Windows Zero-Day Lets Low-Privilege Accounts Hijack Admins
A researcher dropped working exploit code the same day Microsoft pushed its largest-ever Patch Tuesday, targeting the Windows User Profile Service.
The Revision stories tagged vulnerability — 21 stories on the wire, decoded into one clear voice.
A researcher dropped working exploit code the same day Microsoft pushed its largest-ever Patch Tuesday, targeting the Windows User Profile Service.
A researcher claims NAT Slipstreaming v2.0 can expose any TCP or UDP port to remote attackers, but the writeup offers few verifiable details.
Tailscale's bulletin TS-2026-009 describes an argument-handling flaw in its SSH feature that could be used to reach root on connected systems.
Three SharePoint Server vulnerabilities are being actively exploited for remote code execution and credential theft, with two more flagged as high-risk.
A security research firm says a stack use-after-free bug called GhostLock hides in every Linux distribution, but its age claim doesn't hold up.
Microsoft's fix for a remote-code-execution zero-day in its Malware Protection Engine may cause Windows machines to consume all available disk space.
A CVSS 9.9 file-write bug in OpenPLC v3's web UI can be escalated into full native code execution — and the only fix is upgrading to v4.
A patched high-severity bug in Amazon Q Developer allowed a malicious repository's config file to silently run commands and exfiltrate AWS credentials.
A missing authorization check in FactoryTalk Analytics PavilionX versions before 7.01 lets attackers manage users and roles without credentials.
A researcher found a critical-severity AMD vulnerability worth $10,000 under program terms — AMD responded by rewriting those terms retroactively.
Google notified more than 100 organizations with exposed Oracle servers after a cybercrime gang quietly launched a mass-exploitation campaign.
CVE-2026-10520 carries a perfect CVSS score, a public working exploit, and a CISA known-exploited designation, leaving little room to delay patching.
A credential baked into Yarbo's app binary unlocked real-time telemetry and remote command access for every robot in the global fleet.
Hours after June Patch Tuesday closed a record 200 bugs, Chaotic Eclipse published RoguePlanet, a privilege-escalation exploit for fully patched Windows machines.
AI-assisted vulnerability discovery gets the credit for a June update that addressed more than 200 flaws, an all-time Patch Tuesday record.
Microsoft patched two zero-days disclosed by a researcher called Nightmare Eclipse, following what appears to have been a prolonged and contentious dispute.
A logic inversion bug caused by a single wrong character was found in the Linux kernel, which runs most of the world's servers and devices.
A criminal actor used a frontier AI model to find a 2FA bypass, build an exploit, and deploy it before any defender knew the flaw existed.
A heap-based buffer overflow in MACH HiDraw's XML parser could let an authenticated local attacker crash or compromise industrial control systems.
An unauthenticated attacker with network access can permanently lock legitimate users out of the OPC-UA server on unpatched B&R PPT30 devices.
A default-on compatibility mode in ABB's Busch-Welcome door actuators bypasses authentication, and the only fix is a manual toggle-and-reboot at each site.