In a newly identified campaign, internally referred to as Boto Cor-de-Rosa, our researchers discovered that Astaroth now exploits WhatsApp Web as part of its propagation strategy.

Or Why You Can't Regex Your Way to Agent Security

Two CVSS 10 flaws (CVE-2025-69425 & CVE-2025-69426) hit Ruckus vRIoT. Hardcoded secrets allow attackers to seize root access. Update to v3.0.0.0 now.

The largest free directory of open source security tools. Join 2,600+ professionals who get a weekly, expert-curated newsletter of the best tools.

Horizon3.ai details CVE-2025-64155, revealing chained FortiSIEM vulnerabilities enabling remote code execution and root access, analysis of the root cause, and indicators of compromise.

Fortinet EMS Remote Code Execution. How one tiny img tag was all we needed to escalate our access to a full remote code execution.

Tenzai researchers tested Cursor, Claude Code, Codex, Replit, and Devin. Every AI coding agent shipped vulnerable code. Here’s what broke - and why it matters.

Exploring security blunders in Bluspark Global’s BLUVOYIX, an ocean logistics / supply chain platform used by hundreds of the world’s largest companies.

Introduction

Desoldering a drone's flash chip and reconstructing the firmware from broken data.

Varonis Threat Labs discovered a way to bypass Copilot’s safety controls, steal users’ darkest secrets, and evade detection.

Cymulate Research Labs uncovered CVE-2026-20965, a token validation flaw in Azure Windows Admin Center enabling tenant-wide RCE and lateral movement.

IHackAI (ihackai.com) - Master AI security through hands-on challenges. Learn prompt injection, jailbreaking, and defense strategies.

85% of Fortune 500 exposed. Learn how AI agents need purpose-built security, not retrofitted legacy authentication.

Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1.

A remote webpage can abuse an unauthenticated guest HTTP API to compromise the Windows guest container, then feed a malicious app entry leading to Linux host code execution on click.

Introduction This write-up consolidates several XS-Leak issues discovered across Meta-owned platforms, including Facebook, Workplace, Meta for Work, and internal Meta surfaces.

Introduction Meta’s web ecosystem relies on cross-window messaging between first-party websites. In many cases, the only security control enforced is an origin check validating that messages originate from facebook.com or its subdomains.