Code Execution
Critical vm2 sandbox bug lets attackers execute code on hosts
A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system. The security issue is tracked as CVE-2026-26956 and has been confirmed to impact vm2 version 3.10.4, although earlier releases may also be vulnerable. Proof-of-concept (PoC) exploit code has been published. In the security […]
Trend Micro warns of critical Apex One code execution flaws
Japanese cybersecurity software firm Trend Micro has patched two critical Apex One vulnerabilities that allow attackers to gain remote code execution (RCE) on vulnerable Windows systems. Apex One is an endpoint security platform that detects and responds to security threats, including malware, spyware, malicious tools, and vulnerabilities. The first critical Apex One security flaw patched this week […]
Ivanti warns of critical Endpoint Manager code execution flaw
American IT software company Ivanti warned customers today to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely. Ivanti delivers system and IT asset management solutions to over 40,000 companies via a network of more than 7,000 organizations worldwide. The company’s EPM software is an […]
Malicious Blender model files deliver StealC infostealing malware
A Russian-linked campaign delivers the StealC V2 information stealer malware through malicious Blender files uploaded to 3D model marketplaces like CGTrader. Blender is a powerful open-source 3D creation suite that can execute Python scripts for automation, custom user interface panels, add-ons, rendering processes, rigging tools, and pipeline integration. If the Auto Run feature is enabled, […]
W3 Total Cache WordPress plugin vulnerable to PHP command injection
A critical flaw in the W3 Total Cache (W3TC) WordPress plugin can be exploited to run PHP commands on the server by posting a comment that contains a malicious payload. The vulnerability, tracked as CVE-2025-9501, affects all versions of the W3TC plugin prior to 2.8.13 and is described as an unauthenticated command injection. W3TC is installed on more than […]
Steam and Microsoft warn of Unity flaw exposing gamers to attacks
A code execution vulnerability in the Unity game engine could be exploited to achieve code execution on Android and privilege escalation on Windows. Unity is a cross-platform game engine and development platform that provides rendering, physics, animation, and scripting tools for developers to create titles for Windows, macOS, Android, iOS, consoles, and the web. A […]
Cisco warns of IOS zero-day vulnerability exploited in attacks
Cisco has released security updates to address a high-severity zero-day vulnerability in Cisco IOS and IOS XE Software that is currently being exploited in attacks. Tracked as CVE-2025-20352, the flaw is due to a stack-based buffer overflow weakness found in the Simple Network Management Protocol (SNMP) subsystem of vulnerable IOS and IOS XE software, impacting […]
CISA warns of actively exploited Git code execution flaw
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of hackers exploiting an arbitrary code execution flaw in the Git distributed version control system. The agency has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has set the patch deadline for federal agencies to September 15th. Git version control system allows software development […]
Malicious NPM package uses Unicode steganography to evade detection
A malicious package in the Node Package Manager index uses invisible Unicode characters to hide malicious code and Google Calendar links to host the URL for the command-and-control location. The package, named os-info-checker-es6, appears as an information utility and has been downloaded more than 1,000 times since the beginning of the month. Researchers at Veracode, a code security assessment […]
Facebook discloses FreeType 2 flaw exploited in attacks
Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks. FreeType is a popular open-source font rendering library used to display text and programmatically add text to images. It provides functionality to load, rasterize, and render […]