Security news.
Today's security landscape is dominated by active exploitation of critical vulnerabilities across WordPress plugins, web servers, and development tools, alongside major breaches affecting hundreds of thousands of users. Attackers are leveraging zero-days and known flaws with increasing speed, while AI-driven exploitation timelines continue to compress the window for patching.
Critical Kirki WordPress Plugin Flaw (CVE-2026-8206) Actively Exploited
Hackers are exploiting a privilege escalation vulnerability in the Kirki plugin to take over WordPress admin accounts and hijack websites.
VS Code Zero-Day Steals GitHub Tokens via Malicious Links
A Visual Studio Code vulnerability allows attackers to steal GitHub authentication tokens by tricking users into clicking a link, with exploit code now public.
HTTP/2 Bomb DoS Affects NGINX, Apache, IIS, Envoy, and Cloudflare
A new remote denial-of-service exploit chains compression bombs with Slowloris-style attacks to knock major web servers offline in seconds using default configurations.
WeedHack Malware Campaign Infects 116,000+ Minecraft Systems
A large-scale malware-as-a-service campaign targeting Minecraft players via YouTube has infected over 116,000 systems since January 2026.
Global Stock Exchange Hit by Monthslong Email Espionage Campaign
Threat actors maintained access to a senior executive's email account for 150 days, exfiltrating sensitive data through native Windows tools.
IMA Diligence Services Data Breach Impacts 525,000 People
Personal information for 525,000 individuals was stolen from a legacy server managed by a third party.
Acer Wave 7 Routers Vulnerable to Maximum-Severity Zero-Days
Acer is working to patch two maximum-severity zero-day vulnerabilities affecting its Wave 7 mesh routers.
Hackers Exploit Meta's AI Support Bot to Seize High-Profile Instagram Accounts
The Obama White House and U.S. Space Force accounts were briefly defaced after attackers tricked Meta's AI assistant into resetting passwords.