Security News

CVE-2026-24858 is a critical authentication bypass flaw in FortiOS single sign-on with a CVSS score of 9.4. Patches are now available.

Packages 'spellcheckerpy' and 'spellcheckpy' downloaded over 1,000 times before removal from Python Package Index.

Spear-phishing campaign targets diplomatic, maritime, financial, and telecom entities across the Middle East with upgraded malware toolkit.

NordStellar research reveals US companies remain primary targets with 3,255 incidents. Small and medium businesses face the highest risk.

Former security workers admitted to operating as BlackCat/ALPHV affiliates, paying 20% of ransoms to administrators for malware access.

APT group targets government entities with enhanced malware enabling comprehensive data theft from infected endpoints.

CVE-2026-1470 scores CVSS 9.9 with eval injection vulnerability enabling attackers to execute arbitrary code on n8n servers.

Massive security update includes 38 patches for Financial Services Applications, with 33 remotely exploitable without authentication.

Investigation reveals service providers fueling Southeast Asian scam compounds where trafficking victims are forced to conduct investment fraud.

January 2026 Security Patch Day releases 17 notes including four critical vulnerabilities affecting enterprise ERP systems.

CVE-2026-23550 in Modular DS plugin scores maximum CVSS 10.0, enabling unauthenticated privilege escalation on WordPress sites.

CVE-2026-21509 bypasses OLE mitigations in Microsoft Office and Microsoft 365. CISA has added the flaw to its KEV catalog with a February 16 deadline.

Protected health information potentially exposed including names, dates of birth, claims data, diagnoses, and medication information.

Attackers exfiltrated API tokens, Bitbucket repositories, and source code from ESA servers. Investigation ongoing.

APT28 targets organizations in the Balkans, Middle East, and Central Asia with simple but effective phishing attacks using legitimate documents.

Attackers claim to have exfiltrated sensitive data from systems supporting government services operations at one of the world's largest claims administrators.

AZ Monica hospital in Antwerp forced to cancel procedures and move patients to other facilities following security incident.

New campaign uses social engineering and legitimate Microsoft Application Virtualization scripts to distribute Amatera information stealer.

CVE-2026-24002 allows remote code execution through malicious spreadsheet formulas in popular open-source data tool.

Coordinated action with UK, German authorities, and Europol takes down subscription service offering disposable VMs for $24/month to criminals.

New additions include CVE-2026-21509, a Linux kernel flaw from 2018, and SmarterMail vulnerabilities. Federal agencies face February deadlines.

The National Cybersecurity Alliance kicks off Data Privacy Week from January 26-30, focusing on empowering individuals and organizations to manage personal information.

Monthly security update addresses 114 CVEs including CVE-2026-20805, a Windows Desktop Window Manager flaw under active exploitation.