Every Windows machine on your network does thousands of DNS lookups a day.
UAT-8616 broke into Cisco SD-WAN controllers earlier this year through CVE-2026-20127. Cisco patched it.
On May 7, Vercel dropped a coordinated security release for Next.js addressing thirteen advisories in one batch.
Microsoft's May Patch Tuesday shipped without a single zero-day — the first clean month since June 2024. Press coverage was almost celebratory.
Georgia Tech's Vibe Security Radar project has been quietly counting since May 2025.
Microsoft dropped a research post on May 7 that should make every team building AI agents stop and audit their tool-calling code tonight.
A 732-byte Python script. Three syscalls.
Apache Polaris mints short-lived, scoped cloud credentials so your Spark and Trino jobs can read Iceberg tables without holding permanent keys.
Sometimes the most devastating bugs are the simplest.
Every few months, a CVSS 10.0 drops and security Twitter loses its collective mind.
Wiz dropped CVE-2026-3854 on April 28 and the headline sounds made up: any authenticated GitHub user could get remote code execution on the backend with...
Somewhere around 3 AM UTC on April 22, an attacker fed a chat completion request to an LMDeploy server.
Users started filing bug reports on April 14 about broken sessions and garbled cookies in their ASP.NET Core 10 apps.
Pluto Security calls it MCPwn, which is about as on-the-nose as vulnerability names get.
Your VPN concentrator is supposed to be the wall between your internal network and the internet.
Cisco published an advisory on April 15 for CVE-2026-20184: a CVSS 9.
Most Python developers haven't looked twice at the gzip module since they first imported it. It compresses, it decompresses, it ships with the language.
Most vulnerability disclosures follow a predictable rhythm.
Everyone noticed when Axios got backdoored on March 31st.