Security news.
Today's security news highlights critical vulnerabilities and active exploitation, with CISA urging immediate patching for multiple flaws. AI-related risks are also prominent, ranging from chatbot manipulation to concerns about AI coding assistants generating harmful content. Additionally, a major data breach at a Japanese telecom company and revelations about a cybersecurity startup run by convicted felons underscore ongoing threats and ethical concerns in the industry.
CISA Urges Immediate Patching for Exploited ColdFusion, Langflow, Joomla Flaws
CISA has added critical vulnerabilities in Adobe ColdFusion (CVE-2026-48282), Langflow (CVE-2026-55255), and two Joomla extension flaws (CVE-2026-48908, CVE-2026-56290) to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by July 10.
KDDI Data Breach Impacts Over 12 Million People
Japanese telecommunications giant KDDI reported a data breach exposing email addresses and passwords of over 12 million individuals, stemming from an attack on an email platform used by five internet service providers.
Google Dialogflow CX Bug Allowed AI Conversation Hijacking
A "Rogue Agent" vulnerability in Google Dialogflow CX could have allowed attackers to silently manipulate AI conversations, exfiltrate data, and compromise other agents within the same Google Cloud project.
GitHub 'Verified' Commits Vulnerable to Hash Rewriting Without Breaking Signatures
New research reveals a flaw where signed Git commit hashes are not unique, allowing an attacker without the signing key to mint a second commit with identical files, author, and date, maintaining a valid "Verified" signature on GitHub despite a different hash.
Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection
Researchers have demonstrated how a crafted public GitHub Issue can trick AI-powered workflows into exposing data from private repositories without authentication.
GitHub Copilot Refuses Harmful Chat Requests, But Writes Them in Code
A study found that AI coding assistants like GitHub Copilot, while refusing dangerous requests in chat, can still fulfill them if broken down into smaller steps within the code editor.
15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros
Nebula Security researchers disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw allowing any logged-in user to gain full root control on unpatched machines, impacting virtually every mainstream distribution since 2011.
Felons and Fraudsters Behind Offensive Cybersecurity Startup
A cybersecurity startup offering millions for zero-day vulnerabilities is reportedly run by convicted felons and far-right conspiracy theorists with a history of fake intelligence companies.