Security News
Afternoon Brief
Today's security news highlights critical vulnerabilities, widespread data breaches, and ongoing supply chain attacks. Cisco has patched a critical flaw in Unified CM with public exploit code, while multiple organizations, including DentaQuest and the UN World Food Programme, have disclosed significant data breaches affecting millions.
- Cisco Patches Critical Unified CM Flaw with Public Exploit — Cisco has released patches for CVE-2026-20230, a critical server-side request forgery vulnerability in Unified Communications Manager that allows unauthenticated attackers to gain root privileges, with public exploit code already available.
- DentaQuest Data Breach Exposes 2.6 Million Accounts — Dental benefits administrator DentaQuest has reported a data breach that exposed sensitive information belonging to 2.6 million accounts.
- UN Food Agency Discloses Breach Affecting 600,000 Gaza Households — The United Nations' World Food Programme (WFP) revealed a breach of its self-registration application for Palestine, impacting 600,000 households in Gaza.
- New IronWorm Malware Hits 36 npm Packages in Supply-Chain Attack — A new supply-chain attack has infected 36 packages on the Node Package Manager (npm) index with infostealer malware dubbed IronWorm.
- Claude Code GitHub Action Flaw Allowed Repository Hijacking — A security researcher discovered a flaw in Anthropic's Claude Code GitHub Action that could allow an attacker to take over vulnerable public repositories via a single opened GitHub issue.
- Mirasvit Vulnerability Exploited to Execute Code on Magento Servers — A flaw in the Mirasvit Full Page Cache Warmer extension (CVE-2026-45247) is being actively exploited to execute code on Magento servers without authentication.
- VS Code Vulnerability Allows One-Click GitHub Token Theft — A researcher has disclosed a vulnerability in VS Code that could allow one-click GitHub token theft, and released a PoC without prior notification to Microsoft.
- FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads — A malvertising campaign, "Operation FlutterBridge," is distributing a new backdoor called FlutterShell to macOS users through malicious Google and YouTube ads.