Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

LiteLLM, a widely deployed open-source AI gateway, is affected by a critical exploit chain that allows unauthenticated attackers to execute arbitrary commands on vulnerable hosts. CISA added CVE-2026-42271 to its Known Exploited Vulnerabilities (KEV) catalog on June 9, 2026, confirming active exploitation in the wild. The Qilin ransomware group has been linked to exploitation activity. What makes this especially dangerous is the chain: CVE-2026-42271 on its own required a valid API key.

Oracle has disclosed CVE-2026-35273, a critical vulnerability in PeopleSoft Enterprise PeopleTools that has already been exploited by threat actors. The vulnerability allows unauthenticated attackers to remotely compromise vulnerable systems and potentially achieve remote code execution, putting exposed PeopleSoft environments at immediate risk. What makes this vulnerability especially concerning is that attackers exploited it as a zero-day before Oracle released a patch.

CERT-In just published a risk-based remediation framework that resets expectations for every organisation operating in India. The timelines are worth reading twice: Now consider one question: if a known exploited vulnerability appeared on your internet-facing application at 11pm tonight, what would your team do in the next 12 hours?

Magento and Adobe Commerce environments often rely on third-party extensions to extend functionality and improve performance. However, these extensions can also introduce security risks that exist outside the core platform. CVE-2026-45247 is a recent example of how vulnerabilities in third-party Magento extensions can create severe security risks.

A web application firewall is a security software that observes and filters HTTP/HTTPS traffic between a web application and the internet. While this has been available for decades, with the evolution of the threat landscape, WAFs have also added additional capabilities to protect not only web apps but also APIs against a range of attacks, including DDoS and bot attacks. So, the category has evolved and is currently called Web Application and API Protection (WAAP).

Banking & Financial Services (BFS) firms are shouldering a uniquely heavy share of the global threat load. The newly released Indusface State of Application Security 2026 study paints a stark picture: Why the laser focuses on finance? Strict regulations mean banks generally run strong perimeters, so adversaries pivot to bots, API abuse, and nuanced business-logic exploits that slip past ‘default’ defenses.

NGINX administrators are facing back-to-back emergency patch cycles. Within days of each other, two critical heap buffer overflow vulnerabilities were disclosed in the same NGINX component, both capable of crashing worker processes and enabling remote code execution on systems without ASLR. If your organization runs NGINX in any capacity, these need immediate attention.

A highly critical SQL injection vulnerability in Drupal core has raised concerns across organizations running PostgreSQL-backed Drupal environments. Tracked as CVE-2026-9082, the vulnerability affects Drupal’s database abstraction layer and can be exploited remotely without authentication. The vulnerability was disclosed through Drupal security advisory SA-CORE-2026-004 on May 20, 2026. CVE-2026-9082 is now under active exploitation.

A high-severity vulnerability in Next.js allows attackers to bypass middleware-based authorization controls in App Router applications through specially crafted.rsc and segment-prefetch requests. Tracked as CVE-2026-44575, the vulnerability can expose protected pages and sensitive application content without triggering the intended authentication or access control checks.

Your database is one apostrophe away from a breach. SQL injection has been the most common web vulnerability for three consecutive years. The 2025 Verizon DBIR reports it contributed to 12% of all data breaches, up from 9% the year before. In December 2024, a PostgreSQL SQL injection zero-day gave state-sponsored attackers a path into the US Treasury. In 2023, a single campaign used it to steal 2 million job seeker records across 65 websites in one month. The fix has been known for two decades.