March 2026 (30)
Agent Skill Marketplace Supply Chain Attack via GitHub Account Hijacking
[2 rules, 1 TTP, 2 IOCs] A supply chain attack targets agent skill marketplaces by exploiting GitHub username hijacking, allowing threat actors to intercept skill downloads from vulnerable repositories. Scanners showed significant disagreement when identifying malicious skills, and embedded live API credentials were also discovered.
Axessh 4.2 Stack-Based Buffer Overflow Vulnerability
[2 rules, 2 TTPs, 1 IOC] Axessh 4.2 is vulnerable to a stack-based buffer overflow in the log file name field, allowing local attackers to execute arbitrary code by supplying an excessively long filename.
DVDXPlayer Pro 5.5 Local Buffer Overflow Vulnerability (CVE-2019-25604)
[2 rules, 2 TTPs] DVDXPlayer Pro 5.5 is vulnerable to a local buffer overflow, allowing local attackers to execute arbitrary code by crafting malicious playlist files.
Xenstore Crash Vulnerability via Malicious Node Path Access (CVE-2026-23555)
[2 rules, 1 TTP] A guest VM issuing a Xenstore command with the node path '/local/domain/' can crash xenstored (CVE-2026-23555), or, if NDEBUG is defined, cause denial of service by consuming all CPU resources.
Jsrsasign < 11.1.1 Incorrect Conversion Vulnerability (CVE-2026-4602)
[2 rules, 1 TTP] Jsrsasign versions before 11.1.1 contain an incorrect conversion between numeric types: by calling modPow with a negative exponent, an attacker can force the computation of incorrect modular inverses and break signature verification.
jsrsasign DSA Signing Vulnerability (CVE-2026-4601)
[2 rules, 1 TTP] jsrsasign versions before 11.1.1 are vulnerable to a missing cryptographic step in the DSA signing implementation, allowing an attacker to recover the private key by manipulating the signature generation process.
Jsrsasign Infinite Loop Vulnerability (CVE-2026-4598)
[2 rules, 1 TTP] Jsrsasign versions before 11.1.1 are vulnerable to an infinite loop via the bnModInverse function when processing zero or negative inputs, potentially leading to a denial of service.
Belkin F9K1122 Router Stack-Based Buffer Overflow
[2 rules, 1 TTP] A stack-based buffer overflow vulnerability exists in Belkin F9K1122 version 1.00.33, allowing remote attackers to execute arbitrary code by manipulating the 'webpage' argument in the 'formWISP5G' function.
Tenda A15 Router Stack-Based Buffer Overflow (CVE-2026-4567)
[2 rules, 1 TTP] A stack-based buffer overflow vulnerability (CVE-2026-4567) exists in the UploadCfg function of the /cgi-bin/UploadCfg file in Tenda A15 firmware version 15.13.07.13, allowing remote attackers to execute arbitrary code by manipulating the File argument.
Tenda AC21 Router Buffer Overflow Vulnerability
[2 rules, 1 TTP] A buffer overflow vulnerability exists in Tenda AC21 firmware version 16.03.08.16, allowing remote attackers to execute arbitrary code by manipulating arguments to the formSetQosBand function.
WP Maps WordPress Plugin Time-Based SQL Injection Vulnerability (CVE-2026-2580)
[2 rules, 1 TTP] The WP Maps WordPress plugin before version 4.9.2 is vulnerable to time-based SQL injection via the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive information from the database.
Inner Warden Security Agent Capabilities
[2 rules, 1 TTP] The open-source Inner Warden project is a security agent leveraging eBPF for kernel-level monitoring and autonomous response actions such as IP blocking and process termination, aiming to create a distributed security mesh.
TeamPCP Deploys CanisterWorm on NPM After Trivy Compromise
[2 rules, 3 TTPs] TeamPCP deployed the CanisterWorm malware on the NPM package registry following a compromise of the Trivy scanning tool.
Trivy Scanner Compromised in Supply Chain Attack
[2 rules, 3 TTPs] The widely used Trivy scanner has been compromised in an ongoing supply chain attack, potentially impacting numerous organizations that use the tool for vulnerability management.
GhostLoader Malware Targeting macOS via GitHub and AI Workflows
[2 rules, 1 TTP] GhostLoader malware leverages GitHub repositories and AI-assisted development workflows to distribute credential-stealing payloads targeting macOS systems.
Claude Code Workspace Trust Dialog Bypass via Settings Loading Order (CVE-2026-33068)
[2 rules, 1 TTP] A maliciously crafted `.claude/settings.json` file in a Claude Code repository (versions prior to 2.1.53) can bypass the workspace trust confirmation dialog by exploiting a configuration loading order defect, allowing arbitrary code execution within a supposedly untrusted workspace.
Critical Vulnerabilities in Quest KACE SMA Allow System Takeover
[2 rules, 4 TTPs] Multiple critical vulnerabilities in Quest KACE Systems Management Appliance (SMA), including authentication bypass and 2FA bypass, allow unauthenticated attackers to achieve system takeover and cause denial of service; active exploitation is reported.
RagaSerpent 'Tax Audit' Campaign Targeting Multiple Countries
[2 rules, 1 TTP] The RagaSerpent cluster, also known as SideWinder-Adjacent, is conducting targeted attacks across multiple countries between 2025 and 2026, associated with a 'Tax Audit' themed campaign.
Trivy Security Scanner GitHub Actions Tag Hijacking for CI/CD Secret Theft
[2 rules, 4 TTPs] Attackers hijacked 75 tags associated with the Trivy Security Scanner GitHub Actions to steal CI/CD secrets from users of the compromised tags.
UniFi Network Application Vulnerabilities CVE-2026-22557 and CVE-2026-22558
[2 rules, 2 TTPs] A combination of path traversal (CVE-2026-22557) and NoSQL injection (CVE-2026-22558) vulnerabilities in the UniFi Network Application allows attackers to access files, escalate privileges, and potentially compromise the entire system.
Speagle Malware Hijacks Cobra DocGuard for Data Exfiltration
[2 rules, 1 TTP] The Speagle malware hijacks the Cobra DocGuard application to exfiltrate sensitive data from infected machines to attacker-controlled Cobra DocGuard servers, effectively masking malicious traffic as legitimate DocGuard communication.
China-Nexus Campaign Using Google Calendar as C2
[2 rules, 4 TTPs] A China-nexus threat actor is utilizing Google Calendar as command and control (C2) infrastructure to conduct stealthy operations.
Active Exploitation of SharePoint Deserialization Vulnerability (CVE-2026-20963)
[2 rules, 1 TTP] CVE-2026-20963, a SharePoint deserialization vulnerability, is under active exploitation and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, requiring immediate patching and auditing of potentially compromised data.
Potential snap-confine Privilege Escalation via CVE-2026-3888
[2 rules, 1 TTP] An unprivileged user may exploit CVE-2026-3888 to escalate privileges to root by creating malicious files in the /tmp/.snap directory.
Disruption of Large IoT DDoS Botnets
[2 rules, 1 TTP] Law enforcement has disrupted significant IoT botnets responsible for launching record-breaking distributed denial-of-service (DDoS) attacks, impacting the availability of targeted systems.
VoidStealer Steals Secrets by Debugging Chrome
[2 rules, 1 TTP] VoidStealer leverages Chrome debugging capabilities to extract sensitive information, such as credentials and session cookies, directly from the browser's memory.
Operation GhostMail: Russian APT Exploiting Zimbra XSS to Target Ukraine Government
[2 rules, 1 TTP] A Russian APT group is exploiting a Zimbra XSS vulnerability (details unspecified) to target the Ukrainian government in an operation dubbed 'GhostMail'.
SnappyClient Malware Delivered via HijackLoader
[2 rules, 3 TTPs] SnappyClient is a multi-functional malware delivered via HijackLoader that steals data from browsers, takes screenshots, logs keystrokes, and establishes a remote terminal for attacker command and control.
Vulnerabilities in Paxton Net2 Access Control Units
[2 rules, 8 TTPs, 1 IOC] Vulnerabilities in Paxton Net2 Access Control Units (ACUs) could allow unauthorized remote access to and control of secured doors, potentially affecting prisons and other high-security facilities.
CISA Urges Endpoint Management System Hardening After Cyberattack
[2 rules, 5 TTPs] CISA is urging hardening of endpoint management systems following a cyberattack against a US organization, highlighting the potential for significant impact via compromised management infrastructure.