty Pipe and CopyFail. Patch your servers.

May 8, 2026

CVE, firewall, Palo Alto, network security, Fortinet, SonicWall

CVE-2026-0300: Your Firewall Is the Vulnerability

Palo Alto firewalls are being exploited for root-level code execution. SonicWall and Fortinet are getting hit too. 56% of compromised networks trace back to a firewall. The irony is painful.

May 7, 2026

CVE, infrastructure, remediation, CISA KEV

CVE-2026-31431: 732 Bytes Gets You Root on Every Linux Distro

A 9-year-old kernel bug. 732-byte exploit. Works identically on Ubuntu, RHEL, Debian, Fedora, Amazon Linux. No race condition needed. On CISA KEV. Patch your servers.

May 1, 2026

CVE, Cisco, Webex

CVE-2026-20184: Anyone Can Impersonate Anyone on Cisco Webex

CVSS 9.8. No authentication required. An attacker can impersonate any user in your Webex org, access meetings, files, and conversations. Here's what you need to know.

Apr 19, 2026

CVE, Zoom, RCE, collaboration

CVE-2026-22844: Zoom Has a CVSS 9.9 and Nobody's Talking About It

A meeting participant can execute code on your Zoom infrastructure. CVSS 9.9. If you self-host Zoom rooms or use on-prem Zoom infrastructure, this is an emergency.

Mar 11, 2026

CVE, zero-day, infrastructure, CISA KEV

Ivanti Zero-Days Breached Four Governments Before Anyone Got a Patch

The Dutch data authority. The European Commission. Finland. The Council for the Judiciary. All breached through Ivanti EPMM zero-days. CVSS 9.8. If you manage mobile devices with Ivanti, check your version now.

Feb 3, 2026