HN · BleepingComputer · Krebs · Dark Reading · SANS · THN Intel · Unit 42 · Security.com
📰 Cybersecurity News Headlines
Top stories from leading cybersecurity publications as of June 30, 2026.
-
Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild
— The Hacker News
A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber. The v… -
ISC Stormcast For Tuesday, June 30th, 2026 https://isc.sans.edu/podcastdetail/9988, (Tue, Jun 30th)
— SANS ISC
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. -
'Djinn' Stealer Targets Cloud, AI Credentials
— Dark Reading
The infostealer was delivered via CVE-2026-48558, a critical authentication bypass vulnerability in SimpleHelp, targeting credentials linkin… -
Vulnerabilities Expose Private Data in Indian Government Systems
— Dark Reading
One critical vulnerability, among many discovered by a researcher, could have allowed anyone to walk in and take over a national government … -
Nissan discloses employee data breach linked to Oracle zero-day attacks
— Bleeping Computer
Nissan is warning that it suffered a data breach affecting current and former employees after threat actors exploited an Oracle PeopleSoft v… -
NAIC says public data stolen in ShinyHunters' PeopleSoft breach
— Bleeping Computer
The National Association of Insurance Commissioners (NAIC) says the ShinyHunters extortion group stole only publicly available data, outdate… -
Can Clothes Make You Invisible to Facial Recognition?
— Dark Reading
Does life feel Orwellian sometimes? One researcher has a solution for you: graphic tees that confuse the neural networks in surveillance cam… -
Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input
— The Hacker News
Microsoft has found a malicious Chrome extension that posed as the AI search engine Perplexity and quietly logged what people searched for. … -
WhatsApp rolls out usernames to help users hide their phone number
— Bleeping Computer
WhatsApp is finally allowing users to reserve usernames, a privacy feature that lets them hide their phone numbers from people not in their … -
WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private
— The Hacker News
WhatsApp on Monday officially announced the start of global reservations of usernames with an aim to protect the privacy of more than three … -
Adding some Automation to the favicon.ico method of Host Recon, (Mon, Jun 29th)
— SANS ISC
I'm in the throes of target host recon for another pentest, and thought I'd share some workflow / auto… -
ISC Stormcast For Monday, June 29th, 2026 https://isc.sans.edu/podcastdetail/9986, (Mon, Jun 29th)
— SANS ISC
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
🪲 NVD — Last 20 Scored Vulnerabilities
Latest scored CVEs from the National Vulnerability Database (7409 in last 30 days).
Critical: 2 · High: 9 · Medium: 9 · Low: 0. View full dashboard →
-
CVE-2026-8944
— CVSS 4.3 (MEDIUM)
The Plugin for Google Analytics by IO technologies plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the Googl⦠-
CVE-2026-12560
— CVSS 4.4 (MEDIUM)
The Editorial Rating – Product Review & Rating System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'Link URL' Field in all versions up to, and including, 4.0.5 due to insufficient input sanitiz⦠-
CVE-2026-12349
— CVSS 5.3 (MEDIUM)
The Premium Addons for KingComposer plugin for WordPress is vulnerable to unauthorized modification and loss of data in versions up to, and including, 1.1.1. This is due to missing authorization and capability checks on ⦠-
CVE-2026-12073
— CVSS 9.8 (CRITICAL)
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not valid⦠-
CVE-2026-11367
— CVSS 6.5 (MEDIUM)
The PixMagix – WordPress Image Editor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.2 via the move_image_on_server function. This makes it possible for authenticate⦠-
CVE-2026-14160
— CVSS 5.9 (MEDIUM)
Time-of-check time-of-use (TOCTOU) race condition vulnerability in Samsung Open Source Escargot allows Leveraging Race Conditions.This issue affects Escargot: bab3a5797557014ce3c2e28419a6310cfba90d0d.
-
CVE-2026-12114
— CVSS 4.4 (MEDIUM)
The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitizat⦠-
CVE-2026-58302
— CVSS 8.4 (HIGH)
rtapi_app in linuxcnc-uspace in LinuxCNC before 2.9.9 allows privilege escalation. It is installed SUID root and loads shared library modules via dlopen() by using a user-supplied module name. Insufficient validation of ⦠-
CVE-2026-12243
— CVSS 7.5 (HIGH)
NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk/data.py` checks for literal `../` sequences but fails to account fo⦠-
CVE-2026-8023
— CVSS 7.5 (HIGH)
Zephyr's HTTP server (subsys/net/lib/http) provides a static-filesystem resource type (HTTP_RESOURCE_TYPE_STATIC_FS, available when CONFIG_FILE_SYSTEM is enabled) that serves files from a configured root directory. Befor⦠-
CVE-2026-7656
— CVSS 8.1 (HIGH)
The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect boolean expression that combined the RFC 4861 validity checks with the ICMPv6 code ch⦠-
CVE-2026-10648
— CVSS 6.2 (MEDIUM)
mcumgr_serial_process_frag() in subsys/mgmt/mcumgr/transport/src/serial_util.c calls net_buf_reset() on the result of smp_packet_alloc() before checking it for NULL. smp_packet_alloc() uses net_buf_alloc(K_NO_WAIT) again⦠-
CVE-2026-57997
— CVSS 4.8 (MEDIUM)
Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possess⦠-
CVE-2026-34592
— CVSS 7.7 (HIGH)
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, Coolify server and project lookups are not scoped to the current team, allowing any authenticat⦠-
CVE-2026-10647
— CVSS 5.3 (MEDIUM)
The USB CDC-NCM device class (subsys/usb/device_next/class/usbd_cdc_ncm.c) ignores the return value of usbd_ep_enqueue() in its ethernet transmit callback cdc_ncm_send(). When the enqueue fails, the function still calls ⦠-
CVE-2026-41896
— CVSS 7.5 (HIGH)
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, the HMAC key is the application's manual_webhook_secret_github field, which is used by Coolify'⦠-
CVE-2026-34597
— CVSS 8.8 (HIGH)
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution (RCE) vulnerability was discovered in Cooli⦠-
CVE-2026-34594
— CVSS 8.8 (HIGH)
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, an authenticated command injection vulnerability in the Destination Network Management function⦠-
CVE-2026-57919
— CVSS 7.8 (HIGH)
PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\.pipePBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileg⦠-
CVE-2026-57498
— CVSS 9.6 (CRITICAL)
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, Coolify's API controllers consistently validate server ownership with Server::whereTeamId($teamâ¦
Source: NVD CVE API 2.0
Generated by CryptXNet.ai Threat Intelligence Platform · June 30, 2026 · Sources: The Hacker News, Bleeping Computer, Krebs on Security, Dark Reading, SANS ISC, THN Threat Intel, Unit 42, Security.com
Leave a Comment