Critical vm2 sandbox bug lets attackers execute code on hosts
…Proof-of-concept (PoC) exploit code has been published. In the security advisory, the maintainer says that the issue only impacts environments with Node.js 25 (confirmed on Node.js 25.6…
…Mythos represents a step up at writing exploits, but current models are capable, too. Security researchers are already using more widely available models to report vulnerabilities to vendors before they’re exploited…
…40,000), Satoki Tsuji and haehae exploiting NVIDIA Megatron Bridge zero-days ($20,000), Compass Security and maitai of Doyensec hacking OpenAI's Codex coding agent (each earning $40,000), haehae dropping…
…On Friday, Belgium's national cybersecurity authority (CCB) warned that attackers are now actively exploiting the CVE-2026-41089 security flaw in the wild and urged admins to immediately patch vulnerable servers…
This is something that has been bouncing around my head for the past couple of weeks with the flood of security-related news around Mythos and the number of 0days being found. Microkernels, unikernels, hardware-enforced capa…
For over a decade, I’ve been doing bug bounty, security audits, and security consulting. And if there’s one thing I’ve seen repeatedly, it’s this: Most startups call a security engineer or hire a security agency only when…
The traditional vulnerability disclosure timeline relies on a fundamental assumption: exploit development and vulnerability discovery take time. Over the last 12 months the integration of LLMs into offensive tooling has …
I've been running a small fleet of honeypots for about a year. They get hit by a mix of research scanners (Censys, Shadowserver, etc.), old worms, and a bump of CVE probes the day a new Nuclei template ships. The data wa…
…Hackers can also gain root as long as they have access to a separate exploit that gives a toehold into a machine. Exploit code was leaked online three days ago and works…
…In this day and age, when AI-powered security research has arguably made the standard 90-day disclosure-to-patch window completely obsolete, and both time-until-exploit and unused exploits are…
…Cybersecurity and Infrastructure Security Agency (CISA) added a newly disclosed Linux vulnerability, dubbed “Copy Fail,” to its Known Exploited Vulnerabilities catalog on May 1st, warning that the flaw, tracked as CVE-2026…
…They appear to be doing just that, as Microsoft reports that elevation-of-privilege vulnerability CVE-2026-41091 has publicly known exploit code. Exploiting this security vulnerability grants the attacker system privileges…
Google on Wednesday published exploit code for an unfixed vulnerability in its Chromium browser codebase that threatens millions of people using Chrome, Microsoft Edge, and virtually all other Chromium-based browsers. The…
…Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users. Microsoft describes this security flaw (CVE-2026…