Security news.
Today's security brief highlights significant breaches and critical vulnerabilities, with GitHub and Grafana confirming incidents stemming from supply chain attacks and compromised credentials. Microsoft has also released mitigations for a BitLocker zero-day, while CISA added seven actively exploited vulnerabilities to its catalog, underscoring the persistent threat landscape.
Critical Flaw in OT Robot OS Gives Attackers Control
A critical command injection vulnerability in an OT Robot OS allows unauthenticated attackers remote access, potentially causing significant disruption.
Max-severity flaw in ChromaDB for AI apps allows server hijacking
A critical vulnerability in the latest Python FastAPI version of ChromaDB allows unauthenticated attackers to execute arbitrary code on exposed servers.
Drupal critical update to fix bug with high exploitation risk
Drupal has announced a critical core security release, warning that exploits could emerge within hours of the update's disclosure.
CISA Adds Seven Known Exploited Vulnerabilities to Catalog
CISA has added seven new vulnerabilities, including older Microsoft and Adobe flaws, to its KEV Catalog based on evidence of active exploitation.
Exploit released for new PinTheft Arch Linux root escalation flaw
A public proof-of-concept exploit is now available for PinTheft, a recently patched Linux privilege escalation vulnerability, allowing local attackers to gain root privileges on Arch Linux systems.
GitHub Confirms Hack Impacting 3,800 Internal Repositories
GitHub confirmed that the TeamPCP hacking group accessed 3,800 internal repositories after an employee installed a malicious VS Code extension.
Grafana breach caused by missed token rotation after TanStack attack
The Grafana data breach was attributed to a single GitHub workflow token that was not rotated following the TanStack npm supply-chain attack.
Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass
Microsoft has released mitigations for the "YellowKey" BitLocker bypass vulnerability (CVE-2026-45585), preventing the FsTx Auto Recovery Utility from starting during WinRE image launch.