Security researchers have demonstrated a method to bypass nonce-based Content Security Policy (CSP) protections using HTML injection, CSS-based nonce leakage, and browser cache manipulation.

A critical vulnerability identified as CVE-2025-47812 affects Wing FTP Server versions v7.4.3 and earlier. Wing FTP released a security update on May 14, 2025, to address this issue. Proof-of-concept exploit code is publicly available.

A newly disclosed vulnerability in the Python-based data-exfiltration utility used by the notorious Cl0p ransomware group has exposed the cybercrime operation itself to potential attack. The vulnerability is rated 8.9 (High) on the CVSS 4.0 scale.

A newly disclosed vulnerability in ModSecurity, a widely used open-source web application firewall (WAF), exposes servers to denial-of-service (DoS) attacks by exploiting a flaw in the way the software parses empty XML elements.

A critical vulnerability (CVE-2025-6561) in Hunt Electronics’ hybrid DVRs (models HBF-09KD and HBF-16NK) allows unauthenticated remote attackers to access configuration files containing plaintext administrator credentials.

A significant surge in scanning and exploitation activity has been observed targeting Progress Software’s MOVEit Transfer platform. Over 682 unique IP addresses have been identified in scanning operations.

A vulnerability in Kubernetes, tracked as CVE-2025-4563, allows compromised nodes to bypass authorization checks for dynamic resource allocation. It can lead to privilege escalation in clusters where specific configurations are enabled.

NVIDIA addressed two high-severity vulnerabilities—CVE-2025-23264 and CVE-2025-23265—in open-source Megatron-LM framework, addressing . These flaws allow attackers to inject and execute malicious code via specially crafted files.

A recent phishing campaign has compromised over 2,000 devices by impersonating the U.S. Social Security Administration (SSA). The attackers used a convincing email lure to redirect victims to a fake SSA webpage hosted on Amazon Web Services (AWS).

A widespread and highly coordinated phishing campaign is targeting U.S. citizens by impersonating state Departments of Motor Vehicles (DMVs). The campaign uses smishing tactics to steal personal and financial data through fake DMV websites.