Articles tagged "Vulnerability"

Found 937 articles

Attackers are exploiting a vulnerability in Funnel Builder, a tool used by online stores, to inject e-skimmers. These malicious scripts can steal payment information from unsuspecting customers during transactions. This incident affects e-commerce platforms that utilize Funnel Builder, potentially putting sensitive customer data at risk. As the holiday shopping season approaches, the urgency to address this vulnerability increases, as attackers may ramp up their efforts to exploit it. Companies using this tool should prioritize patching the identified bug to protect their customers and maintain trust.

Read Original
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE

The Hacker News

Actively Exploited

A serious vulnerability in NGINX, tracked as CVE-2026-42945, is currently being exploited in the wild, just days after it was disclosed. This flaw is a heap buffer overflow in the ngx_http_rewrite_module, which affects NGINX Plus and NGINX Open versions from 0.6.27 to 1.30.0. The CVSS score of 9.2 indicates a high severity, as it could lead to worker crashes and potentially allow remote code execution (RCE). Organizations using affected versions should prioritize patching their systems to prevent exploitation. Given the active nature of this threat, immediate action is crucial for maintaining security.

Read Original

Last week, Cisco released a patch for a zero-day vulnerability affecting its SD-WAN product. This flaw could allow attackers to gain unauthorized access to the network and potentially disrupt services. Meanwhile, a previously unpatched vulnerability in Microsoft Exchange Server has been actively exploited by attackers, putting many organizations at risk. These incidents highlight the ongoing challenges companies face in securing their systems against evolving threats. It’s crucial for affected users to apply the latest patches and take proactive measures to protect their networks.

Read Original

A serious vulnerability in the Funnel Builder plugin for WordPress is currently being exploited by attackers to inject harmful JavaScript into WooCommerce checkout pages. This manipulation aims to capture sensitive payment information from users during transactions. The situation was reported by Sansec, revealing that this flaw does not yet have an official Common Vulnerabilities and Exposures (CVE) identifier. Website owners using this plugin should be particularly vigilant, as the lack of a CVE means there may not be a widely known fix available at this time. This incident poses a significant risk, especially for e-commerce sites that rely on WooCommerce for processing payments.

Read Original

A vulnerability in the Funnel Builder plugin for WordPress, which is used by over 40,000 websites, has been exploited by attackers to steal payment data. This flaw allows unauthenticated users to change global settings through an unprotected checkout endpoint. As a result, any website using this plugin could be at risk of having sensitive payment information compromised. Website owners should take immediate action to secure their sites, as the potential for financial loss and damage to customer trust is significant. This incident serves as a reminder for users to regularly update their plugins and monitor for security patches.

Read Original

A serious vulnerability in the Funnel Builder plugin for WordPress is being exploited by attackers to inject harmful JavaScript into WooCommerce checkout pages. This allows them to steal customers' credit card information during transactions. The exploit is particularly dangerous as it targets e-commerce sites using the WooCommerce platform, affecting both businesses and their customers. Website owners using this plugin should take immediate action to protect their customers and their own financial interests. The ongoing exploitation of this bug highlights the need for vigilance in securing online payment systems.

Read Original
CVE-2026-42897: Microsoft confirms active exploitation of Exchange Server zero-day

Security Affairs

Actively Exploited

Microsoft has confirmed that a new zero-day vulnerability in Exchange Server, identified as CVE-2026-42897, is being actively exploited by attackers. This vulnerability has a CVSS score of 8.1, indicating a high level of severity. It stems from improper handling of user input during web page generation, which can lead to cross-site scripting (XSS) attacks. Organizations using affected versions of Exchange Server are at risk, as attackers could exploit this flaw to execute malicious scripts in the context of users' browsers. Microsoft urges users to take immediate action to protect their systems and data from potential breaches.

Read Original

Cisco has released a patch for a serious security vulnerability (CVE-2026-20182) affecting its Catalyst SD-WAN solutions. This flaw allows attackers to bypass authentication in both the Catalyst SD-WAN Controller and the Catalyst SD-WAN Manager, which are critical components for managing SD-WAN deployments. The vulnerability has been actively exploited by a sophisticated cyber threat actor, putting both on-premises and cloud users at risk. Organizations using these Cisco products should prioritize applying the patch to safeguard their networks from potential breaches. Failure to address this vulnerability could lead to unauthorized access and significant security incidents.

Read Original

Microsoft has issued a warning regarding a zero-day vulnerability in Exchange Server, identified as CVE-2026-42897, which is currently being exploited by attackers. This vulnerability affects various versions of Exchange Server, putting organizations that use this software at risk. Microsoft has not yet released a permanent patch but has provided interim mitigations to help secure affected systems. Users and administrators are urged to implement these mitigations to protect their environments until a comprehensive fix is available. The active exploitation of this vulnerability underscores the urgency for affected organizations to take immediate action.

Read Original
Actively Exploited

Recent findings reveal that some AI-driven video age-verification systems can be easily deceived using simple disguises, like a fake mustache. This raises significant concerns for platforms relying on these systems to prevent underage access to content. Researchers demonstrated that these AI checks, designed to ensure compliance with age restrictions, may not be as secure as intended. The implications of this vulnerability could be serious, as it allows minors to bypass safeguards meant to protect them. Companies that implement age-verification measures need to reassess their systems to ensure they cannot be easily tricked and to better protect their users.

Read Original

Microsoft has issued a warning about a serious cross-site scripting (XSS) vulnerability, identified as CVE-2026-42897, affecting on-premises versions of Microsoft Exchange Server. This vulnerability allows unauthorized attackers to spoof users over a network, posing significant risks to organizations that have not yet applied any fixes. The affected versions include Microsoft Exchange Server Subscription Edition RTM, 2019, and 2016, while Exchange Online remains unaffected. Microsoft is currently working on a permanent fix, but until it is released, they have provided temporary mitigations for users to implement. Organizations using the affected versions should take immediate action to safeguard their systems from potential exploitation.

Read Original

Google's latest Chrome update, version 148, addresses several critical vulnerabilities, including a serious use-after-free issue affecting various browser components. This type of vulnerability can allow attackers to execute arbitrary code, potentially leading to unauthorized access or data breaches. Users of Chrome should update to the latest version to ensure their browsers are secure. Keeping browsers up to date is crucial, as these vulnerabilities can be exploited if left unpatched. The update underscores the ongoing need for vigilance in cybersecurity, especially given the frequency of browser-based attacks.

Read Original

Cisco has released a patch for a newly discovered zero-day vulnerability, identified as CVE-2026-20182, which has been actively exploited in targeted attacks. This vulnerability affects Cisco’s SD-WAN products and has been linked to a sophisticated threat actor known as UAT-8616. The exploitation of this flaw marks the sixth zero-day incident involving Cisco in 2026, raising concerns about the security of their products. Companies using Cisco SD-WAN solutions should prioritize applying the latest patches to protect against potential breaches. The ongoing exploitation of this vulnerability highlights the need for vigilance in cybersecurity practices.

Read Original
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email

The Hacker News

Actively Exploited

Microsoft has announced a serious security vulnerability affecting on-premise versions of Exchange Server, identified as CVE-2026-42897. This issue, which has a CVSS score of 8.1, is classified as a spoofing vulnerability that arises from a cross-site scripting flaw. The vulnerability has been confirmed to be actively exploited by attackers, which raises significant concerns for organizations still using on-premise Exchange Servers. An anonymous researcher discovered and reported the issue, signaling the need for prompt attention from IT security teams. Organizations must take immediate action to protect their systems and data from potential exploitation.

Read Original

On the first day of Pwn2Own Berlin 2026, researchers showcased their skills by identifying 24 zero-day vulnerabilities across various technologies, earning a total of $523,000 in rewards. The entries targeted popular software, including web browsers, operating systems, AI platforms, and NVIDIA infrastructure. This event is significant as it emphasizes the ongoing security challenges faced by widely used technologies, particularly in the realm of AI. The discoveries made during this competition not only highlight the vulnerabilities that could be exploited by attackers but also serve as a wake-up call for developers and organizations to enhance their security measures. As these zero-days are revealed, it’s crucial for affected vendors to respond swiftly to mitigate potential risks to users.

Read Original
PreviousPage 19 of 63Next