Cybersecurity
CVE-2026-8024, a critical (CVSS 9.8) deserialization-of-untrusted-data vulnerability in iba's ibaPDA and ibaDatCoordinator, can be exploited by a remote, unauthenticated attacker, according to the National Vulnerability Database and a CERT@VDE advisory.
Cybersecurity
CVE-2026-54390, a critical (CVSS 9.8) server-side template injection flaw in JTL Shop 5.2.0–5.7.1, lets unauthenticated attackers read server secrets and, on 5.4.0–5.7.1, write a webshell to the web root.
Cybersecurity
Two CrowdStrike applications published this week, set against a year of related filings, point the company's R&D away from flagging threats and toward letting machine-learning agents act on them, while a parallel cluster works the cost of being wrong.
Cybersecurity
AMD's AI Tensor Engine for ROCm deserializes attacker-supplied pickle payloads from an unauthenticated ZeroMQ socket, letting one crafted message execute code simultaneously across every reader worker in a cluster.
Cybersecurity
A CVSS 9.6 flaw in transformers 5.2.0 let an untrusted config.json override the very setting meant to block remote code execution, turning AutoModel.from_pretrained into a code-execution primitive.
Cybersecurity
A use-after-free in Chrome's FileSystem component, fixed in 149.0.7827.53, could let a malicious web page potentially escape the renderer sandbox — the boundary that is supposed to contain hostile JavaScript.
Cybersecurity
A CVSS 9.1 memory-corruption-and-disclosure flaw in Netty's Oblivious HTTP codec only triggers when the JVM is hardened against sun.misc.Unsafe — a configuration security teams often choose on purpose.
Cybersecurity
A CVSS 9.1 flaw in the Capsule multi-tenancy framework let a tenant owner borrow the controller's cluster-admin privileges to create cluster-scoped objects they could never create directly, breaking the wall between Kubernetes tenants.
Cybersecurity
CVE-2026-10611 carries the maximum CVSS base score of 10.0. In MISP deployments that pair LDAP authentication with mandatory one-time passwords, a user with valid primary credentials could walk straight past the OTP challenge.
Cybersecurity
CVE-2026-46483 let a crafted .tgz archive filename inject shell commands through Vim's tar plugin because shellescape() was called without the {special} flag. NVD scores it 3.6 Low.
Cybersecurity
CVE-2026-45736 lets ws leak uninitialized process memory when a TypedArray is passed as the close() reason. NVD scores it 4.4 Medium, but the class deserves attention.
Cybersecurity
CVE-2026-6228 lets an attacker self-register, craft an edit_user form, and assign themselves the administrator role because the plugin never checks who may grant it. NVD scores it 8.8 High.
Cybersecurity
CVE-2026-41702 lets a local non-admin user win a time-of-check/time-of-use race inside a VMware Fusion SETUID binary and escalate to root. NVD scores it 7.8 High.
Cybersecurity
CVE-2026-46508 let a malicious monorepo execute shell commands through the Turborepo LSP VS Code extension's string-based command building. NVD scores it 7.8; the vendor advisory 8.4.
Cybersecurity
A registered protocol handler in the Tabby terminal emulator ran arbitrary OS commands with no confirmation, turning any malicious link into one-click RCE. NVD scores it 8.8; the GitHub advisory rates it 9.4 Critical.
Cybersecurity
CVE-2026-35273 lets an unauthenticated attacker take over Oracle PeopleSoft Enterprise PeopleTools. CISA added it to the Known Exploited Vulnerabilities catalog with a 'known ransomware' tag and a same-day federal remediation deadline.
Cybersecurity
Net retention, calculated billings, RPO, operating cash flow. Each pure-play leans on a different headline metric — and each one is defined in a filing.
Cybersecurity
The single metric the market watches most on CrowdStrike is also the one most people quote without reading its filed definition. The 10-Q spells it out.
Cybersecurity
CSPM is one of the fastest-growing line items in cloud security budgets. A 2026 grant explains the mechanism behind the category in plain terms.
Cybersecurity
CrowdStrike's filings make one thing structurally clear before any single quarter's number: the company is its Falcon subscription, and the 10-Q says so.
Cybersecurity
Zscaler's latest 10-Q shows a $120.5M drop in receivables and a $90M rise in deferred revenue. The working-capital plumbing tells its own story.
Cybersecurity
Calculated billings is the number traders reach for first on Zscaler. The 10-K explains exactly how multi-year deals can inflate it — and starve a later quarter.
Cybersecurity
Okta's proxy puts remaining performance obligations at $4.827 billion, up 15%. RPO is the metric the market most often misreads — here's what the number contains.
Cybersecurity
DLP is the technology meant to stop sensitive data from walking out the door. Two recent grants show how the inspection actually happens — including for video.
