Security & DevSecOps
AppSec, supply-chain, OAuth/JWT, secrets, vulnerabilities and hardening.
In this topic
12 postsGitHub ships innersource security advisories for enterprises
GitHub Advanced Security now lets enterprises publish internal security advisories, visible only within the org's repositories rather than publicly.
AWS Certificate Manager adds ACME for TLS automation
AWS Certificate Manager now supports the ACME protocol, letting you automate issuance and renewal of public TLS certificates with standard, widely adopted tooling.
Bad Epoll: Linux kernel UAF lets any user become root
Bad Epoll (CVE-2026-46242) is a use-after-free in the Linux kernel epoll that lets an unprivileged process gain root; it affects kernels v6.4+ and Android, and a patch is out.
Scattered Spider suspect extradited to the US
DOJ: Peter Stokes (19, dual US-Estonian citizen), alleged Scattered Spider member, was arrested in Finland and extradited to the US on conspiracy, computer intrusion and fraud charges.
CISA: SharePoint RCE (CVE-2026-45659) actively exploited, patch by July 4
CISA added CVE-2026-45659 — a deserialization flaw in Microsoft SharePoint Server that enables remote code execution — to its KEV catalog after confirmed exploitation. U.S. federal agencies must remediate by July 4, 2026; anyone running on-prem SharePoint should patch now per Microsoft's guidance.
Security & DevSecOpsDuneSlide: Two Critical RCE Flaws in Cursor IDE
Cato AI Labs disclosed DuneSlide — two critical RCE flaws (CVSS 9.8, CVE-2026-50548/50549) in Cursor IDE. Zero-click prompt injection writes arbitrary files, escapes the sandbox and takes over the dev machine. Fixed in Cursor 3.0; all earlier versions affected.
Seven FatFs bugs put millions of embedded devices at risk — mostly unpatched
runZero disclosed seven CVEs in FatFs — the FAT/exFAT filesystem driver embedded across ESP-IDF, STM32Cube, Zephyr, MicroPython, ArduPilot and more. The worst, CVE-2026-6682 (CVSS 7.6), is an integer overflow during FAT32 mount that forges file-size metadata and can lead to memory corruption and code execution. Only one of the seven is fixed upstream (R0.16); with the maintainer unresponsive, most remain open.
Adobe patches 11 ColdFusion flaws, six rated CVSS 10.0
Bulletin APSB26-68 fixes 11 flaws in ColdFusion 2025/2023, including six unauthenticated RCEs rated CVSS 10.0; Adobe marks it Priority 1 — update immediately.
817 cybersecurity skills for AI agents
Anthropic-Cybersecurity-Skills bundles 817 structured cybersecurity skills for AI agents, mapped to 6 frameworks including MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS and D3FEND.
SimpleX Chat: messaging with no user identifiers
SimpleX Chat claims to be the first messaging network that operates without any user identifiers, prioritizing privacy and metadata resistance; trending this week.
CISA: PTC Windchill RCE flaw (CVE-2026-12569) under active attack
CISA added a critical RCE in PTC Windchill PDMLink and FlexPLM (CVE-2026-12569, CVSS 9.3) to its KEV catalog on June 26 over evidence of active exploitation. The bug stems from deserialization of untrusted data; attackers are deploying JSP web shells. CISA set a June 28 federal patch deadline.
CISA warns Splunk Enterprise flaw CVE-2026-20253 actively exploited
CISA ordered U.S. federal agencies to patch the critical Splunk Enterprise flaw CVE-2026-20253, now exploited in the wild. It lets unauthenticated attackers create or truncate files via an unauthenticated PostgreSQL sidecar endpoint, enabling RCE.