> infrastructure security
for people who build things
Tracking vulnerabilities, supply chain attacks, and threat intelligence that matters to engineers running real infrastructure.
Three High-Severity Command Injection Flaws in AWS Research and Engineering Studio Give Authenticated Users Root RCE
AWS patches three CVSS 8.8 command injection and privilege escalation bugs in Research and Engineering Studio (RES) β any authenticated user could get root on virtual desktop hosts or the cluster manager.
Flowise AI Under Active Exploitation: CVSS 10.0 RCE via CustomMCP Node Hits 12,000+ Exposed Instances
Critical unauthenticated RCE in Flowise AI's CustomMCP node (CVE-2025-59528, CVSS 10.0) is under active exploitation. Over 12,000 instances are exposed. Patch to 3.0.6 immediately.
Storm-1175 Chains Zero-Days to Deploy Medusa Ransomware in Under 24 Hours
Microsoft exposes Storm-1175 as a primary Medusa ransomware affiliate, weaponizing zero-days in SmarterMail and GoAnywhere MFT with sub-24-hour dwell times.
Akira Ransomware Now Encrypts in Under an Hour: SonicWall VPNs Are the Front Door
Akira ransomware operators are completing full attack chains from initial VPN access to encryption in under 60 minutes, targeting SonicWall SSL VPNs even on patched devices.
CVE-2026-23442: Remote Kernel Panic via SRv6 NULL Pointer Dereference Threatens IPv6 Infrastructure
A CVSS 8.2 flaw in the Linux kernel's SRv6 implementation lets remote attackers crash systems with crafted IPv6 packets. Patches are outβupdate now.
CVE-2026-34612: Kestra SQL Injection Chains to Host RCE via PostgreSQL COPY TO PROGRAM
Critical CVSS 9.9 flaw in Kestra orchestration platform lets authenticated attackers chain SQL injection through PostgreSQL COPY TO PROGRAM for arbitrary command execution on the Docker host.
CVE-2026-32211: Azure MCP Server Ships with No Auth β Your DevOps Secrets Are One Request Away
Critical CVSS 9.1 flaw in Azure MCP Server has zero authentication on critical functions, exposing API keys, tokens, repos, and pipeline configs to unauthenticated attackers. No patch available.
Ubiquiti UniFi Network Application Hit With CVSS 10 Path Traversal β Unauthenticated Account Takeover Possible
CVE-2026-22557 is a maximum-severity path traversal in Ubiquiti UniFi Network Application that enables unauthenticated full account takeover. Chain it with CVE-2026-22558 for admin escalation. Patch to 10.1.89 immediately.
Device Code Phishing Attacks Surge 37x as EvilTokens PhaaS Fuels OAuth Abuse Against Microsoft 365
Device code phishing attacks exploiting the OAuth 2.0 Device Authorization Grant have surged 37x in 2026, driven by turnkey PhaaS kits like EvilTokens that bypass MFA and compromise enterprise M365 tenants.
CVE-2026-4681: CVSS 10.0 Deserialization RCE in PTC Windchill Has German Police Knocking on Doors
A maximum-severity deserialization flaw in PTC Windchill and FlexPLM (CVE-2026-4681, CVSS 10.0) prompted German federal police to physically visit companies and wake up sysadmins. No patch yet. Here's what you need to know.
36 Malicious npm Packages Disguised as Strapi Plugins Deploy Redis Exploits, PostgreSQL Credential Harvesting, and Persistent Implants
A coordinated campaign planted 36 fake Strapi CMS plugins on npm that exploit Redis and PostgreSQL instances, harvest credentials, and install persistent C2 implants targeting production infrastructure.
Severity Drift: Why Your Vulnerability Triage Process Is Working With Bad Data
From silent reclassifications to incomplete patches to NVD enrichment backlogs, the severity data your vuln management program depends on is wrong more often than you think. Here's the proof β and what to do about it.
CVE-2026-33032: Nginx UI MCP Endpoint Lets Anyone Hijack Your Web Server β No Auth Required
Critical 9.8 CVSS flaw in Nginx UI exposes unauthenticated MCP endpoint. Public PoC available, no patch yet. Disable or firewall Nginx UI immediately.
$285M Gone in 12 Minutes: DPRK-Linked Attackers Weaponize Solana Durable Nonces to Gut Drift Protocol
North Korean threat actors drained $285M from Solana's largest perpetual futures exchange by weaponizing durable nonces, fabricating a fake token, and socially engineering governance multisig signers.
Ransomware Hits Minot Water Treatment Plant SCADA System, FBI Investigating
Ransomware compromised the SCADA server at Minot, North Dakota's water treatment plant, forcing 16 hours of manual operations. FBI released a statement today confirming active investigation.
FortiClient EMS Zero-Day Under Active Exploitation β Emergency Hotfixes Released (CVE-2026-35616)
Critical API authentication bypass in FortiClient EMS 7.4.5β7.4.6 is being exploited in the wild. CVSS 9.1. Hotfixes available now.
Ni8mare: CVSS 10.0 Unauthenticated RCE in n8n Workflow Automation (CVE-2026-21858)
A CVSS 10.0 content-type confusion bug in n8n's webhook handler lets unauthenticated attackers read arbitrary files, steal credentials, forge admin sessions, and achieve full RCE. Patch to 1.121.0 immediately.
Progress ShareFile Pre-Auth RCE Chain: CVE-2026-2699 and CVE-2026-2701 Give Attackers Full Server Takeover
Two critical Progress ShareFile flaws chain into a pre-authentication RCE β with ~30,000 Storage Zone Controllers exposed and a public POC now available.
European Commission Confirms Cloud Breach β Trivy Supply Chain Attack Cascades Into 30+ EU Entities
The European Commission confirms a data breach affecting 30+ EU entities after the compromised Trivy scanner leaked AWS API keys to TeamPCP. ShinyHunters published 92 GB of stolen data.
CVE-2026-33186: gRPC-Go Auth Bypass Lets Attackers Skip Deny Rules With a Missing Slash
A critical CVSS 9.1 flaw in gRPC-Go lets unauthenticated attackers bypass path-based authorization by omitting the leading slash from HTTP/2 :path headers.