Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

CVE-2026-27577 is a code injection flaw in n8n, an open-source workflow automation platform, that lets an authenticated user with permission to create or modify workflows run system commands on the host through crafted workflow expressions. The vulnerability carries a CVSS base score of 9.4 (Critical). Exploitation requires authentication, but only the level of access needed to build or edit a workflow, which is a routine privilege for many users of the platform.

A newly disclosed zero day vulnerability, known as RoguePlanet, affects Microsoft Defender on fully patched Windows 10 and Windows 11 systems. The issue was publicly released in June 2026 by a researcher known as Nightmare Eclipse, who has published several Windows related exploits in recent months.

An attacker republished the entire @mastra npm scope on June 17, 2026, slipping a single malicious dependency into 143 packages and counting, including @mastra/core, which pulls roughly 4 million downloads a month and has hundreds of dependent projects. The injected dependency, easy-day-js, is a dayjs lookalike whose install hook disables TLS verification, downloads a second-stage payload from a raw IP address, and runs a cross-platform cryptocurrency stealer in the background.

I've spent the better part of three years wiring AI into how my teams build and ship software. So when the news broke this week that the US government had effectively switched off an AI model, I was legitimately shocked. Not for one country. Not for one company. For everyone on the planet, all at once. Three days. That's how long Anthropic's Fable 5 and Mythos 5 models were available before the government ordered them shut off for everyone.

CVE-2026-53721 is a route-rule middleware bypass in Nuxt, the open-source web development framework for Vue.js. It stems from a case-sensitivity mismatch between vue-router and the framework’s routeRules matcher, which lets an attacker reach a protected route by varying the casing of the request path. The vulnerability carries a CVSS v4.0 base score of 8.8 (High). Exploitation is pre-authentication and requires no user interaction.

CVE-2026-49975 is a memory exhaustion vulnerability in the mod_http2 module of Apache HTTP Server that allows a remote attacker to cause a denial of service through maliciously crafted HTTP/2 requests. It is classified as CWE-789, Memory Allocation with Excessive Size Value, and was publicly disclosed as part of an attack technique nicknamed the “HTTP/2 Bomb.” The vulnerability carries a CVSS v3.1 base score of 7.5 (High).

On the evening of June 12, 2026, Anthropic disabled access to two of its newest models, Claude Fable 5 and Claude Mythos 5, for every customer worldwide. The company did not do this because of an outage or a self-discovered flaw. It did it to comply with a US government export-control directive, received at 5:21 PM ET that day, citing national security authorities.

Magento and Adobe Commerce environments often rely on third-party extensions to extend functionality and improve performance. However, these extensions can also introduce security risks that exist outside the core platform. CVE-2026-45247 is a recent example of how vulnerabilities in third-party Magento extensions can create severe security risks.