THREAT OPS › Threat News
Threat Intelligence News
2663 reports from 110+ open cyber-threat-intelligence sources — APT activity, malware, vulnerabilities and campaigns, newest first.
- [NVD] CVE-2025-68616 (HIGH 7.5) — WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint's `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` servicnvd · 2026-01-19
- [NVD] CVE-2026-23745 (MEDIUM 6.1) — node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading tnvd · 2026-01-16
- [NVD] CVE-2026-23490 (HIGH 7.5) — pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.2, a Denial-of-Service issue has been found that leads to memory exhaustion from malformed RELATIVE-OID with excessive continuation octets. This vulnerability is fixed in 0.6.2.nvd · 2026-01-16
- [NVD] CVE-2021-47839 (HIGH 7.2) — Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts into markdown files. Attackers can upload crafted markdown files with embedded JavaScript payloads that execute when the file is opened, potentially enabling remnvd · 2026-01-16
- New Infostealer Campaign Targets Users via Spoofed Software Installersvirustotal_blog · 2026-01-16
- [NVD] CVE-2026-22775 (HIGH 7.5) — Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systemnvd · 2026-01-15
- [NVD] CVE-2026-22774 (HIGH 7.5) — Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systemnvd · 2026-01-15
- [NVD] CVE-2026-0897 (HIGH 7.5) — Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a craftenvd · 2026-01-15
- Minting Next.js Authentication Cookiesembracethered · 2026-01-15
- [NVD] CVE-2026-22859 (CRITICAL 9.1) — FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds readnvd · 2026-01-14
- [NVD] CVE-2026-22858 (CRITICAL 9.1) — FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, nvd · 2026-01-14
- [NVD] CVE-2026-22855 (CRITICAL 9.1) — FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1.nvd · 2026-01-14
- [NVD] CVE-2026-22853 (CRITICAL 9.8) — FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Arraynvd · 2026-01-14
- A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?project_zero · 2026-01-14
- A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Waveproject_zero · 2026-01-14
- A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolbyproject_zero · 2026-01-14
- [NVD] CVE-2026-0532 (HIGH 8.6) — External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attackernvd · 2026-01-14
- [NVD] CVE-2026-0891 (HIGH 8.1) — Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerabilitnvd · 2026-01-13
- [NVD] CVE-2026-0882 (HIGH 8.8) — Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.nvd · 2026-01-13
- [NVD] CVE-2026-0881 (CRITICAL 10.0) — Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.nvd · 2026-01-13
- [NVD] CVE-2026-0880 (HIGH 8.8) — Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.nvd · 2026-01-13
- [NVD] CVE-2026-0879 (CRITICAL 9.8) — Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.nvd · 2026-01-13
- [NVD] CVE-2026-0878 (HIGH 8.0) — Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.nvd · 2026-01-13
- [NVD] CVE-2026-0877 (HIGH 8.1) — Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.nvd · 2026-01-13
- [NVD] CVE-2025-15514 (HIGH 7.5) — Ollama 0.11.5-rc0 through current version 0.13.5 contain a null pointer dereference vulnerability in the multi-modal model image processing functionality. When processing base64-encoded image data via the /api/chat endpoint, the application fails to validate that the decoded datanvd · 2026-01-12
- [NVD] CVE-2026-22771 (HIGH 8.8) — Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway. Prior to 1.5.7 and 1.6.2, EnvoyExtensionPolicy Lua scripts executed by Envoy proxy can be used to leak the proxy's credentials. These credentials can then be nvd · 2026-01-12
- Filtering Noise in (Cyber)Spacegreynoise_blog · 2026-01-12
- [NVD] CVE-2025-68493 (HIGH 8.1) — Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue.nvd · 2026-01-11
- [NVD] CVE-2026-22029 (HIGH 8.0) — React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can resnvd · 2026-01-10
- [NVD] CVE-2026-21884 (HIGH 8.2) — React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering whnvd · 2026-01-10
- [NVD] CVE-2025-61686 (CRITICAL 9.1) — React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno innvd · 2026-01-10
- [NVD] CVE-2025-59057 (HIGH 7.6) — React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrnvd · 2026-01-10
- [NVD] CVE-2025-9222 (HIGH 8.7) — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.nvd · 2026-01-09
- [NVD] CVE-2025-13772 (HIGH 7.1) — GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace idennvd · 2026-01-09
- [NVD] CVE-2025-13761 (HIGH 8.0) — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an unauthenticated user to execute arbitrary code in the context of an authenticated user's browser by convincing the legitimate user to nvd · 2026-01-09
- [NVD] CVE-2025-70974 (CRITICAL 10.0) — Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection nvd · 2026-01-09
- [NVD] CVE-2025-65518 (HIGH 7.5) — Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendnvd · 2026-01-08
- [NVD] CVE-2025-50334 (HIGH 7.5) — An issue in Technitium DNS Server v.13.5 allows a remote attacker to cause a denial of service via the rate-limiting componentnvd · 2026-01-08
- [NVD] CVE-2026-0719 (HIGH 8.6) — A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication. When processing extremely long passwords, an internal size calculation can overflow due to improper use of signed integers. This nvd · 2026-01-08
- Threat Actors Actively Targeting LLMsgreynoise_blog · 2026-01-08
- The Ransomware Ground Game: How A Christmas Scanning Campaign Will Fuel 2026 Attacksgreynoise_blog · 2026-01-08
- [NVD] CVE-2026-21441 (HIGH 7.5) — urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression bnvd · 2026-01-07
- [NVD] CVE-2025-69264 (HIGH 8.8) — pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts vianvd · 2026-01-07
- [NVD] CVE-2025-69263 (HIGH 7.5) — pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who pnvd · 2026-01-07
- [NVD] CVE-2026-22184 (HIGH 7.8) — zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user exenvd · 2026-01-07
- [NVD] CVE-2025-12543 (CRITICAL 9.6) — A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are nvd · 2026-01-07
- Introducing HUNTER Tuning: a New Tool for Driving Behavioral Threat Hunt Detectionsintel471 · 2026-01-07
- Top 10 web hacking techniques of 2025: call for nominationsportswigger_research · 2026-01-06
- [NVD] CVE-2025-69223 (HIGH 7.5) — AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a zip bomb to be used to execute a DoS against the AIOHTTP server. An attacker may be able to send a compressed request that when decompressed by AIOHTTP could exhaust nvd · 2026-01-05
- Agentic ProbLLMs: Exploiting AI Computer-Use And Coding Agents (39C3 Video + Slides)embracethered · 2025-12-31
- Merry Christmas Day! Have a MongoDB security incident.doublepulsar · 2025-12-26
- 2025-042: Critical Vulnerability in Cisco Secure Email and Web Managercert_eu · 2025-12-18
- Cat’s Got Your Files: Lynx Ransomwaredfirreport · 2025-12-17
- Coordinated Credential-Based Campaign Targets Cisco and Palo Alto Networks VPN Gatewaysgreynoise_blog · 2025-12-17
- There's Payloads, And Then There's pAIloads: A Look At Selected Opportunistic (And Possibly AI-"Enhanced") React2Shell Probes and Attacksgreynoise_blog · 2025-12-17
- Battling check fraud in the U.S.intel471 · 2025-12-16
- Welcome to the new Project Zero Blogproject_zero · 2025-12-16
- Gootloader Malware Updateintel471 · 2025-12-11
- HTTPS certificate industry phasing out less secure domain validation methodsgoogle_security · 2025-12-10
- Shai-Hulud Worm 2.0intel471 · 2025-12-10
- The Fragile Lock: Novel Bypasses For SAML Authenticationportswigger_research · 2025-12-10
- Introducing Saved Searches in Google Threat Intelligence (GTI) and VirusTotal (VT): Enhance Collaboration and Efficiencyvirustotal_blog · 2025-12-10
- Further Hardening Android GPUsgoogle_security · 2025-12-09
- Architecting Security for Agentic Capabilities in Chromegoogle_security · 2025-12-08
- [Breach] Dragonica Lunaris — 126,293 accounts exposedhibp_breaches · 2025-12-06
- Cybersecurity industry overreacts to React vulnerability, starts panic, burns own house down againdoublepulsar · 2025-12-05
- The Normalization of Deviance in AIembracethered · 2025-12-05
- CVE-2025-55182 (React2Shell) Opportunistic Exploitation In The Wild: What The GreyNoise Observation Grid Is Seeing So Fargreynoise_blog · 2025-12-05
- New FvncBot Android banking trojan targets Polandintel471 · 2025-12-04
- Dangerous Invitations: Russian Threat Actor Spoofs European Security Events in Targeted Phishing Attacksvolexity · 2025-12-04
- 2025-041: Critical Security Vulnerability in React Server Componentscert_eu · 2025-12-04
- A Hidden Pattern Within Months of Credential-Based Attacks Against Palo Alto GlobalProtectgreynoise_blog · 2025-12-04
- Android expands pilot for in-call scam protection for financial appsgoogle_security · 2025-12-03
- Small numbers of Notepad++ users reporting security woesdoublepulsar · 2025-12-02
- How GitHub’s agentic security principles make our AI agents as secure as possiblegithub_security_lab · 2025-11-25
- Antigravity Grounded! Security Vulnerabilities in Google's Latest IDEembracethered · 2025-11-25
- White Paper Preview: Black "Fraud Day” and Beyond — The Key Cyber Threats Facing the Retail Sector this Holiday Seasonintel471 · 2025-11-25
- Your IP Address Might Be Someone Else's Problem (And Here's How to Find Out)greynoise_blog · 2025-11-25
- What organisations can learn from the record breaking fine over Capita’s ransomware incidentdoublepulsar · 2025-11-20
- Threat hunting case study: Detecting IAB activityintel471 · 2025-11-20
- Using deception to extract cyber threat intelligenceintel471 · 2025-11-20
- Android Quick Share Support for AirDrop: A Secure Approach to Cross-Platform File Sharinggoogle_security · 2025-11-20
- Lynx Ransomwareintel471 · 2025-11-19
- Palo Alto Scanning Surges 40X in 24 Hours, Marking 90-Day Highgreynoise_blog · 2025-11-19
- FortiWeb CVE‑2025‑64446: What We’re Seeing in the Wildgreynoise_blog · 2025-11-19
- Introducing Query-Based Blocklists: Fully Configurable, Real-Time Threat Blocking in the GreyNoise Platformgreynoise_blog · 2025-11-19
- YAMAGoya: A Real-time Client Monitoring Tool Using Sigma and YARA Rulesjpcert_blog · 2025-11-18
- When Bulletproof Hosting Proves Bulletproof: The Stark Industries Shell Gamegreynoise_blog · 2025-11-17
- Rust in Android: move fast and fix thingsgoogle_security · 2025-11-13
- Qilin Ransomware Groupintel471 · 2025-11-12
- ClickFix: Tricking users into installing infostealersintel471 · 2025-11-11
- Cybercrime Takedowns: Trust, Partnerships and Focusintel471 · 2025-11-11
- Introducing HTTP Anomaly Rankportswigger_research · 2025-11-11
- VTPRACTITIONERS{ACRONIS}: Tracking FileFix, Shadow Vector, and SideWindervirustotal_blog · 2025-11-10
- Reversing at Scale: AI-Powered Malware Detection for Apple’s Binariesvirustotal_blog · 2025-11-06
- Update on Attacks by Threat Group APT-C-60jpcert_blog · 2025-11-05
- How card fraud is powered by underground card checkersintel471 · 2025-11-05
- What GreyNoise Learned from Deploying MCP Honeypotsgreynoise_blog · 2025-11-05
- PHP Cryptomining Campaign: October/November 2025greynoise_blog · 2025-11-04
- CyberSlop — meet the new threat actor, MIT and Safe Securitydoublepulsar · 2025-11-03