Pixel 10 zero-click, LiteSpeed root, Drupal SQL exploited
Google Project Zero published a 0-click exploit chain for the Pixel 10, demonstrating a path from zero-click context to root on Android. The chain adapts their Dolby exploit from Pixel 9 and adds a kernel vulnerability in the VPU driver, which exposes hardware interfaces to userspace.
LiteSpeed's cPanel plugin (CVE-2026-48172, CVSS 10.0) is under active exploitation, allowing attackers to run arbitrary scripts as root. The flaw impacts plugin versions 2.3-2.4.4 and is patched in version 2.4.5 (bundled in WHM plugin 5.3.1.0). Users should upgrade or remove the plugin immediately.
Qualys TRU disclosed CVE-2026-46333, a 9-year-old logic flaw in the Linux kernel's __ptrace_may_access() that lets unprivileged users escalate to root. The bug (present since 2016) enables credential disclosure (SSH keys, /etc/shadow) and arbitrary command execution on major Linux distributions. Patches are available; working exploits are circulating.
A critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980, CVSS 9.4) is being actively exploited to compromise over 700 websites, including high-profile domains. Attackers steal admin API keys to inject JavaScript loaders that power ClickFix fake CAPTCHA attacks. The flaw, discovered by Anthropic's Claude, was patched in February 2026.
CISA added CVE-2026-9082 to its KEV catalog as Drupal's critical SQL injection flaw in Core sees active exploitation. Over 15,000 attack attempts hit nearly 6,000 sites across 65 countries, targeting PostgreSQL-backed deployments. Patches are available for all supported versions.
Anthropic's Project Glasswing, using Claude Mythos AI, uncovered over 10,000 high/critical-severity flaws across critical global software, with 1,094 confirmed true positives. A critical WolfSSL bug (CVE-2026-5194, CVSS 9.1) was among them. The findings have already led to 97 upstream patches.
Unit 42 details Iranian APT Screening Serpens using AppDomainManager hijacking and six new RAT variants to target technology and defense sectors in the US, Israel, and UAE during 2026 espionage campaigns tied to Middle East conflict.
Fox-IT reveals Lazarus Group's RemotePE, a cross-platform memory-only RAT targeting financial and crypto firms. It uses DPAPILoader and RemotePELoader in a multi-stage chain, executing entirely in memory with EDR evasion. The toolset is purpose-built for stealthy long-term access before high-impact theft.
A coordinated cross-ecosystem supply chain attack codenamed TrapDoor has hit npm, PyPI, and Crates.io with 34+ malicious packages across 384 versions. The packages deploy credential-stealing malware targeting crypto, DeFi, Solana, and AI developers, stealing secrets, crypto wallets, and SSH keys.
An automated campaign called Megalodon pushed 5,718 malicious commits to 5,561 GitHub repos in six hours, injecting Actions workflows that exfiltrate CI secrets and cloud credentials. SafeDep identified two payload variants, a mass variant and a dormant backdoor, with one impacted npm package propagating the malware.
Trail of Bits released gosentry, a fuzzing-oriented fork of the Go toolchain that integrates LibAFL, adds structured input parsing, grammar-based fuzzing, and detects bug classes like integer overflows and data races. It works with existing Go fuzz harnesses through the standard `go test -fuzz` interface.
Trail of Bits hardened zizmor, a GitHub Actions static analyzer, following the March 2026 Shai-Hulud supply chain attack. They fixed parsing bugs and deserialization edge cases, validated against 41,253 workflows from 6,612 high-value repos. The effort yielded 20 filed issues and 15 merged PRs.
CISA launched a nomination form allowing researchers, vendors, and industry partners to report exploited bugs for addition to the Known Exploited Vulnerabilities (KEV) catalog. The move crowdsources exploitation intelligence to accelerate KEV additions and defensive action across the ecosystem.
A CISA contractor publicly posted AWS GovCloud keys and agency secrets on GitHub via a profile called "Private-CISA." Lawmakers in both houses are demanding answers from CISA, which is still struggling to contain the breach. Experts noted the contractor deliberately disabled GitHub's credential-leak protections.
A CISA contractor exposed highly privileged AWS GovCloud credentials and internal system passwords in a public GitHub repository. Security researchers called it one of the worst government data leaks in recent history, with the admin having deliberately disabled GitHub's secret detection feature.
Dutch authorities arrested two hosting company co-owners for providing IT infrastructure used by Russia in cyberattacks and disinformation campaigns against the EU. More than 800 servers were seized in raids targeting MIRhosting and WorkTitans BV, which supported the sanctioned Stark Industries network.
Subscribe free