
Gogs patches critical zero-day enabling remote code execution

Gogs has patched a critical security zero-day flaw that can allow attackers to compromise Internet-facing instances and access any repositories (including private ones).

This argument injection vulnerability has yet to be assigned a CVE ID. It can be exploited only by authenticated attackers, though no admin privileges are needed, and it affects all Gogs releases up to and including 0.14.2 and 0.15.0+dev.

Attackers can exploit this vulnerability to compromise the targeted server, read any repository (including private repos), steal credentials, move laterally to other systems on the network, and alter any hosted source code.

Quantum Space to go public in SPAC deal

WASHINGTON — Quantum Space, a company led by a former NASA administrator that is developing highly maneuverable spacecraft for national security missions, will go public by merging with a special purpose acquisition company, or SPAC.

Quantum Space announced June 8 that it will merge with Inflection Point Acquisition Corp. VI, a SPAC traded on the Nasdaq exchange. The companies expect the deal to close in the fourth quarter, with Quantum Space then trading on the Nasdaq under the ticker symbol QSPC.

The deal includes a $300 million investment, known as a private investment in public equity, or PIPE, by Inflection Point into Quantum Space. The SPAC also has $253 million in trust that would go to Quantum Space, assuming none of its shareholders redeem their shares. The deal would value Quantum Space at more than $1.1 billion if there are no SPAC redemptions.

Hackers Exploit Critical Everest Forms Pro WordPress Plugin Flaw to Take Over Sites

Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise.

The vulnerability in question is CVE-2026-3300 (CVSS score: 9.8), a remote code execution bug impacting all versions of the plugin up to, and including, 1.9.12. A patch for the flaw was released on March 18, 2026, with version 1.9.13.

“This is due to the Calculation Addon’s process_filter function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval,” Wordfence said.
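The pattern Wordfence describes, building a PHP string from form values and handing it to eval, is illustrated below with a hardened alternative. This is constructed example code added here, not the plugin's own; it assumes PHP 8, and the function and class names are invented for the illustration.

```php
<?php
// Added illustration for the Everest Forms Pro advisory: constructed code, not the
// plugin's own (assumes PHP 8). Instead of eval('return ' . $code . ';') on a string
// built from form values, only numbers are substituted and a tiny parser evaluates them.
final class SafeCalc {
    private const PREC = ['+' => 1, '-' => 1, '*' => 2, '/' => 2];
    private function __construct(private array $tok, private int $pos = 0) {}
    public static function evaluate(string $expr): float {
        $clean = preg_replace('/\s+/', '', $expr);
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $clean, $m);   // allow-listed tokens only
        if (implode('', $m[0]) !== $clean) throw new InvalidArgumentException('illegal character');
        $p = new self($m[0]);
        $v = $p->expr();
        if ($p->pos !== count($p->tok)) throw new InvalidArgumentException('trailing input');
        return $v;
    }
    private function expr(int $minPrec = 1): float {               // binary operators by precedence
        $v = $this->factor();
        while (($op = $this->tok[$this->pos] ?? null) !== null && (self::PREC[$op] ?? 0) >= $minPrec) {
            $this->pos++;
            $r = $this->expr(self::PREC[$op] + 1);
            if ($op === '/' && $r == 0.0) throw new DomainException('division by zero');
            $v = match ($op) { '+' => $v + $r, '-' => $v - $r, '*' => $v * $r, '/' => $v / $r };
        }
        return $v;
    }
    private function factor(): float {                             // number | '-' factor | '(' expr ')'
        $t = $this->tok[$this->pos++] ?? throw new InvalidArgumentException('unexpected end');
        if ($t === '-') return -$this->factor();
        if ($t === '(') {
            $v = $this->expr();
            if (($this->tok[$this->pos++] ?? null) !== ')') throw new InvalidArgumentException('missing )');
            return $v;
        }
        return is_numeric($t) ? (float) $t : throw new InvalidArgumentException("bad token $t");
    }
}
// Substitute {field} placeholders in an admin-defined formula; reject anything that is not a number.
function calc_safe(string $formula, array $fields): float {
    $expr = preg_replace_callback('/\{(\w+)\}/', function ($m) use ($fields) {
        $v = $fields[$m[1]] ?? null;
        if (!is_numeric($v)) throw new InvalidArgumentException("field {$m[1]} is not numeric");
        return '(' . number_format((float) $v, 6, '.', '') . ')';  // a number literal, never code
    }, $formula);
    return SafeCalc::evaluate($expr);
}
$fields = ['qty' => '3', 'price' => '4.5'];                        // constructed sample submission
echo calc_safe('{qty} * ({price} + 1)', $fields), PHP_EOL;
try { calc_safe('{qty} * {price}', ['qty' => '3', 'price' => 'not a number']); }
catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), PHP_EOL; }
```

Because submitted values are coerced to numeric literals and the parser accepts nothing but arithmetic, a value containing PHP syntax is rejected rather than executed.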

Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited — No Patch Available

“A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system,” Cisco said in an advisory.

The network security company said the vulnerability is the result of insufficient validation of user-supplied input, which an attacker could exploit by uploading a crafted file to the affected system. This, in turn, could permit the attacker to perform command injection attacks and elevate their privileges as the root user.

“To exploit this vulnerability, the attacker must have netadmin privileges on the affected system,” Cisco added. “This would require valid credentials or exploitation of CVE-2026-20182 or CVE-2026-20127. Cisco is not aware of successful exploitation by other methods.”

Suspicious Polyfill login prompts pop up on Toshiba, Muji websites

Tech giant Toshiba and mega-retailer Muji warned visitors that suspicious sign-in screens popping up on their websites could collect credentials.

Both Japanese companies advised users who entered their account login data in the authentication screens to change their passwords to access the service.

The login pop-ups were generated by the external service hosted at polyfill[.]io, which in 2024 introduced malicious code in scripts delivered by its CDN.

New ‘HTTP/2 Bomb’ DoS attack crashes web servers in under a minute

A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds.

The technique works on default HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

Discovered by OpenAI’s Codex software agent under the guidance of researchers at offensive security firm Calif, HTTP/2 Bomb combines two previously known HTTP/2 DoS methods: the HPACK compression amplification and Slowloris-style resource retention via HTTP/2 flow-control stalling.

Acer working to patch max severity zero-days in Wave 7 routers

Acer confirmed that it’s working to address two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers.

According to a Friday security advisory, the two security flaws were reported by security researcher Gergo Pap and affect Wave 7 routers running firmware version T7c_GBL_1.01.000055 or earlier.

The first zero-day, a broken access control vulnerability tracked as CVE-2026-49200, can allow unauthenticated attackers to remotely access plaintext credentials stored in log archives.

Google adds Android protection against AI deepfake scam calls

Google is introducing a new Android security feature that will detect and flag phone calls in which scammers use artificial intelligence to impersonate a user’s personal contacts.

Called “fake call detection,” the feature is rolling out globally this month to Android 12 and later devices, starting with Pixel devices, and will be enabled by default.

Once activated, it works automatically when both a caller and recipient are using Phone by Google: when a contact places a call, their device sends a silent, encrypted confirmation signal to the recipient’s device in real time.
