GitLab has issued a security patch for a serious vulnerability that allows attackers to bypass two-factor authentication (2FA) in both its community and enterprise editions. This flaw could potentially give unauthorized users access to sensitive accounts if exploited. Additionally, GitLab addressed issues related to denial-of-service (DoS) attacks, which could disrupt services for legitimate users. The company advises all users to update their systems promptly to mitigate these risks. This situation emphasizes the importance of keeping software up to date to protect against emerging threats.
Latest Cybersecurity Threats
Hackread – Cybersecurity News, Data Breaches, AI, and More
A recent study has uncovered that 64% of third-party applications are accessing sensitive user data without proper authorization. This alarming statistic raises concerns about data privacy and security, particularly for users who may unknowingly grant permissions to these applications. The research suggests that many apps do not have adequate safeguards in place to protect sensitive information, which could lead to unauthorized data exposure. This issue affects a wide range of applications across various platforms and industries, putting personal and organizational data at risk. Users and companies must be more vigilant about the permissions they grant to third-party apps to safeguard their sensitive information.
North Korean hackers are targeting macOS developers by luring them into opening malicious GitHub and GitLab projects in Visual Studio Code. The attackers use these repositories to trick users into executing harmful code, potentially compromising their systems. This tactic poses a significant risk to developers who may unknowingly download and run these malicious projects, which could lead to data breaches or further exploitation of their systems. Because these attacks exploit popular development tools, developers need to be vigilant about the sources of the projects they access. This incident emphasizes the ongoing threat posed by state-sponsored hackers and the need for heightened awareness in the software development community.
BleepingComputer
Security researchers successfully exploited Tesla's Infotainment System during the Pwn2Own Automotive 2026 competition, demonstrating 37 zero-day vulnerabilities on the first day. They earned a total of $516,500 for their exploits, which showcase significant flaws in the system. This incident raises concerns about the security of Tesla vehicles and the potential risks they pose to users. As more vehicles become connected, the implications of such vulnerabilities could extend beyond just infotainment systems, affecting critical vehicle functions and user safety. Companies like Tesla need to prioritize addressing these vulnerabilities to protect their customers and maintain trust in their technology.
MITRE has introduced the Embedded Systems Threat Matrix (ESTM), a new framework designed to enhance the security of critical embedded systems. This initiative aims to assist organizations in identifying and mitigating potential threats that target their embedded devices, which are increasingly integral to various industries, from automotive to healthcare. By providing a structured approach to understanding vulnerabilities and attack vectors, the ESTM seeks to bolster defenses against cyber threats that could compromise the functionality and safety of these systems. This development is particularly relevant as the reliance on embedded technology continues to grow, making it essential for companies to adopt better security practices. The framework is expected to serve as a valuable resource for organizations looking to strengthen their cybersecurity measures in this area.
Hackread – Cybersecurity News, Data Breaches, AI, and More
A security lapse at a Carlsberg exhibition exposed attendees' personal information due to a poorly secured wristband system. This system allowed unauthorized access to sensitive data, such as visitor photos, videos, and full names. Despite attempts by a researcher to report the vulnerability, their concerns were ignored for several months, raising questions about the company's response to security issues. The incident underscores the need for better data protection practices, especially at public events where personal information is collected. This breach not only affects the individuals whose data was exposed but also damages Carlsberg's reputation as a secure event organizer.
In January 2026, Oracle released its first Critical Patch Update (CPU) of the year, addressing approximately 230 unique vulnerabilities across over 30 of its products. This update includes a total of 337 new security patches, which users are encouraged to apply to protect their systems. These vulnerabilities could potentially expose systems to various security risks, making it crucial for affected organizations to implement the patches promptly. The update reflects Oracle's ongoing commitment to security, as it aims to mitigate risks associated with its software products. Users and administrators should ensure they are running the latest versions to safeguard against potential exploitation.
Infosecurity Magazine
The City of London Police has launched the UK's national Report Fraud service, aimed at improving the way economic crimes are reported and handled across the country. This new service is designed to streamline the reporting process for victims of fraud, making it easier for individuals and businesses to report incidents. By consolidating various reporting channels into one platform, the initiative hopes to enhance the response to economic crime and support victims more effectively. This move comes as fraud continues to rise, affecting countless individuals and businesses. The service is expected to provide better data collection and analysis, which could lead to more successful investigations and prosecutions.
A new malware framework called VoidLink has been identified as a sophisticated threat targeting Linux systems. Research from Check Point indicates that this framework was likely developed by an individual with the help of artificial intelligence. The malware has reached an impressive 88,000 lines of code, showcasing its complexity and potential for damage. The findings also reveal operational security mistakes made by the author, which provided insights into its creation. This development is concerning for Linux users and organizations, as it points to an increasingly advanced and potentially widespread malware landscape.
USB drives pose a significant security risk for enterprises, as they can easily introduce malware into corporate networks. Researchers warn that these small devices often go unchecked and can lead to data breaches or unauthorized access. Many organizations still rely on USB drives for data transfer, making them an attractive target for cybercriminals. The ease of use and widespread availability means that employees might unwittingly use infected drives, compromising sensitive information and systems. Companies should implement strict policies regarding the use of USB drives and consider investing in security solutions that can monitor and control their use.
Deloitte's latest report warns that businesses are rapidly adopting agentic AI systems without adequate safety measures in place. While these AI tools promise to enhance productivity, they also introduce significant risks that many companies may not fully understand. The report emphasizes that the pace of AI deployment is outstripping the development of necessary safety protocols, which could lead to serious security vulnerabilities. This situation raises concerns for organizations that might be exposing themselves to cyber threats as they integrate these technologies. As the reliance on AI grows, it's crucial for businesses to prioritize safety and implement comprehensive security frameworks to protect against potential risks.
SCM feed for Latest
SK Telecom, a leading telecommunications company in South Korea, is challenging a hefty $91 million fine imposed by the Personal Information Protection Commission. This penalty was a result of a cyberattack in April that compromised the personal data of all 23 million of the company's users. The breach raised significant concerns about data security and the responsibilities of companies to protect customer information. By contesting the fine, SK Telecom is not only seeking to mitigate financial repercussions but also potentially setting a precedent for how data breaches are handled in the future. This incident serves as a reminder of the ongoing risks companies face in safeguarding sensitive user data.
SCM feed for Latest
A malicious Visual Studio Code extension has been identified as a vehicle for distributing the Evelyn information-stealing malware. Cybersecurity researchers have found that this multi-stage attack can compromise sensitive information from affected users. Developers and users of Visual Studio Code are particularly at risk, as the extension can infiltrate systems through the widely used code editor. This incident underscores the need for caution when installing extensions from unverified sources. Users should ensure they only use trusted extensions and maintain updated security software to protect against such threats.
SCM feed for Latest
A new infostealer malware called SolyxImmortal has emerged, believed to be developed by a Turkish-speaking hacker. This malware allows attackers to covertly monitor users and steal sensitive data by utilizing legitimate application programming interfaces (APIs) and third-party libraries, making detection more difficult. The exact targets of this malware have not been specified, but its stealthy nature poses a significant risk to individuals and organizations that rely on affected software. As cybercriminals continuously evolve their tactics, it’s crucial for users to remain vigilant and ensure their systems are secure against such threats.
Hackread – Cybersecurity News, Data Breaches, AI, and More
The Everest ransomware group has claimed responsibility for a data breach involving McDonald's India, potentially affecting customer information. This incident raises significant concerns about the security of customer data, as ransomware attacks often lead to sensitive information being stolen or compromised. McDonald's India has not yet confirmed the breach or provided details about the extent of the data involved. Ransomware attacks like this can damage a company's reputation and erode customer trust, especially in a market where data privacy regulations are becoming stricter. As the situation unfolds, customers and stakeholders will be closely monitoring how McDonald's responds and what measures are put in place to prevent future incidents.