Apache Solr's auth setup tool silently installs four accounts with passwords identical to their usernames. CVSS 9.8 Critical, no patch released yet. Affects 12,000+ organizations.
An actively exploited authentication bypass in PAN-OS GlobalProtect lets unauthenticated attackers establish VPN connections. CISA KEV listed with a 3-day remediation deadline.
A critical use-after-free in Chrome's Dawn WebGPU implementation could allow remote code execution. Part of a 151-vulnerability Chrome 148 update with 22 critical flaws across Dawn, WebGL, and ANGLE.
A researcher dropped six Windows zero-days since early April and got banned from GitHub and GitLab. Three exploits remain unpatched. A practical triage checklist for defenders.
A Host header injection in Starlette bypasses path-based auth middleware. Affects FastAPI, vLLM, LiteLLM, MCP servers, and thousands of AI infrastructure services.
A maximum-severity authentication bypass in Cisco Secure Workload (CVSS 10.0) lets unauthenticated attackers gain Site Admin access via an internal REST API. Identify instances on your network using RECON.
A critical zero-day in Fortinet's endpoint management server has been actively exploited since late March. Walk through identifying FortiClient EMS instances using RECON.