web security

6 articles

CVE, web security, supply chain, remediation, development

CVE-2026-45618: Your Template Engine Runs Arbitrary Code. CVSS 10.

LiquidJS, a templating library with 7 million monthly downloads, lets attackers run any code on your server through a crafted template string. No login required. Public exploit available.

Jun 4, 2026

CVE, web security, small business, remediation

CVE-2026-41940: Two Characters Give an Attacker Root on Your Hosting Panel

An unauthenticated CRLF injection in cPanel gives full root control. If your website runs on shared hosting, your host might already be compromised. CVSS 9.8.

May 31, 2026

AI, vibe coding, web security, development

Vibe Coding Is a Security Disaster and Nobody Cares

380,000 AI-built apps deployed with zero security review. 45% of AI-generated code has OWASP Top 10 vulnerabilities. An AI social network leaked its entire database in 3 days. But sure, ship it.

May 25, 2026

CVE, web security, remediation, small business, CISA KEV, Drupal

CVE-2026-9082: If Your Website Runs Drupal on PostgreSQL, It's Leaking Data

Anonymous SQL injection in Drupal core. No login required. On CISA KEV. Mass scanning started within days. If you run Drupal on PostgreSQL, patch right now or take it offline.

May 21, 2026

CVE, web security, small business, CISA KEV

Your Next.js Auth Middleware Was Decorative This Whole Time

Set one HTTP header and skip all middleware. Authentication, authorization, rate limiting, all of it. CVE-2025-29927. Confirmed exploitation in the wild. If you run Next.js, update now.

May 20, 2026

WordPress, web security, supply chain

Your WordPress Site Is Probably Already Compromised

30-40% of WordPress sites are running plugins with known vulnerabilities. A supply chain attack just backdoored 400,000 sites through trusted plugin updates. If you run WordPress, read this.

May 4, 2026