Researchers have developed a new laser-based method that can rotate microscopic samples in all three spatial directions without touching them.
Get the latest international news and world events from around the world.
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
According to Rapid7, which discovered CVE-2026–20182, the shortcoming has its echoes in CVE-2026–20127 (CVSS score: 10.0), another critical authentication bypass impacting the same component. The latter is said to have been exploited by a threat actor called UAT-8616 since at least 2023.
“This new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026–20127,” Rapid7 researchers Jonah Burgess and Stephen Fewer said. “The new vulnerability is not a patch bypass of CVE-2026–20127. It is a different issue located in a similar part of the ‘vdaemon’ networking stack.”
That said, the end result is the same: a remote unauthenticated attacker can abuse CVE-2026–20182 to become an authenticated peer of the target appliance and carry out privileged operations.
New Fragnesia Linux flaw lets attackers gain root privileges
Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability that allows attackers to run malicious code as root.
Known as Fragnasia and tracked as CVE-2026–46300, this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.
Zellic’s head of assurance, William Bowling, who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit that achieves a memory-write primitive in the kernel that is used to corrupt the page cache memory of the /usr/bin/su binary to get a shell with root privileges on vulnerable systems.
Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites.
Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics.
The flaw, tracked as CVE-2026–8181, was introduced on April 23 with the release of version 3.4.0 of the plugin. The vulnerable code was also present in the following iteration, version 3.4.1.
TeamPCP hackers advertise Mistral AI code repos for sale
The TeamPCP hacker group is threatening to leak source code from the Mistral AI project unless a buyer is found for the data.
In a post on a hacker forum, the threat actor is asking $25,000 for a set of nearly 450 repositories.
Mistral AI is a French artificial intelligence company founded by former researchers from Google’s DeepMind and Meta, which provides open-weight large language models (LLMs), both open source and proprietary.