Aggregator

US Tax Service Portal Allegedly Compromised: Root SSH Access to Client Database Offered for Sale

Google has confirmed a software bug that is preventing volume buttons from working correctly on Android devices with accessibility features enabled. [...]

AI Security Insights – January 2026

AI Security Insights – January 2026

Russian Eco-Fuel Company Palevo Allegedly Breached with 2021 User Registration Data Leaked

Microsoft’s January 2026 updates fix 114 vulnerabilities, with several remote code execution bugs rated critical across Office applications and Windows services such as LSASS. This Patch Tuesday addresses critical remote code execution flaws and numerous elevation of privilege issues that could enable attackers to compromise systems. Vulnerability Type Count Remote Code Execution 22 Denial of […]

The post Microsoft Patch Tuesday January 2026 – 114 Vulnerabilities Fixed Including 3 Zero-days appeared first on Cyber Security News.

Growing Third-Party Breach Trend Is Spreading to AI Suppliers
IT organizations have built processes for reducing vendor risk, but in the AI era, that operating model is being dismantled. Modern AI environments are built on dynamic external foundational models, countless APIs, open-source components and continuous data pipelines that pose risks.

Black Duck Researchers Discover Flaw in Widely Used Broadcom Chipset
A flaw in Broadcom chipsets commonly used in wireless routers allows attackers to repeatedly knock offline the 5 gigahertz band, no matter how strong the security settings, say researchers.

Fortinet disclosed a Server-Side Request Forgery (SSRF) vulnerability in its FortiSandbox appliance on January 13, 2026, urging users to update amid risks of internal network proxied requests. Tracked as CVE-2025-67685 (FG-IR-25-783), the flaw resides in the GUI component and stems from CWE-918, enabling authenticated attackers to craft HTTP requests that proxy traffic to internal plaintext […]

The post FortiSandbox SSRF Vulnerability Allow Attacker to proxy Internal Traffic via Crafted HTTP Requests appeared first on Cyber Security News.

A vulnerability was found in Espressif esp-usb up to 2.3.x. It has been declared as critical. This vulnerability affects unknown code of the component USB Video Class Device Handler. Executing a manipulation can lead to stack-based buffer overflow. This vulnerability is handled as CVE-2025-68622. The physical device can be targeted for the attack. There is not any exploit available. It is recommended to upgrade the affected component.

A vulnerability labeled as critical has been found in DDSN Acora CMS 10.7.1. The impacted element is an unknown function of the component Password Reset Token Handler. Such manipulation leads to weak password recovery. This vulnerability is referenced as CVE-2025-63314. It is possible to launch the attack remotely. No exploit is available.

A vulnerability marked as critical has been reported in Espressif esp-usb up to 1.0.x. This affects the function usb_class_request_get_descriptor. Performing a manipulation results in use after free. This vulnerability is identified as CVE-2025-68656. The attack may be carried out on the physical device. There is not any exploit available. It is suggested to upgrade the affected component.

A vulnerability was found in Espressif esp-usb up to 1.0.x. It has been rated as critical. This issue affects the function hid_host_device_close of the component USB Event Callback Handler. The manipulation leads to double free. This vulnerability is uniquely identified as CVE-2025-68657. It is possible to launch the attack on the physical device. No exploit exists. Upgrading the affected component is advised.

Attackers use a sophisticated delivery mechanism of text-only files for RAT deployment, showcasing a clever way to bypass defensive tools and rely on the target's own utilities.

A vulnerability was found in Envoy Proxy up to 1.5.6/1.6.1. It has been declared as critical. The affected element is an unknown function of the component EnvoyExtensionPolicy Lua Script Handler. The manipulation results in code injection. This vulnerability is known as CVE-2026-22771. It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component.

Пример GS-10578 доказал: для полной остановки звездообразования не нужны катастрофы.

Node.js issued critical security updates across its active release lines on January 13, 2026, patching vulnerabilities that could lead to memory leaks, denial-of-service attacks, and permission bypasses. These releases address three high-severity flaws, among others, urging immediate upgrades for affected systems. High Severity Vulnerabilities High-severity issues dominate this release, with CVE-2025-55131 exposing uninitialized memory in […]

The post Node.js Security Release Patches 7 Vulnerabilities Across All Release Lines appeared first on Cyber Security News.

A vulnerability was found in dfir-iris iris-web up to 2.4.23. It has been classified as critical. Impacted is an unknown function. The manipulation of the argument file_local_name leads to unrestricted upload. This vulnerability is traded as CVE-2026-22783. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability categorized as critical has been discovered in maximmasiutin TinyWeb up to 1.97 on Win32. This affects the function CreateProcess. Such manipulation leads to os command injection. This vulnerability is uniquely identified as CVE-2026-22781. The attack can be launched remotely. No exploit exists. It is advisable to upgrade the affected component.