Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Google patched a critical 'Gemini CLI' bug that let attackers run code on developer machines through CI pipelines (CVSS 10.0)

Google patched a critical flaw in Gemini CLI, the command-line tool developers use to interact with Gemini models from CI pipelines and dev workstations. CVSS 10.0. The bug let an attacker execute arbitrary code on the developer's machine by feeding crafted input to the CLI - specifically through the same pattern that compromised LiteLLM and several other AI tools recently. A separate but related set of flaws in Cursor, the AI-powered IDE, also enables code execution. The pattern across all these AI dev tools is the same: input validation gaps where attacker-controlled prompts or model output reach a shell or code execution path.

Check
Upgrade Gemini CLI on every developer machine and CI runner today, and update Cursor to the latest version through the in-app updater.
Affected
Developers and CI/CD pipelines using Gemini CLI before the May 2026 patch. Cursor IDE users on versions before the recent security release. The broader pattern affects every AI command-line tool and IDE extension that processes untrusted input - LiteLLM, LMDeploy, MCP servers, Anthropic's MCP STDIO design, and the npm @validate-sdk/v2 trojan share the same root cause.
Fix
Upgrade Gemini CLI and confirm via 'gemini --version'. Update Cursor through the in-app updater. For CI pipelines, pin Gemini CLI version and rebuild base images. Treat all AI CLI tools as code execution surfaces and run them in sandboxed environments. Audit for any unusual outbound connections from dev machines or CI runners that ran Gemini CLI in the past month.

GitHub patched a flaw in March that let any developer take over millions of repos with a single 'git push' - 88% of self-hosted GitHub Enterprise Servers still haven't installed the fix (CVE-2026-3854)

Update on the GitHub flaw covered yesterday: Wiz, who found the bug, published its full disclosure showing 88% of self-hosted GitHub Enterprise Servers were still unpatched at public disclosure on April 28. The bug let any user with push access to one repository run code on the GitHub server itself with a single 'git push'. On GitHub.com, the same bug exposed millions of public and private repositories belonging to other users sharing the same storage node. GitHub.com was patched within 75 minutes, but Enterprise Server installs need patching manually. Wiz found the bug using AI-augmented reverse engineering on closed-source GitHub binaries.

Check
If you run a self-hosted GitHub Enterprise Server, check today whether you're on a patched version and upgrade if not.
Affected
Self-hosted GitHub Enterprise Server instances on versions before the March 2026 patches. CVSS 8.7. Wiz data shows 88% of GHES instances were unpatched at disclosure. The bug needs push access to any repository, including one the attacker creates themselves. GitHub.com and Enterprise Cloud variants are already patched.
Fix
Upgrade to GHES 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4, 3.20.0, or later. Audit /var/log/github-audit.log for push operations with semicolons or unusual special characters in push option values - that's the exploit signature. Until patched, restrict push access and remove unnecessary repository creators.

AI security tool finds 38 previously unknown bugs in OpenEMR, the open-source health records system used by 100,000 healthcare providers - two of them rated maximum severity

Aisle, an AI-driven application security firm, ran its analyzer over OpenEMR's source code and found 38 previously unknown vulnerabilities, including two with maximum severity (CVSS 10.0). OpenEMR is the open-source electronic health records system used by 100,000 healthcare providers serving 200 million patients. The two critical bugs let attackers reach into patient databases without logging in: CVE-2026-24898 lets any unauthenticated visitor receive the medical practice's API tokens by sending a single POST request, and CVE-2026-24908 is a SQL injection in the patient REST API. OpenEMR has now patched all 38.

Check
If your organization runs OpenEMR, upgrade to the latest patched build today and audit access logs for unauthenticated POST requests to MedEx recall/reminder endpoints.
Affected
OpenEMR deployments before the April 2026 security update. Particularly acute for any internet-reachable instance because CVE-2026-24898 is unauthenticated. The 100,000 OpenEMR healthcare providers are typically smaller US clinics and under-resourced settings worldwide - the segments least likely to have a fast patching process.
Fix
Upgrade OpenEMR to the latest 8.x patched release. Audit application logs for any POST to the MedEx recall/reminder endpoint and for unusual _sort parameter values in the patient REST API - those are the exploit signatures. Restrict OpenEMR's admin and API endpoints to internal management networks. Rotate API tokens issued before the patch was applied since they may have been exposed via CVE-2026-24898.

9-year-old Linux kernel bug 'Copy Fail' lets any user with shell access become root in seconds - works on every major distribution since 2017 (CVE-2026-31431)

Researchers at Theori and Xint disclosed Copy Fail yesterday, a Linux kernel bug introduced in 2017 that lets any unprivileged user with shell access become root in seconds. The exploit is a 732-byte Python script that works without version-specific tweaks on every major Linux distribution since 2017 - Ubuntu, Amazon Linux, RHEL, SUSE. Unlike previous kernel bugs (Dirty Cow, Dirty Pipe), Copy Fail has no race condition and no per-kernel offsets. It also leaves no trace on disk because it only modifies the in-memory page cache. The bug was found using AI-assisted reverse engineering and has been hiding in the open for nearly nine years.

Check
Update the kernel on every Linux server, container host, and CI runner you operate today, especially anything that runs untrusted code or hosts multiple tenants.
Affected
Every Linux distribution since 2017 with kernel 4.14 or later. CVE-2026-31431, CVSS 7.8. Acute risk: shared-kernel multi-tenant environments (Kubernetes nodes, Docker hosts), CI/CD runners that execute untrusted PR code (GitHub Actions self-hosted, GitLab runners, Jenkins agents), notebook hosts, and anything using Linux containers as a security boundary. Firecracker microVMs and gVisor are not affected.
Fix
Apply the kernel update from your distribution that includes commit a664bf3d603d. Until patched, blacklist the algif_aead module: 'echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf' then 'rmmod algif_aead'. The disable does not break dm-crypt, kTLS, IPsec, or SSH. For multi-tenant Kubernetes clusters, treat container boundaries as broken until patched.

SonicWall patches three SonicOS firewall flaws after CrowdStrike disclosed them - the worst lets attackers reach the management interface without logging in (CVE-2026-0204)

SonicWall released emergency firmware updates for Gen 6, Gen 7, and Gen 8 firewalls after CrowdStrike's research team disclosed three SonicOS flaws on April 29. The worst is CVE-2026-0204 (CVSS 8.0), a weak authentication bug in the management interface that lets an attacker on an adjacent network reach management functions without logging in - and from there change firewall rules, disable security protections, or open new holes. The other two are post-authentication: CVE-2026-0205 is a path traversal that breaks out of restricted directories, and CVE-2026-0206 is a buffer overflow that crashes the firewall. No public exploits yet.

Check
Patch every SonicWall Gen 6, Gen 7, and Gen 8 firewall to the latest firmware today, and confirm no SonicWall management interface or SSL-VPN is reachable from the public internet.
Affected
Gen 6 firewalls (TZ 300/400/500/600, NSA, SM, SOHO) running 6.5.5.1-6n or older. Gen 7 firewalls and NSv (TZ270-TZ670, NSa 2700-6700, NSsp, NSv on ESX/KVM/Hyper-V/AWS/Azure) running 7.0.1-5169 or 7.3.1-7013 or older. Gen 8 (TZ80-TZ680, NSa 2800-5800) running 8.1.0-8017 or older.
Fix
Upgrade to Gen 8 firmware 8.2.0-8009, Gen 7 firmware 7.3.2-7010, or Gen 6 6.5.5.2-28n. Until patched, disable HTTP and HTTPS firewall management on all interfaces, disable SSL-VPN, and restrict management to SSH only from trusted IPs. Take a full configuration backup before upgrading Gen 6 - downgrading from 6.5.5.2-28n deletes all LDAP users and resets MFA.

Hackers raced to exploit a critical LiteLLM flaw 36 hours after disclosure - any attacker who could reach the proxy could read all stored AI API keys (CVE-2026-42208)

LiteLLM, the popular open-source gateway used to centralize API access for OpenAI, Anthropic, and other AI providers, has a critical pre-authentication SQL injection bug that attackers started exploiting just 36 hours after the security advisory went public. The flaw lets anyone who can reach the proxy port read all the API keys stored inside - including master keys, virtual keys, and provider credentials. The bug was in the bearer-token check: the token was concatenated into a SQL query instead of passed as a parameter. Sysdig saw the first attack at 04:24 UTC on April 26, hitting three tables that hold the most valuable secrets.

Check
If you run any internet-facing LiteLLM proxy, patch to v1.83.7-stable today and treat every API key, virtual key, and stored provider credential as compromised.
Affected
LiteLLM versions 1.81.16 through 1.83.6, internet-reachable on the default proxy port. CVE-2026-42208, CVSS 9.3, pre-auth SQL injection. Blast radius is closer to a full cloud account compromise than a typical web app bug because LiteLLM holds OpenAI, Anthropic, and AWS Bedrock credentials.
Fix
Patch to LiteLLM v1.83.7-stable. If you can't upgrade, set 'disable_error_logs: true' under 'general_settings' as a workaround. Rotate every virtual key, master key, and upstream provider credential. Audit upstream provider billing for unexpected API calls since April 24. Block traffic from 65.111.27.132 and 65.111.25.67 (AS200373).

Critical GitHub flaw lets a single 'git push' run code remotely on the server - patched, but most self-hosted GitHub Enterprise instances haven't updated yet (CVE-2026-3854)

Researchers disclosed CVE-2026-3854, a critical GitHub Enterprise Server flaw that lets anyone with push access execute arbitrary commands on the GitHub server with a single git push. The bug is in how Enterprise Server handles repository hooks during push operations - a crafted commit message or filename bypasses the sanitization that normally prevents shell injection. GitHub patched it last week, but self-hosted instances need to apply the patch manually, and telemetry shows most haven't yet. Anyone with developer-level access to a vulnerable Enterprise Server can take over the entire instance, then pivot into every repository and CI/CD secret it hosts.

Check
If you run a self-hosted GitHub Enterprise Server, apply the latest patch this week and review push activity from any low-privilege accounts since the patch was released.
Affected
Self-hosted GitHub Enterprise Server instances on versions before the April 2026 patch. The bug requires push access to any repository, which means every developer with commit rights is a potential entry point. CI/CD secrets, signing keys, and source code are exposed. GitHub.com (the SaaS product) is not affected.
Fix
Upgrade GitHub Enterprise Server to the patched release per GitHub's advisory. Until patched, restrict push access to trusted accounts and require code review on all pushes. Audit Enterprise Server logs for unusual git operations or shell processes spawning from the GitHub system user. Rotate any CI/CD secrets, signing keys, and webhook tokens stored on the server.

Microsoft confirms a Windows Shell flaw that lets attackers spoof anything in File Explorer is being exploited - patch now (CVE-2026-32202)

Microsoft confirmed yesterday that a Windows Shell spoofing flaw, CVE-2026-32202, is being exploited in the wild. The bug lets an attacker craft files that appear in File Explorer with fake names, icons, and paths - so a malicious .exe can show up looking like a benign PDF, leading users to double-click and run it. Microsoft patched the bug in the April 14 Patch Tuesday but only confirmed in-the-wild exploitation on April 28, raising urgency for any environment that hasn't deployed April patches. The flaw is particularly dangerous on shared file servers, USB drops, and email attachments - any path where users trust File Explorer to tell them what's what.

Check
Confirm every Windows endpoint has the April 14 Patch Tuesday update installed, especially any host that opens shared drives, USB drives, or email attachments.
Affected
Windows endpoints without the April 14, 2026 patch installed. CVE-2026-32202 affects all currently supported Windows versions including Windows 10, 11, and Server. Acute risk on hosts that handle external files: receptionists, finance staff opening invoices, IT staff handling user-submitted USB drives, anyone receiving email attachments from outside the organization.
Fix
Deploy the April 14 Patch Tuesday update via your usual patching process, prioritizing user endpoints over servers. Verify deployment with MDM rather than trusting WSUS compliance numbers. Enable 'show file extensions' as a Group Policy default. Re-train staff on file-trust basics this month. Watch for unusual process spawns from explorer.exe.

Microsoft patches Entra ID role flaw that let a low-privileged service account impersonate any service principal in your tenant

Microsoft quietly patched a privilege escalation flaw in Entra ID (formerly Azure AD) that let an attacker with a low-privileged service account take over any service principal in the same tenant - including high-value ones with admin consent grants. The bug was in how Entra ID validated role assignments during certain API calls: the validator checked whether the caller had any role on a service principal but didn't check whether that role authorized the specific action. Microsoft fixed the flaw on the back end, so customers don't need a patch - but the takeover scenario means anyone who exploited it before the fix could have created persistent backdoors via OAuth grants.

Check
Audit your Entra ID tenant this week for unfamiliar service principals, unexpected admin consent grants, and OAuth tokens issued to apps you don't recognize.
Affected
Microsoft Entra ID tenants with multiple service principals where any low-privileged account had role assignments on those service principals. The fix is server-side, so you don't need to apply a patch - but you do need to assume any attacker with foothold access before the fix could have abused this to escalate.
Fix
Run a Microsoft Graph audit on your tenant: list all service principals, OAuth grants, and app role assignments created since January 2026. Investigate any unfamiliar app, any grant from a service account, and any service principal whose roles changed unexpectedly. Revoke and re-issue admin consent for high-privilege apps. Enable audit logging for application registrations.

Hugging Face's LeRobot robotics framework has an unpatched flaw that lets remote attackers run code with no authentication (CVE-2026-25874)

Researchers disclosed a critical unauthenticated remote code execution flaw in Hugging Face's LeRobot, the open-source framework used to train and deploy ML models on physical robots. CVE-2026-25874 sits in the framework's web interface, which by default listens on all network interfaces with no authentication - quick for demos, but a hard fail when the demo box ends up on a corporate network. There is no patch yet. Hugging Face has been notified but hasn't released a fix. Particularly serious because LeRobot is usually attached to actual robotic hardware, so a compromise can mean unsafe physical actions.

Check
If your team uses Hugging Face LeRobot anywhere, take the web interface off any reachable network and bind it to localhost-only until a patch is released.
Affected
All current versions of Hugging Face LeRobot with the web interface enabled. CVE-2026-25874, unauthenticated RCE, no patch available. Acute risk for research labs, robotics startups, and university labs running LeRobot demos where the host has any network reachability. Manufacturing or warehouse environments using LeRobot for production robotics are at the highest risk because compromise can drive physical actions.
Fix
Bind LeRobot's web interface to 127.0.0.1 only and tunnel through SSH for remote access. If localhost-only isn't workable, put the interface behind an authenticated reverse proxy (nginx with basic auth, Cloudflare Access, Tailscale). Block direct internet access to any LeRobot host at the firewall. Watch the LeRobot GitHub for the patch. Don't run LeRobot on the same host as production robotic control systems.