
Tag: vulnerability (4 articles)

The HTTP/2 'Bomb' Flaw Hitting NGINX, Apache and Friends — And What To Actually Do About It

A newly discovered vulnerability in the HTTP/2 protocol, dubbed the "HTTP/2 Bomb," allows attackers to launch remote Denial-of-Service (DoS) attacks against widely used web servers and services, including NGINX, Apache, IIS, Envoy, and Cloudflare. The attack exploits weaknesses in how HTTP/2 handles certain requests, overwhelming servers with minimal effort from the attacker. Organizations are advised to take proactive steps to secure their systems against such vulnerabilities, particularly as AI is increasingly being used to discover and exploit security flaws.

3 Jun 2026

Unpatched RCE Flaw in Gogs Has a Metasploit Module and Zero Response From Maintainers

A critical remote code execution vulnerability (CVSS 9.4) has been discovered in Gogs, a popular open-source self-hosted Git service, allowing any authenticated user to fully compromise servers, steal credentials, or tamper with code repositories. Rapid7 researcher Jonah Burgess reported the flaw to Gogs maintainers in March 2026, but despite initial acknowledgement, they have not responded since and no patch exists, while a public Metasploit exploit module has now been released. Users are advised to disable open registration, restrict repository creation, and turn off the "Rebase before merging" setting as interim mitigations until an official fix is available.

1 Jun 2026

Cisco's Latest Perfect 10: Secure Workload Flaw Hands Attackers Admin Privileges for Free

Cisco has disclosed a maximum severity (CVSS 10.0) vulnerability, CVE-2026-20223, in its Secure Workload platform, which allows unauthenticated attackers to gain Site Admin privileges by sending crafted API requests to poorly validated internal REST API endpoints. A successful exploit could enable attackers to read sensitive data and make configuration changes across tenant boundaries, affecting both SaaS and on-premises deployments. Cisco says no workarounds exist, fixed versions have been released, and cloud-hosted deployments have already been patched, though the flaw marks another in a growing string of perfect-10 vulnerabilities from the networking giant.

27 May 2026

Nine-Year-Old Linux Kernel Bug Quietly Handed Root Access to Anyone Who Asked

A security flaw sitting undetected in the Linux kernel for nine years has been found to allow unprivileged users to execute commands as root on a wide range of major distributions.

22 May 2026