vulnerability

A critical SolarWinds Web Help Desk vulnerability (CVE-2025-26399) allows attackers to execute commands via deserialization flaws. CISA warns organizations to patch immediately.

Query injection threatens AI agents—learn how hackers alter prompts, the risks, and defenses to secure autonomous systems.

GDI flaws in Windows allow remote code execution—learn about the CVEs, risks, and patches to secure your system from EMF-based attacks.

CVE-2025-11001 and CVE-2025-11002 in 7-Zip allow code execution via malicious ZIPs—update to v25.00, disable symlinks, and use antivirus to avoid path traversal attacks.

Critical command injection flaw in Figma's MCP server (CVSS 7.5) allows RCE via unsanitized inputs in curl fallback; patched in v0.6.3. Imperva warns of risks in AI dev tools like Cursor—avoid exec with untrusted data amid rising LLM threats like Gemini's ASCII smuggling.

Unspecified flaw in Oracle E-Business Suite's BI Publisher Integration allows unauthenticated HTTP attacks to hijack Concurrent Processing, exploited in ransomware campaigns. Apply patches, follow BOD 22-01 guidance, or discontinue use to protect enterprise operations from data encryption and downtime.

DeepMind's CodeMender uses Gemini models to spot, patch, and rewrite vulnerable code, upstreaming 72 fixes to OSS projects. Google launches AI VRP for threat reports up to $30K and updates SAIF v2 to combat AI risks like prompt injections—empowering developers against cyber threats.

CVE-2025-56383 exposes Notepad++ v8.8.3 and earlier to DLL hijacking attacks, allowing local code execution via malicious plugins like NppExport.dll. PoC shows persistence risks—update now and monitor for infections until patched.

SolarWinds patches CVE-2025-26399 (CVSS 9.8), a deserialization flaw in Web Help Desk allowing unauthenticated RCE; it's a bypass of CVE-2024-28988. Affects versions up to 12.8.7—upgrade to HF1. Discovered by Trend Micro ZDI; Qualys QID 733223 for detection.

A zero-click flaw in ChatGPT’s Deep Research agent allowed attackers to exfiltrate sensitive Gmail data via hidden email prompts. OpenAI patched the service-side vulnerability in 2025 to prevent stealthy data leaks from its cloud infrastructure.