A researcher has revealed a new attack method called 'Comment and Control' that targets AI systems like Claude Code, Gemini CLI, and GitHub Copilot Agents. This technique exploits prompt injection vulnerabilities through comments in code, allowing attackers to manipulate the AI's responses. The implications of this vulnerability are significant, as it could lead to unintended actions by the AI, potentially compromising the integrity of code generation and automation tools widely used in software development. Developers and organizations utilizing these AI tools should be aware of this risk and take necessary precautions to safeguard their systems. As AI becomes more integrated into development workflows, understanding and mitigating such vulnerabilities is crucial.
Articles tagged "Vulnerability"
Found 494 articles
A serious vulnerability has been discovered in nginx-ui, which could allow attackers to manipulate NGINX configuration files. This flaw has a near-maximum severity rating, meaning it poses a significant risk to users of the software. Attackers can exploit this weakness to restart, create, modify, or delete configuration files, potentially disrupting web services and compromising server security. This vulnerability affects anyone using nginx-ui, making it crucial for system administrators to take action. The situation is urgent as it could lead to unauthorized access and control over server configurations.
A significant cybersecurity incident has emerged involving over 30 plugins from the EssentialPlugin package for WordPress. These plugins have been compromised with malicious code, which grants unauthorized access to websites that utilize them. This breach potentially affects thousands of sites, putting user data and site integrity at risk. The incident underscores the vulnerability of widely-used plugins and the importance of maintaining updated security practices. Website administrators are urged to review their installed plugins and take immediate action to protect their sites from possible exploitation.
The National Institute of Standards and Technology (NIST) is narrowing its focus on analyzing Common Vulnerabilities and Exposures (CVE) due to the increasing number of vulnerabilities reported. Moving forward, NIST will concentrate its efforts on vulnerabilities found in critical software, systems utilized by the federal government, and those that are currently being exploited. This shift aims to streamline the analysis process and ensure that resources are allocated to the most pressing security issues. As the volume of vulnerabilities continues to rise, this change reflects a need for more targeted and efficient management of cybersecurity threats. It’s important for organizations and government entities to stay informed about these critical vulnerabilities to protect their systems effectively.
Security Affairs
CVE-2026-33032A severe vulnerability in nginx-ui, identified as CVE-2026-33032, is currently being exploited by attackers. This flaw allows unauthorized users to bypass authentication and gain complete control of Nginx servers, posing a significant risk to organizations using this web server technology. The vulnerability is linked to inadequate protection of the /mcp_message endpoint, which can be exploited without any prior authentication. With a CVSS score of 9.8, it is crucial for users to take immediate action to secure their systems. Organizations should prioritize patching their Nginx installations to mitigate this serious threat.
Infosecurity Magazine
A serious security flaw has been identified in the nginx-ui MCP, specifically an authentication bypass vulnerability tracked as CVE-2026-33032. This vulnerability has a high severity score of 9.8 on the CVSS scale and is currently being exploited in the wild, making it a pressing concern for users and organizations running affected versions. Attackers could potentially gain unauthorized access to systems using this flaw, which poses significant risks to data integrity and confidentiality. It's crucial for system administrators to take immediate action to protect their environments from these attacks. Timely updates and security patches are essential to mitigate the risks associated with this vulnerability.
The Hacker News
CVE-2026-33032A serious vulnerability, identified as CVE-2026-33032, has been discovered in nginx-ui, a management tool for Nginx servers. This flaw allows attackers to bypass authentication, potentially giving them full control of the Nginx service. Dubbed MCPwn by Pluto Security, the vulnerability has a CVSS score of 9.8, indicating its critical nature. Users of nginx-ui are at risk, as the flaw is currently being actively exploited in the wild. It's crucial for affected organizations to take immediate action to secure their systems and prevent unauthorized access.
A report detailing the state of cybersecurity threats to industrial automation systems in Q4 2025 reveals concerning trends in malware and infection vectors. Researchers identified various types of malware that are increasingly targeting these systems, affecting industries across different regions. The report emphasizes that many organizations remain vulnerable due to outdated security measures and a lack of awareness about emerging threats. This situation puts critical infrastructure at risk, potentially leading to operational disruptions and safety hazards. Companies are urged to enhance their cybersecurity protocols and invest in better defenses to protect against these sophisticated attacks.
OpenAI is enhancing its cybersecurity efforts by expanding its Trusted Access for Cyber (TAC) program, which now aims to provide thousands of verified cybersecurity professionals with prioritized access to advanced AI tools. This expansion includes the introduction of GPT-5.4-Cyber, a specialized version of their AI designed to assist in identifying and addressing vulnerabilities in critical software. The initiative focuses on empowering defenders who are responsible for protecting software systems from potential attacks. By equipping these professionals with better resources, OpenAI hopes to improve the speed and effectiveness of vulnerability management. This move is significant as it addresses the ongoing challenge of staying ahead of attackers in the cybersecurity landscape.
The Cloud Security Alliance has issued a warning about a significant change in how quickly vulnerabilities can be exploited. Researchers are particularly concerned about Anthropic’s Claude Mythos, an AI system capable of autonomously identifying thousands of zero-day vulnerabilities in popular operating systems and web browsers. It doesn't just find these flaws; it also creates working exploits without any human intervention. This rapid pace of exploit development poses a challenge for organizations that rely on traditional patch cycles, as the time to fix vulnerabilities is shrinking. Companies will need to adapt their security strategies to keep up with this evolving threat landscape.
Hackread – Cybersecurity News, Data Breaches, AI and More
A serious vulnerability identified as CVE-2026-5194 has been found in wolfSSL, affecting a vast array of devices, including Internet of Things (IoT) devices, routers, and military systems. This flaw allows attackers to forge digital identities, which poses a significant risk to the security of billions of devices globally. Users and organizations utilizing wolfSSL should promptly update to version 5.9.1 to mitigate this risk. The widespread impact of this vulnerability emphasizes the importance of regular software updates to maintain security across various platforms. Failure to address this issue could lead to unauthorized access and potential exploitation of sensitive systems.
Two serious vulnerabilities have been found in Composer, a popular package manager for PHP, which could allow attackers to execute arbitrary commands on affected systems. These flaws specifically target the Perforce VCS driver, raising concerns for developers and organizations that rely on this tool for managing PHP packages. If exploited, these vulnerabilities could lead to unauthorized access and control over systems using the affected versions. Users need to act quickly to apply the patches released to secure their environments and protect sensitive data from potential breaches. The vulnerabilities highlight the importance of maintaining updated software to mitigate risks.
RCI Hospitality, a major player in the nightclub industry, has reported a data breach due to an IDOR (Insecure Direct Object Reference) vulnerability in RCI Internet Services. This security flaw exposed sensitive contractor data, potentially affecting individuals associated with the company. The breach was disclosed in a filing with the Securities and Exchange Commission (SEC), indicating that the company is taking the matter seriously. This incident raises concerns about data security in the hospitality sector, as breaches can lead to identity theft and other malicious activities. Stakeholders will need to monitor the situation closely as RCI investigates the extent of the exposure and implements necessary safeguards.
Security Affairs
CVE-2025-0520A serious vulnerability has been discovered in ShowDoc, an online tool used by IT teams for document sharing and collaboration. This flaw, identified as CVE-2025-0520, allows attackers to execute remote code on unpatched servers, posing a significant risk to organizations that have not updated their systems. With a CVSS score of 9.4, this remote code execution vulnerability is currently being exploited in the wild, meaning that attackers are actively taking advantage of it. Companies using ShowDoc need to prioritize patching their servers to protect against potential breaches and unauthorized access to sensitive information. Failing to address this issue could lead to severe consequences for affected organizations.
A recent study has revealed that over one-third of the official partners of the FIFA World Cup 2026 are exposing the public to the risk of email fraud. This vulnerability arises mainly from the use of unsecured email practices, which can make them easy targets for phishing attacks. The findings suggest that these partners, which include various companies and organizations involved with the event, need to enhance their email security measures to protect their communications and sensitive information. The implications are significant, as successful email fraud can lead to financial losses and damage to reputations, especially for high-profile events like the World Cup. Stakeholders are urged to adopt stronger security protocols to mitigate these risks and safeguard their users.