Active exploitation of CVE-2025-32975, a CVSS 10.0 authentication bypass in Quest KACE SMA, was confirmed starting the week of March 9, 2026. A patch has been available since May 2025, but systems that have not applied it are being targeted.
Five vulnerabilities confirmed as exploited by MuddyWater and DarkSword were added to the KEV catalog. The Craft CMS flaw is a CVSS 10.0 zero-day that has been under active exploitation since February, and the Laravel Livewire flaw is being used by MuddyWater against Middle Eastern infrastructure.
A Magento product-option API bug allows unauthenticated uploads of polyglot files that execute PHP code. In nginx 2.0.0-2.2.x environments the bug becomes full RCE; in other setups it can still lead to XSS and account takeover.
All four methods of evading Azure Entra ID sign-in logs, which exploit a SQL column overflow in the ROPC flow, have now been disclosed. GraphGoblin issues valid access tokens and is rated CVSS v4.0 8.7.
NVIDIA's NemoClaw protects OpenClaw agents with a four-layer sandbox, while Stripe's Machine Payments Protocol lets agents make payments without being handed private keys. How can an agent pay safely from inside the sandbox?
A buffer overflow was discovered in the LINEMODE SLC handler of GNU Inetutils telnetd. No authentication is required: root privileges can be gained just by connecting to port 23. All versions through 2.7 are affected, and no patch has been released.
Cisco Secure FMC's unauthenticated RCE flaw CVE-2026-20131 (CVSS 10.0) was added to CISA's KEV catalog; Interlock ransomware had been abusing it for 36 days before Cisco's public disclosure. Amazon Threat Intelligence later dissected the toolkit in detail.
The Chrome DevTools MCP server gained an --autoConnect option that lets coding agents attach directly to an existing browser session. A deep dive into the background of the MCP-versus-CLI debate, browser automation with OpenClaw, and the risks of delegating authenticated sessions.
GlassWorm has expanded to 72 Open VSX extensions, 151 GitHub repositories, and 88 npm packages, and a new supply-chain technique abuses the extensionDependencies field as a delivery channel.
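Because extensionDependencies (and the related extensionPack field) in an extension's package.json cause the editor to install further extensions automatically, a harmless-looking extension can pull in a malicious one. The following added example, written for this digest and not part of any GlassWorm analysis or of VS Code, audits a manifest against a publisher allowlist; the allowlist and the sample manifest are constructed.

```python
"""
Audit a VS Code / Open VSX extension manifest for dependency-based delivery
(constructed example). Flags every extension the manifest would cause the
editor to install whose publisher is not on an allowlist.
"""
import json

# Constructed allowlist; a real deployment derives this from its own policy.
TRUSTED_PUBLISHERS = {"ms-python", "ms-vscode", "redhat"}

# Manifest fields that trigger installation of other extensions.
DEPENDENCY_FIELDS = ("extensionDependencies", "extensionPack")


def dependency_ids(manifest: dict) -> list[str]:
    """Collect every extension identifier the manifest would auto-install."""
    ids: list[str] = []
    for field in DEPENDENCY_FIELDS:
        value = manifest.get(field, [])
        if isinstance(value, list):
            ids.extend(v for v in value if isinstance(v, str))
    return ids


def audit_manifest(manifest_json: str,
                   trusted: set[str] = TRUSTED_PUBLISHERS) -> list[dict]:
    """
    Return one finding per suspicious dependency. Identifiers have the form
    publisher.name and are compared case-insensitively, as the editor does.
    """
    manifest = json.loads(manifest_json)
    findings = []
    for ident in dependency_ids(manifest):
        publisher, _, name = ident.partition(".")
        if not publisher or not name:
            findings.append({"id": ident, "reason": "malformed identifier"})
        elif publisher.lower() not in trusted:
            findings.append({"id": ident,
                             "reason": f"publisher '{publisher}' not in allowlist"})
    return findings


# Constructed manifest: a formatter that quietly depends on an unknown runtime.
SAMPLE_MANIFEST = json.dumps({
    "name": "handy-formatter",
    "publisher": "some-publisher",
    "version": "1.0.3",
    "extensionDependencies": ["ms-python.python", "unknown-pub.helper-runtime"],
    "extensionPack": [],
})

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

This checks one level only; a thorough audit fetches each flagged dependency's own manifest and recurses, since the delivery chain can be several hops long.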
AI Security for Apps reached GA, letting Cloudflare block prompt injection and PII leaks at the WAF layer. On the same day, Cloudflare also launched RFC 9457-compatible error responses that replace HTML with JSON or Markdown when AI agents hit Cloudflare errors.