New Fragnesia Linux flaw lets attackers gain root privileges

Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability that allows attackers to run malicious code as root.

Known as Fragnesia and tracked as CVE-2026-46300, this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.

Zellic’s head of assurance, William Bowling, who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit. It achieves a memory-write primitive in the kernel, which it uses to corrupt the page cache memory of the /usr/bin/su binary and get a shell with root privileges on vulnerable systems.

Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin

Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites.

Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics.

The flaw, tracked as CVE-2026-8181, was introduced on April 23 with the release of version 3.4.0 of the plugin. The vulnerable code was also present in the following iteration, version 3.4.1.

TeamPCP hackers advertise Mistral AI code repos for sale

The TeamPCP hacker group is threatening to leak source code from the Mistral AI project unless a buyer is found for the data.

In a post on a hacker forum, the threat actor is asking $25,000 for a set of nearly 450 repositories.

Mistral AI is a French artificial intelligence company founded by former researchers from Google’s DeepMind and Meta, which provides open-weight large language models (LLMs), both open source and proprietary.

OpenAI confirms security breach in TanStack supply chain attack

OpenAI says two employees’ devices were breached in the recent TanStack supply chain attack that impacted hundreds of npm and PyPI packages, causing the company to rotate code-signing certificates for its applications as a precaution.

In a security advisory published today, the company said the incident did not impact customer data, production systems, intellectual property, or deployed software.

The company says the breach is linked to the recent “Mini Shai-Hulud” supply-chain campaign by the TeamPCP extortion gang, which targeted developers by slipping malicious updates into trusted and popular software packages.

Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026

On the first day of Pwn2Own Berlin 2026, security researchers collected $523,000 in cash awards after exploiting 24 unique zero-days.

Today’s highlight was the attempt by Orange Tsai, who was awarded $175,000 in rewards after chaining 4 logic bugs to achieve a sandbox escape on Microsoft Edge.

Windows 11 was also hacked three times by Angelboy and TwinkleStar03 (working with the DEVCORE Internship Program), Marcin Wiązowski, and Kentaro Kawane of GMO Cybersecurity, each earning $30,000 in cash rewards for demonstrating new privilege escalation zero-days.

Dell confirms its SupportAssist software causes Windows BSOD crashes

Dell confirmed that its SupportAssist software is causing blue-screen crashes on some Windows systems following a wave of user reports about random reboots affecting Dell devices since Friday.

SupportAssist is a software suite developed by Dell that comes pre-installed on most new Dell computers running Windows 10 or Windows 11.

A Dell representative told customers on the company’s official forums on Wednesday that the latest SupportAssist Remediation service update is the one triggering 0xEF_DellSupportAss_BUGCHECK_CRITICAL_PROCESS errors and advised them to remove the service to resolve the crashes.
