Guides, analysis, and actionable security advice for startup founders and CTOs. Stay informed about the threats that matter to your business.
Two June 2026 bugs change when you patch, not just whether: CVE-2026-11645 (Chrome V8, actively exploited) and CVE-2026-45657 (wormable Windows Kernel RCE, C...
BerriAI LiteLLM command-injection flaw (CVSS 8.8) is actively exploited and in CISA KEV. Here's why AI tooling is now supply-chain attack surface and a concr...
You're about to launch a Cursor / Lovable / v0 MVP and you're not sure whether a free security scan is enough or you actually need a pentest. Here's the honest decision framework — what each catches, what each misses, and how to tell which one your launch needs.
CVE-2026-27771 let anyone on the internet pull private container images from Gitea with zero credentials. Healthcare, aerospace, and critical infrastructure exposed. Patch to 1.26.2 now.
Iranian state-sponsored APT Nimbus Manticore is using AI-coded malware, phishing, and SEO poisoning to target aviation and software firms across the US, Europe, and Middle East.
A critical 18-year-old heap buffer overflow in NGINX's rewrite module (CVE-2026-42945, CVSS 9.2) is being actively exploited in the wild. PoC is public. Here's what every NGINX operator needs to know.
Microsoft patched a CVSS 8.8 deserialization RCE in SharePoint Server. Any authenticated Site Member can trigger it — no admin rights needed. Patch immediately.
A cross-ecosystem supply chain campaign deployed 34+ malicious packages and 384+ versions across npm, PyPI, and Crates.io to steal developer credentials and crypto wallets. Here's what you need to know.
The Lazarus Group is targeting financial and crypto firms with RemotePE, a fileless RAT that runs entirely in memory. No disk artifacts, no traditional IOCs — and standard EDR may miss it entirely.
MCP's tool-result schema carries no attestable provenance. ToolAnnotations are advisory, not security boundaries. The official fetch server pipes attacker-controlled content straight into model context. Here's the confused-deputy chain, the DNS rebinding footgun, and concrete detection rules.
The Crunchyroll breach wasn't a direct attack — it was a supply-chain pivot through a compromised Telus employee account. Here's the attack chain, the indicator categories to watch, and how to hunt for this class of threat.
The Megalodon campaign injected malicious CI/CD workflows into 5,561 repos using forged bot identities. Cloud credentials, SSH keys, and OIDC tokens were harvested at scale. Here's what happened and how to protect your pipeline.
Cisco fixed CVE-2026-20223, a maximum-severity REST API flaw in Secure Workload that lets unauthenticated attackers gain Site Admin privileges, access sensitive data, and modify configs across tenant boundaries.
Your first $1K customer's data is worth more than the legal exposure of skipping this. 17 items in 3 tiers, before launch. No four-figure consultant.
Six months of running a closet pentest lab told me commercial SOAR is broken at indie scale. AEGIS is the open-source XDR+SOAR+SIEM I wrote to fix it.
Three vulnerabilities AI-coding assistants introduce that aren't in their training data — and the 5-minute self-audit that catches them before launch.
CVE-2026-3909 and CVE-2026-3910 put 3.5 billion Chrome users at risk. This is a 2026 roundup of the Skia and V8 attack surface — what the vulnerabilities are, why browser engine bugs are hard to kill, and what defenses actually reduce exposure.
Drupal patched a maximum-severity SQL injection flaw (CVE-2026-9082) in SA-CORE-2026-004. Unauthenticated attackers can exploit PostgreSQL-backed sites for RCE. Here's what defenders need to do now.
Microsoft took down Fox Tempest, a malware-signing-as-a-service that created 1,000+ fraudulent code-signing certificates for ransomware gangs like Qilin, Akira, and INC.
The TeamPCP hacking group exfiltrated 3,800+ internal GitHub repositories after an employee installed a malicious VS Code extension, bypassing enterprise security.
A malicious update to the popular Nx Console VS Code extension targeted 2.2M+ developers, injecting a 498 KB obfuscated payload to steal cloud and CI/CD credentials.
Attackers used a stolen GitHub token to download Grafana's full codebase and demanded a ransom. Grafana refused. Here's what happened and what it means for your CI/CD pipeline.
Russian APT Turla transformed its Kazuar backdoor into a modular P2P botnet for persistent government access. Microsoft, Palo Alto, and BleepingComputer all tracked the evolution.
CVE-2026-20182 is a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN under active exploitation. CISA added it to KEV with a May 17 deadline. Here's what SD-WAN admins need to do now.
CVE-2026-42897 is a CVSS 8.1 reflected XSS zero-day in Exchange OWA actively exploited in the wild. On-prem Exchange 2016, 2019, and SE are affected. Here's what defenders need to do now.
Researchers at Cyera discovered four chainable OpenClaw vulnerabilities enabling data theft, privilege escalation, and persistence. 245,000 public instances are exposed. Here's what you need to do.
CVE-2026-42945 is a heap buffer overflow in NGINX's rewrite module hiding since 2008. CVSS 9.2, unauthenticated RCE, PoC public. Here's what defenders need to do now.
CVE-2026-44338 in PraisonAI ships auth disabled by default. Scanners hit exposed instances within 4 hours of disclosure. Here's why AI agent frameworks are the new attack surface.
Two critical Hugging Face vulnerabilities — CVE-2026-0599 in Text Generation Inference and unauthenticated RCE in LeRobot — expose AI deployment pipelines. Patch now.
Microsoft's May 2026 Patch Tuesday fixes 138 CVEs including two CVSS 9.8 RCE flaws in Windows Netlogon and DNS Client. Domain controllers are the priority target.
Google's Threat Intelligence Group confirmed the first known case of hackers using AI to develop a zero-day exploit that bypasses 2FA on a popular open-source web admin tool.
A use-after-free vulnerability in Exim's BDAT parsing (CVE-2026-45185, aka Dead.Letter) affects versions 4.97-4.99.2 with GnuTLS. Patch to 4.99.3 immediately.
The self-spreading npm worm Mini Shai-Hulud compromised 172+ packages across npm and PyPI, targeting CI/CD secrets. TeamPCP is behind the attack.
Hugging Face ecosystem under fire: CVE-2026-0599 crashes TGI servers via unbounded image fetching, while CVE-2026-25874 gives unauthenticated RCE on LeRobot via pickle deserialization. Patch now.
A typosquatted OpenAI repository reaching #1 on Hugging Face pushed malware to 244K downloads. Here's what developers need to do now.
CVE-2026-43284 and CVE-2026-43500 chain two kernel page-cache flaws for deterministic root escalation. Public PoC available. Here's what to patch.
A founder's first-person account of shipping a project management SaaS, discovering a BOLA on day 3, notifying 40 users, and what the $29 fix would have looked like before launch.
Eight security checks — with curl commands and code fixes — that every indie dev should run before launch. Auth, BOLA, CSP, CORS, rate-limiting, JWT, secrets, admin endpoints.
Real findings from 100 Lovable, Cursor, and Replit MVPs. 73 had broken object-level authorization. Here are the 3 patches every vibe-coded app needs before launch.
CISA added CVE-2026-6973 to KEV with a May 10 deadline. 850+ Ivanti EPMM instances are exposed online. Here's what defenders need to do now.
Apache patched CVE-2026-23918, a critical double-free vulnerability in HTTP/2 handling that enables denial-of-service and potential remote code execution. CVSS 8.8. Patch to 2.4.67 immediately.
The 10 most common Next.js API bugs in startup pentests: missing auth, BOLA, exposed env vars, CSRF. Code examples and fixes to ship before launch.
What a pentest is, what it costs, and the 3-phase plan indie devs use before launch. Skip the $5K consultant — start with Sable's free scan instead.
El pentesting explicado para devs: las 3 fases y cómo hacer un check antes del launch. Empieza gratis con Sable en tu terminal ahora.
50 actionable checks — auth, BOLA, secrets, headers, deps — before your Product Hunt launch. Use Sable's free scan to automate the ones that matter.
La lista de seguridad para Supabase en prod: RLS, service_role key, storage y los 15 errores más comunes. Sable los detecta en un scan pre-launch.
Microsoft confirmed active exploitation of CVE-2026-32202, a Windows Shell spoofing flaw leaking NTLM hashes via malicious LNK files. CISA set a May 12 patch deadline.
A critical cPanel & WHM auth bypass (CVSS 9.8) was exploited as a zero-day for months. 1.5M servers affected. CISA added it to KEV. Here's what you need to know.
A critical cPanel & WHM zero-day (CVSS 9.8) was exploited for months before a patch dropped. Here's the technical breakdown and what to do now.
France Titres (formerly ANTS) confirmed a cyberattack exposing 19M records including passports, national IDs, and driver's licenses. French prosecutors linked the breach to a 15-year-old hacker.
CVE-2026-34621 (CVSS 8.6) is a prototype pollution + use-after-free in Adobe Acrobat Reader's JavaScript engine. Exploited via malicious PDFs in phishing campaigns since November 28, 2025. CISA KEV April 13, 2026. Technical breakdown, IOCs, detection rules, and patch verification for the 134-day in-the-wild window.
Critical authentication bypass (CVSS 9.8) in cPanel & WHM via CRLF injection in cpsrvd. Exploited in the wild since February 23, patched April 28. Full technical breakdown, detection rules, mitigation, and post-compromise checklist for hosting providers.
From tj-actions/changed-files (CVE-2025-30066, 23,000 repos) to Trivy (hackerbot-claw, March 2026) to Bitwarden CLI (April 2026). Real cases, IOCs, the pull_request_target misconfiguration that ties them together, and detection rules CI/CD teams can deploy today.
Three documented Kubernetes privilege escalation paths from 2026: Graham Helton's nodes/proxy → cluster-wide RCE disclosure (January), CVE-2026-33105 in Azure Kubernetes Service (CVSS 10.0, April), and Kyverno's ConfigMap context bypass for multi-tenant clusters. Detection rules and RBAC patterns that prevent them.
A Broken Object Level Authorization (BOLA) flaw in Lovable's backend let any free-tier account read source code, Supabase credentials, and AI chat histories of other users' projects. Disclosed via HackerOne March 3 2026, marked duplicate, demonstrated publicly April 20. Affects projects created before November 2025. Five API calls is all it took.
A critical API authentication flaw in Itron smart meters exposed 28 million utility customer records. Attackers exfiltrated consumption data and physical addresses. Detection and mitigation guidance for utility operators.
A critical SSRF flaw in LMDeploy's vision-language module was exploited just 12 hours after disclosure. Learn how it works and what to patch.
From CVE-2024-37032 'Probllama' (Wiz, 2024 path traversal) to the Out-Of-Bounds Write in MLLAMA parsing (all versions before 0.7.0) to ZipSlip in server/model.go. Why Ollama keeps shipping RCEs at the model-load boundary, and what to do if you self-host.
Researchers disclosed a critical RCE in Anthropic's Model Context Protocol affecting 7,000+ public servers and 150M downloads. Here's the payload pattern and how AEGIS L1 fast-path blocks it in microseconds.
Booking.com confirmed unauthorized third-party access to reservation data this week. The exposure didn't come from the core platform — it came from the vendor chain. Here's what failed and how to test for it.
ADT, the largest US home security company, has confirmed a data breach after the ShinyHunters extortion group leaked records belonging to roughly 10 million customers.
CISA orders federal agencies to patch BlueHammer flaw as researchers disclose three Windows Defender zero-days being exploited in the wild.
FulcrumSec explotó una vulnerabilidad React sin parchear y robó 3.9M de registros de LexisNexis, incluyendo datos de jueces federales, fiscales del DOJ y personal de la SEC.
Google lanzó una actualización de emergencia para Chrome 146 corrigiendo CVE-2026-3909 y CVE-2026-3910 — dos zero-days en Skia y V8 con exploits activos en la vida real. 3,500 millones de usuarios en riesgo.
El grupo ransomware iraní Pay2Key vuelve después de 5 años con un modelo RaaS más agresivo, 80% de ganancias para atacantes y foco en EEUU e Israel. Todo lo que necesitas saber.
El grupo LAPSUS$ afirma haber robado 3GB de AstraZeneca: código fuente, credenciales cloud e información interna. AstraZeneca no ha confirmado. Lo que sabemos.
TeamPCP — el grupo detrás del ataque a Trivy — lanzó CanisterWorm, un gusano npm que se auto-propaga por 135 paquetes usando tokens robados y un C2 en blockchain imposible de derribar.
Un atacante exfiltró 100GB de datos de Crunchyroll en 24 horas usando acceso de un empleado de Telus. 15M+ suscriptores potencialmente afectados. Sony no ha confirmado.
Un ataque a la cadena de suministro comprometió Trivy, el scanner de seguridad open-source más usado en DevSecOps. 75 tags de GitHub secuestrados, Docker images maliciosas, worm y Kubernetes wiper.
Un hacktivist robó 93 GB de P3 Global Intel — la plataforma de tips de Crime Stoppers — exponiendo casi 4 décadas de informantes 'anónimos'. Nombres, datos, todo.
Un ataque ransomware paralizó todos los servicios de Foster City, California en marzo 2026. Qué pasó, por qué los gobiernos locales son el blanco favorito y cómo proteger tu organización.
Un ataque ransomware a Marquis, proveedor fintech de cientos de bancos en Texas, robó SSNs y datos financieros de 672,075 personas. La brecha silenciosa que duró meses.
Hackers accedieron a Navia durante 24 días (dic 2025 - ene 2026) robando SSNs y datos de salud de 2.7M personas. El Estado de Washington entre las víctimas.
Un breach por phishing comprometió a Intuitive Surgical, fabricante del robot da Vinci. Qué pasó, cómo funcionó el ataque y cómo proteger tu empresa hoy.
El grupo Interlock explotó CVE-2026-20131 (CVSS 10.0) en Cisco FMC 36 días antes del parche. Descubre si tu red está comprometida y cómo actuar ahora.
DarkSword, el exploit iOS de cadena completa activo desde noviembre 2025, roba credenciales y crypto con solo visitar una web. Actualiza a iOS 26.3.1 ahora.
ShinyHunters robó 1 petabyte de Telus Digital en marzo 2026 con credenciales GCP robadas. Qué pasó y cómo proteger tu empresa ahora.
Reading about security is good. Getting your app tested is better. Start with a Pre-Launch Check for just $29.
Get a Security Scan