Emerging Threat: (CVE-2026-45185) Exim Remote Code Execution via BDAT over GnuTLS

CVE-2026-45185, nicknamed Dead.Letter, is a use-after-free vulnerability in the BDAT message body parsing path of Exim, the open-source Mail Transfer Agent that runs a large share of the internet's email servers. The flaw lives in the GnuTLS-backed TLS path, where Exim can free its internal transfer buffer during a TLS shutdown while the SMTP state machine still holds a reference to it.

How to Gain Visibility and Reduce Exposure with Aurora Attack Surface Management

This demo will illustrate how Aurora Attack Surface Management builds a continuously updated attack surface inventory, correlates asset and exposure data from multiple sources, and identifies gaps in security controls. It enables prioritization and remediation verification so that organizations can focus on what matters most and effectively drive risk reduction.

The Force Awakens Your Attack Surface

May the 4th be with you. In celebration of Star Wars Day, here's what a galaxy far, far away can teach us about security. The films work surprisingly well as a case study, and not in the obvious way. It's not the lasers, androids or the lightsabers. It's that the Empire and the First Order both fall into the same trap most security programs walk into every day. In this post, we'll walk through what the films get right about modern security challenges, how AI is making them worse, and what to do about it.

Emerging Threat: (CVE-2026-41940) cPanel & WHM Authentication Bypass via CRLF Injection

CVE-2026-41940 is a pre-authentication remote authentication bypass in cPanel and WHM caused by a CRLF (Carriage Return Line Feed) injection in the login and session handling logic. An unauthenticated remote attacker can inject raw \r\n characters into a malicious basic authorization header, which cpsrvd then writes into a session file without sanitization.

Emerging Threat: (CVE-2026-3854) GitHub Enterprise Server RCE via Git Push Injection

CVE-2026-3854 is a command injection vulnerability in GitHub Enterprise Server. It lives in the git push pipeline. User-supplied push option values were not properly sanitized before being embedded in an internal service header. The header format used a delimiter that could also appear in user input. A crafted push option containing that delimiter let an attacker inject additional metadata fields. Downstream services treated those fields as trusted internal values.

Emerging Threat: (CVE-2026-40372) ASP.NET Core Privilege Escalation via Signature Bypass

CVE-2026-40372 is an elevation of privilege vulnerability in ASP.NET Core caused by improper verification of cryptographic signatures in the Data Protection library. The flaw sits in the HMAC validation routine of the managed authenticated encryptor, where a defective comparison lets an attacker submit a forged payload that the application accepts as legitimately signed. The vulnerability carries a CVSS v3.1 base score of 8.1 (Important), as assigned by Microsoft in the official advisory.

How Third-Party Development Partners Become Your Biggest Security Liability

Third-party development partners offer real advantages: faster delivery, specialised expertise, and lower costs than building an in-house team. They also expand your attack surface in ways most organisations never fully account for. When an external team builds or modifies your systems, they bring with them their own tools, practices, access levels, and vulnerabilities. The question is not whether that creates risk. It is whether your organisation is managing it deliberately or leaving it to chance.