Adobe released a patch on April 11, 2026 for a prototype-pollution RCE in Acrobat Reader that has been exploited in the wild since December 2025. CVSS 8.6, Adobe Priority 1: apply within 72 hours.
A 32-bit integer overflow in macOS's XNU kernel stops the machine from establishing any new TCP connection once it has been up for about 49.7 days, the point at which a millisecond counter overflows a 32-bit field (2^32 ms). Apple has not implemented the handling described in RFC 7323, whose predecessor RFC 1323 dates from 1992.
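As an added illustration (not from the article, and not XNU's code): the article describes the bug only as a 32-bit overflow that hits after 49.7 days, so the C sketch below shows the general failure mode rather than XNU's actual code path. It computes why a free-running 32-bit millisecond counter wraps after 2^32 ms, then contrasts a plain "is this timestamp newer?" comparison, which rejects every new connection once the counter wraps, with the modular (serial-number) comparison that RFC 1323/7323 specify for TCP timestamps. The toy endpoint, the connection simulator and the timings are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example: 32-bit ms counter wrap and wrap-safe timestamp ordering.
 * Illustrative names only; none of this is XNU's real implementation. */

#define MS_PER_DAY    (24ULL * 60ULL * 60ULL * 1000ULL)
#define COUNTER_RANGE (1ULL << 32)   /* a uint32_t holds 2^32 ms before wrapping */

/* Uptime in days at which a uint32_t millisecond counter wraps: ~49.71 days. */
double days_until_wrap(void)
{
    return (double)COUNTER_RANGE / (double)MS_PER_DAY;
}

/* Has the 32-bit counter wrapped at least once after 'days' of uptime? */
bool counter_wrapped_after(double days)
{
    uint64_t uptime_ms = (uint64_t)(days * (double)MS_PER_DAY);
    return uptime_ms >= COUNTER_RANGE;
}

/* Naive ordering: plain unsigned comparison. Correct only while the
 * counter has never wrapped; after the wrap every "new" value is smaller. */
bool naive_is_newer(uint32_t now, uint32_t last)
{
    return now > last;
}

/* Wrap-safe ordering (serial-number arithmetic, the TCP timestamp rule):
 * the unsigned subtraction wraps modulo 2^32, and reinterpreting it as
 * signed yields the correct sign as long as the two values are less than
 * 2^31 apart. The cast relies on two's complement, as every target does. */
bool wrap_safe_is_newer(uint32_t now, uint32_t last)
{
    return (int32_t)(now - last) > 0;
}

/* Toy endpoint: a new connection is admitted only if its timestamp is newer
 * than the last one accepted, mimicking a per-host timestamp check. */
typedef struct {
    uint32_t last_ts;
} endpoint_t;

/* Simulate 'attempts' connections spaced 'step_ms' apart, starting when the
 * counter reads 'start_ms'. Returns how many connections were accepted. */
unsigned simulate_connections(bool (*is_newer)(uint32_t, uint32_t),
                              uint32_t start_ms, unsigned attempts, uint32_t step_ms)
{
    endpoint_t ep = { .last_ts = (uint32_t)(start_ms - step_ms) }; /* one earlier accepted connection */
    unsigned accepted = 0;
    for (unsigned i = 0; i < attempts; i++) {
        uint32_t now = (uint32_t)(start_ms + i * step_ms);  /* wraps modulo 2^32 */
        if (is_newer(now, ep.last_ts)) {
            ep.last_ts = now;
            accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    /* Constructed scenario: the counter is 4 s away from wrapping and a
     * connection arrives every second for 20 s. The naive check accepts the
     * 5 attempts before the wrap and nothing afterwards; the wrap-safe check
     * accepts all 20. */
    uint32_t start = UINT32_MAX - 4000u;
    printf("counter wraps after %.2f days\n", days_until_wrap());
    printf("naive compare accepted %u of 20\n",
           simulate_connections(naive_is_newer, start, 20, 1000));
    printf("wrap-safe compare accepted %u of 20\n",
           simulate_connections(wrap_safe_is_newer, start, 20, 1000));
    return 0;
}
```

The lesson generalises beyond TCP: any "is this value newer than the last one" check on a counter that can wrap needs the signed-difference comparison (or a wider counter), otherwise the system silently stops accepting work at a predictable uptime.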
The latest GlassWorm wave bundles Zig-compiled native binaries in an Open VSX extension and silently installs a second-stage payload across VS Code, Cursor, Windsurf, VSCodium, and Positron.
Google is shipping Device Bound Session Credentials (DBSC) to all Windows users in Chrome 146. The session's private key is held in the TPM, so a cookie stolen from the machine cannot be replayed from any other device (an attacker already running code on the same device is out of scope).
A CVSS 9.3 unauthenticated RCE in the Marimo Python notebook was exploited within hours of the advisory going public. Meanwhile, Astral has published a comprehensive description of the supply-chain security posture for uv and ruff: CI/CD pipeline hardening, Trusted Publishing, and Sigstore attestations.
A research project reverse-engineered Google DeepMind's SynthID image watermark with FFT-based spectral analysis; the V3 bypass removes 91% of the watermark's phase signal while keeping SSIM at 0.997. Is removing an invisible watermark copyright infringement? An analysis under the DMCA, the EU AI Act, and Japanese law.
The full picture of Operation Masquerade as disclosed by the FBI and the NCSC: APT28 tampered with DNS settings on SOHO routers to intercept Outlook authentication tokens. The techniques and the countermeasures.
An Adobe Reader/Acrobat zero-day has been actively exploited since November 2025. A two-bug chain achieves sandbox escape and RCE and affects every version, including the latest; no patch is available.
Anthropic's unreleased Claude Mythos Preview discovered thousands of zero-day vulnerabilities, including a 27-year-old OpenBSD bug and a 16-year-old FFmpeg bug. Deemed too dangerous for public release, it ships exclusively through Project Glasswing to 12 founding partners.
The fix for CVE-2024-41110 missed the upper bound: request bodies larger than 1 MB bypass AuthZ plugins. All Docker Engine versions before 29.3.1 are affected.
CVE-2025-59528: arbitrary code execution via the JavaScript Function() constructor in Flowise's CustomMCP node is being actively exploited, and more than 12,000 instances remain exposed on the internet.
A security scan of 50 open-source MCP servers found that 61% lack input validation. The article walks through real vulnerabilities in high-profile servers such as Playwright MCP and Puppeteer MCP, and asks when to skip MCP entirely and call CLI tools directly.