114 matches found

Packet Storm News
added 2026/05/26 12:0 a.m. | 7 views

Lessons from Penetration Tests on Large-Scale Agent Systems

As AI systems gain increasing autonomy and execution capability, the number of discovered security vulnerabilities continues to rise. However, many of these vulnerabilities are not fundamentally novel, but instead reflect recurring classes of weaknesses long observed in prior computing systems...

AI score: 6
Exploits: 0

Packet Storm News
added 2026/04/21 12:0 a.m. | 2 views

Insights into Security-Related AI-Generated Pull Requests

Recent years have experienced growing contributions of AI coding agents that assist human developers in various software engineering tasks. However, this growing AI-assisted autonomy raises questions about security and trust. In this paper, we analyze more than 33,000 AI-generated pull requests P...

AI score: 5.8
Exploits: 0

Positive Technologies
added 2026/04/08 12:0 a.m. | 2 views

PT-2026-31460

monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deleti...

CVSS: 5.7 | AI score: 5.9 | EPSS: 0.0001
Exploits: 0 | References: 2

Vulnrichment
added 2026/04/07 7:40 a.m. | 3 views

CVE-2026-3177 Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook...

CVSS: 5.3 | AI score: 5.9 | EPSS: 0.00009
Exploits: 0 | References: 2

The Hacker News
added 2026/03/06 10:30 a.m. | 4 views

The MSP Guide to Using AI-Powered Risk Management to Scale Cybersecurity

Scaling cybersecurity services as an MSP or MSSP requires technical expertise and a business model that delivers measurable value at scale. Risk-based cybersecurity is the foundation of that model. When done right, it builds client trust, increases upsell opportunities, and drives recurring...

AI score: 6
Exploits: 0

Positive Technologies
added 2026/03/05 12:0 a.m. | 1 views

PT-2026-23407

Name of the Vulnerable Software and Affected Versions: HumHub Calendar module versions prior to 1.8.11. Description: The Calendar module for HumHub allows users to create and manage events. A stored cross-site scripting (XSS) issue exists in the Event Types functionality of the Calendar module for...

CVSS: 6.9 | AI score: 5.7 | EPSS: 0.00048
Exploits: 0 | References: 5

RedhatCVE
added 2026/02/07 7:31 p.m. | 2 views

CVE-2026-24776

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting or is the backlog, in case of recurring meetings. This allowed a...

CVSS: 4.3 | AI score: 5.5 | EPSS: 0.00042
Exploits: 0 | References: 1

ATTACKERKB
added 2026/02/06 5:56 p.m. | 2 views

CVE-2026-24776

OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting or is the backlog, in case of recurring meetings. This...

CVSS: 4.3 | AI score: 5.6 | EPSS: 0.00042
Exploits: 0 | References: 3 | Affected Software: 1

Packet Storm News
added 2026/01/25 12:0 a.m. | 3 views

Multi-Agent End-To-End Vulnerability Management for Mitigating Recurring Vulnerabilities

Software vulnerability management has become increasingly critical as modern systems scale in size and complexity. However, existing automated approaches remain insufficient. Traditional static analysis methods struggle to precisely capture contextual dependencies, especially when vulnerabilities...

AI score: 6
Exploits: 0

The Hacker News
added 2026/01/21 11:58 a.m. | 6 views

Webinar: How Smart MSSPs Using AI to Boost Margins with Half the Staff

Every managed security provider is chasing the same problem in 2026 — too many alerts, too few analysts, and clients demanding "CISO-level protection" at SMB budgets. The truth? Most MSSPs are running harder, not smarter. And it's breaking their margins. That's where the quiet revolution is...

AI score: 5.8
Exploits: 0

OSV
added 2025/11/13 3:23 a.m. | 1 views

MAL-2025-186933 Malicious code in extremophile-geochemistry-dendrochronology-ursa (npm)

Source: amazon-inspector bea310cfefb66f08a96c3188538369447bd04612535e404ae87469b672b6668c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.8
Exploits: 0

OSV
added 2025/11/12 4:47 p.m. | 1 views

MAL-2025-162945 Malicious code in nokire-loklok87 (npm)

Source: amazon-inspector 74f89617c949b607dbb75038554e2c6137d943188e70f7ccc12449287feb675f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.8
Exploits: 0

OSV
added 2025/11/12 4:29 a.m. | 1 views

MAL-2025-142992 Malicious code in got-uninstall-dotenv-safe-test (npm)

Source: amazon-inspector 49759109d1cc0acaae0d1c9cb915f880b6b52ed3d85f7b976f092eaec0eb2d96 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.8
Exploits: 0

OSV
added 2025/11/11 7:44 a.m. | 1 views

MAL-2025-105277 Malicious code in lively_caribou-appteadev (npm)

Source: amazon-inspector af718d1598669d34a88f13b774722c0c75f7ad4887326c04add60df7fc0e6e3d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.8
Exploits: 0

Positive Technologies
added 2025/11/05 12:0 a.m. | 3 views

PT-2025-45067

Name of the Vulnerable Software and Affected Versions: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction versions prior to 2.16.5. Description: The plugin is susceptible to unauthorized data modification because of a missing capability and validation...

CVSS: 5.3 | AI score: 6.4 | EPSS: 0.0007
Exploits: 0 | References: 4

RedhatCVE
added 2025/10/31 10:7 p.m. | 3 views

CVE-2011-10038

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

CVSS: 5.4 | AI score: 6.2 | EPSS: 0.00501
Exploits: 0 | References: 1

NVD
added 2025/10/30 10:15 p.m. | 1 views

CVE-2011-10038

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

CVSS: 5.4 | EPSS: 0.00501
Exploits: 0 | References: 2

Vulnrichment
added 2025/10/30 9:55 p.m. | 1 views

CVE-2011-10038 Nagios XI < 2011R1.9 XSS via Recurring Downtime Script

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

CVSS: 5.1 | AI score: 5.8 | EPSS: 0.00501
Exploits: 0 | References: 2

CVE
added 2025/10/30 9:55 p.m. | 5 views

CVE-2011-10038

Nagios XI (

CVSS: 5.4 | AI score: 5.8 | EPSS: 0.00501
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2025/10/30 9:55 p.m. | 4 views

CVE-2011-10038 Nagios XI < 2011R1.9 XSS via Recurring Downtime Script

Nagios XI versions prior to 2011R1.9 are vulnerable to cross-site scripting (XSS) via the recurring downtime script of the web interface. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser...

CVSS: 5.1 | EPSS: 0.00501
Exploits: 0 | References: 2