Canada’s Spy Agency Used First-of-Its-Kind Warrant to Clean Botnet-Infected Devices

Canada's spy service got a judge's permission to reach into infected servers, home routers, and IoT gear sitting on Canadian soil and neutralize two foreign-run botnets. The Federal Court released a public version of the ruling on June 15. It is the first time the Canadian Security Intelligence...

CVE-2026-49287 Statamic CMS vulnerable to unsafe method invocation via collection sorting allows data destruction

Statamic is a Laravel and Git powered content management system CMS. Prior to 5.73.23 and 6.20.0, the fix for CVE-2026-41175 was incomplete. It addressed the issue in the query builder, but the same protection was not applied to in-memory collection sorting. Manipulating sort parameters could...

CVE-2026-11846

The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has an Arbitrary File Deletion vulnerability, allowing authenticated remote attackers to exploit this vulnerability to delete arbitrary system files or directories, resulting in data destruction or service disruption...

MAL-2026-5303 Malicious code in rlask (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 baacd735e23c83962845507427fa53c89bdc2e8e0456dbbce6f00a91bf4fe002 Typosquatting package published from a compromised account with an obfuscated infostealer. The infostealer is a heavily obfuscated JavaScript code executed usi...

PT-2026-42511

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/sit incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, ...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: ext4: Added idatasem protection in ext4destroyInlinedatanolock Fixed a race condition between inline data destruction and block mapping. The function ext4destroyInlinedatanolock changes the inode data layout by clearing...

CVE-2026-31215

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /indexname/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied pathorurl parameter...

CVE-2026-31215

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /indexname/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied pathorurl parameter...

Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak

American educational technology company Instructure, the parent company of Canvas, said it reached an "agreement" with a decentralized cybercrime extortion group after it breached its network and threatened to leak stolen information from thousands of schools and universities. In an update shared...

PT-2026-40054

Name of the Vulnerable Software and Affected Versions nexent version 1.7.5.2 Description The backend service contains an unauthorized arbitrary file deletion issue within its ElasticSearch service interface. The 'DELETE /index name/documents' endpoint lacks proper authentication and authorization...

CVE-2026-31215

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface. The DELETE /indexname/documents endpoint lacks proper authentication and authorization controls and does not validate the user-supplied pathorurl parameter...

GHSA-9G2Q-W3W2-VF7Q Kimai has Missing Voter Check that Allows Cross-Team Timesheet Manipulation

Summary Any ROLETEAMLEAD user can enumerate, read, modify, and permanently delete timesheets belonging to any other user in the system — regardless of team membership. This enables data destruction deleted billable hours, data tampering forged timesheet durations, and full authorization bypass on...

Paying Ransom Won’t Help as VECT 2.0 Ransomware Destroys Data Irreversibly

VECT 2.0 ransomware contains fatal flaws that permanently destroy files, making recovery impossible and rendering ransom payments useless for victims worldwide...

VECT 2.0 Ransomware Irreversibly Destroys Files Over 131KB on Windows, Linux, ESXi

Threat hunters are warning that the cybercriminal operation known as VECT 2.0 acts more like a wiper than a ransomware due to a critical flaw in its encryption implementation across Windows, Linux, and ESXi variants that renders recovery impossible even for the threat actors. The fact that VECT's...

CVE-2026-41175 Statamic: Unsafe method invocation via query value resolution allows data destruction

Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007614)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007614 advisory. In the Linux kernel, the following vulnerability has been resolved: ext4: add idatasem protection in ext4destroyinlinedatanolock Fix a race between inline data...

Flowise: Cypher Injection in GraphCypherQAChain

Summary The GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deletio...

GHSA-564F-WX8X-878H Vikunja read-only users can delete project background images via broken object-level authorization

Summary The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image. Details The RemoveProjectBackground handler pkg/modules/background/handler/background.g...

Vikunja read-only users can delete project background images via broken object-level authorization

Summary The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image. Details The RemoveProjectBackground handler pkg/modules/background/handler/background.g...

IBM DB2 Recovery Expert 安全漏洞

IBM DB2 Recovery Expert is a database recovery tool developed by IBM. Version 5.5 IF 2 of IBM Db2 Recovery Expert contains a security vulnerability. This vulnerability stems from an insecure mechanism used to verify data integrity during transmission, which could allow attackers to modify or...