Aggregator
CVE-2026-2592 | Zarinpal Gateway for WooCommerce Plugin up to 5.0.16 on WordPress Payment Call Return_from_ZarinPal_Gateway access control
CVE-2026-2002 | Forminator Forms Plugin up to 1.50.2 on WordPress form_name cross site scripting
CVE-2026-1657 | EventPrime Plugin up to 4.2.8.4 on WordPress AJAX Endpoint ep_upload_file_media authorization
Apache Tomcat Vulnerabilities Let Attackers Bypass Security Constraints via HTTP/0.9 Requests
Apache Tomcat has disclosed CVE-2026-24733, a Low-severity security constraint bypass that can be triggered via HTTP/0.9 requests when certain access-control rules are configured in a specific way. The Apache Tomcat security team identified the issue, and the original advisory was published on 2026-02-17. At a high level, the vulnerability stems from Tomcat not restricting HTTP/0.9 […]
The post Apache Tomcat Vulnerabilities Let Attackers Bypass Security Constraints via HTTP/0.9 Requests appeared first on Cyber Security News.
Sample Analysis Targeting a Suspected Red Team Veteran
CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
- CVE-2025-49113 RoundCube Webmail Deserialization of Untrusted Data Vulnerability
- CVE-2025-68461 RoundCube Webmail Cross-site Scripting Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Hackers breach contractor linked to Ukraine’s central bank collectible coin store
ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT Malware
Critical Vulnerabilities in VS Code Extensions Threaten 128 Million Developer Environments
Three critical vulnerabilities have been found in four popular Visual Studio Code extensions. These extensions have been downloaded over 128 million times. The vulnerabilities are identified as CVE-2025-65715, CVE-2025-65716, and CVE-2025-65717. The findings from the OX Security Research team, later confirmed on Cursor and Windsurf IDEs, expose a systemic blind spot in modern software supply […]
The post Critical Vulnerabilities in VS Code Extensions Threaten 128 Million Developer Environments appeared first on Cyber Security News.
Mississippi medical center closes all clinics after ransomware attack
FBI Informant Helped Operate the Dark Web Drug Market Incognito
Elon Musk Takes a Risk Again: Social Network X Could Simply Be Blocked Over the Grok Chatbot's "Jokes"
LLM-Generated Passwords Expose Major Security Flaws with Predictability, Repetition, and Weakness
Large language models, commonly known as LLMs, are increasingly being asked to generate passwords — and new research has shown that the passwords they produce are far weaker than they appear. A password like G7$kL9#mQ2&xP4!w may look convincingly random, but it carries a fundamental flaw that standard password-strength tools consistently miss. The core problem lies in how […]
The post LLM-Generated Passwords Expose Major Security Flaws with Predictability, Repetition, and Weakness appeared first on Cyber Security News.
Android Malware Hijacks Google Gemini to Stay Hidden
PoC Released for Critical Chrome 0-day Vulnerability Exploited in the Wild
A public proof-of-concept exploit has been released for CVE-2026-2441, a critical use-after-free zero-day vulnerability in Google Chrome’s Blink CSS engine that Google confirmed is being actively exploited in the wild. Security researcher Shaheen Fazim reported the flaw on February 11, 2026, and Google issued an emergency patch just two days later. Classified as Chrome’s first […]
The post PoC Released for Critical Chrome 0-day Vulnerability Exploited in the Wild appeared first on Cyber Security News.
Say "Aah" and Check Your Bank Account: This Is How US Hospitals Now Operate After a Cyberattack
Silicon Valley Engineers Charged With Stealing Trade Secrets From Google and Other Tech Companies
Three Silicon Valley engineers have been indicted for allegedly stealing confidential technology data from Google and other major companies and transferring that information to unauthorized locations, including Iran. The defendants Samaneh Ghandali (41), Mohammadjavad “Mohammad” Khosravi (40), and Soroor Ghandali (32), all residents of San Jose, were arrested and appeared before a federal court in San Jose […]
The post Silicon Valley Engineers Charged With Stealing Trade Secrets From Google and Other Tech Companies appeared first on Cyber Security News.