Gene Therapy for Parkinson’s Disease Associated with GBA1 Mutations

Abeliovich et al. make a compelling case for the promise of using gene therapy to treat Parkinson’s disease (PD) patients who possess mutations in the GBA1 gene. People interested in the clinical-translational side of biomedicine should definitely check this out!

Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access

According to Rapid7, which discovered CVE-2026-20182, the flaw is closely related to CVE-2026-20127 (CVSS score: 10.0), another critical authentication bypass affecting the same component. The latter is said to have been exploited by a threat actor called UAT-8616 since at least 2023.

“This new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127,” Rapid7 researchers Jonah Burgess and Stephen Fewer said. “The new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the ‘vdaemon’ networking stack.”

That said, the end result is the same: a remote unauthenticated attacker can abuse CVE-2026-20182 to become an authenticated peer of the target appliance and carry out privileged operations.

New Fragnesia Linux flaw lets attackers gain root privileges

Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability that allows attackers to run malicious code as root.

Known as Fragnasia and tracked as CVE-2026-46300, this security flaw stems from a logic bug in the Linux XFRM ESP-in-TCP subsystem that can enable unprivileged local attackers to gain root privileges by writing arbitrary bytes to the kernel page cache of read-only files.

Zellic’s head of assurance, William Bowling, who discovered this new universal local privilege escalation flaw, also shared a proof-of-concept (PoC) exploit. The PoC achieves a memory-write primitive in the kernel, which is used to corrupt the page cache memory of the /usr/bin/su binary and obtain a root shell on vulnerable systems.

Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin

Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites.

Burst Statistics is a privacy-focused analytics plugin active on 200,000 WordPress sites and marketed as a lightweight alternative to Google Analytics.

The flaw, tracked as CVE-2026-8181, was introduced on April 23 with the release of version 3.4.0 of the plugin. The vulnerable code was also present in the following iteration, version 3.4.1.

OpenAI confirms security breach in TanStack supply chain attack

OpenAI says two employees’ devices were breached in the recent TanStack supply chain attack that impacted hundreds of npm and PyPI packages, causing the company to rotate code-signing certificates for its applications as a precaution.

In a security advisory published today, the company said the incident did not impact customer data, production systems, intellectual property, or deployed software.

The company says the breach is linked to the recent “Mini Shai-Hulud” supply-chain campaign by the TeamPCP extortion gang, which targeted developers by slipping malicious updates into trusted and popular software packages.

Cost-Effectiveness of Thrombectomy With or Without Alteplase in Large Vessel Occlusion Stroke: A Meta-Analysis Considering Time-to-Treatment

New critical Exim mailer flaw allows remote code execution

A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code.

Identified as CVE-2026-45185, the security issue impacts some Exim versions before 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication. It is a use-after-free (UAF) flaw triggered during TLS shutdown while handling BDAT chunked SMTP traffic.

Exim frees a TLS transfer buffer but later continues using stale callback references that can write data into the freed memory region, which can lead to unauthenticated remote code execution (RCE).