Common Apple Pay scams, and how to stay safe
Here’s how the most common scams targeting Apple Pay users work and what you can do to stay one step ahead
Threat Intelligence Feed
Aggregating 4197 articles from trusted cybersecurity sources
LATEST CVEs
CVE-2026-5921
A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker t
CVE-2026-5845
An improper authorization vulnerability in scoped user-to-server (ghu_) token authorization in GitHub Enterprise Server
CVE-2026-5512
An improper authorization vulnerability was identified in GitHub Enterprise Server that allowed an authenticated attacke
CVE-2026-4872
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-4821
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an
CVE-2026-4296
An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to byp
CVE-2026-41063
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete XSS fix in AVideo's `ParsedownSa
CVE-2026-41062
WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in comm
CVE-2026-41061
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isValidDuration()` regex at `objects/vide
CVE-2026-41060
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `isSSRFSafeURL()` function in `objects/fun
CVE-2026-41058
WWBN AVideo is an open source video platform. In versions 29.0 and below, the incomplete fix for AVideo's CloneSite `del
CVE-2026-41057
WWBN AVideo is an open source video platform. In versions 29.0 and below, the CORS origin validation fix in commit `986e
CVE-2026-41056
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in
CVE-2026-41055
WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks p
CVE-2026-40935
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA l
CVE-2026-40929
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mu
CVE-2026-40928
WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/
CVE-2026-40926
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/cat
CVE-2026-3307
An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin acc
CVE-2026-6832
Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authentic
CVE-2026-6830
nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear envi
CVE-2026-6829
nesquena hermes-webui contains a trust-boundary failure vulnerability that allows authenticated attackers to set or chan
CVE-2026-6799
A security flaw has been discovered in Comfast CF-N1-S 2.6.0.1. Affected by this issue is some unknown functionality of
CVE-2026-41527
KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there i
CVE-2026-40946
Oxia is a metadata store and coordination system. Prior to 0.16.2, the OIDC authentication provider unconditionally sets
CVE-2026-40945
Oxia is a metadata store and coordination system. Prior to 0.16.2, when OIDC authentication fails, the full bearer token
CVE-2026-40944
Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configurati
CVE-2026-40943
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing
CVE-2026-40942
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Pr
CVE-2026-40939
The Data Sharing Framework (DSF) implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Pr
CVE-2026-40933
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe s
CVE-2026-40931
Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 rel
CVE-2026-40706
In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that al
CVE-2026-1354
Zero Motorcycles firmware versions 44 and prior enable an attacker to
forcibly pair a device with the motorcycle via Bl
CVE-2026-6823
HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote cha
CVE-2026-6797
A vulnerability was identified in Sanluan PublicCMS up to 6.202506.d. Affected by this vulnerability is the function Zip
CVE-2026-6796
A vulnerability was determined in Sanluan PublicCMS up to 6.202506.d. Affected is the function log_login of the file cor
CVE-2026-40938
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0,
CVE-2026-40927
Docmost is open-source collaborative wiki and documentation software. Prior to 0.80.0, when leaving a comment on a page,
CVE-2026-40925
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also r
Latest News
Phishing and Spoofed Sites Remain Primary Entry Points For Olympics
Cyber risks for the Milano-Cortina 2026 Winter Games include phishing and spoofed websites as key threat vectors
Peruvian Loan Scam Harvests Cards and PINs via Fake Applications
Loan phishing operation in Peru is stealing card info by impersonating financial institutions
VoidLink Linux Malware Was Built Using an AI Agent, Researchers Reveal
Sophisticated malware previously thought to be the work of a well-resourced cyber-crime group was built by one person - with the aid of AI tools
EU Unveils Cybersecurity Overhaul with Proposed Update to Cybersecurity Act
The EU’s Cybersecurity Act 2.
Experts Welcome Global Cybersecurity Vulnerability Enumeration Launch
A new service, the Global Cybersecurity Vulnerability Enumeration (GCVE), offers an alternative to the US-led CVE
Report Fraud Promises to Streamline Fight Against Economic Crime
City of London Police has launched the UK’s national Report Fraud service
Risk of AI Model Collapse to Drive Zero Trust Data Governance, Gartner Says
Gartner predicts 50% of organizations will adopt zero trust data governance by 2028
PurpleBravo’s Targeting of the IT Software Supply Chain
Discover how PurpleBravo, a North Korean threat group, exploits fake job offers to target software supply chains, using RATs and infostealers like BeaverTail.
Chainlit Security Flaws Highlight Infrastructure Risks in AI Apps
2 security vulnerabilities in the Chainlit framework expose risks from web flaws in AI applications
Prompt Injection Bugs Found in Official Anthropic Git MCP Server
Three vulnerabilities in Anthropic's Git server for the MCP can be exploited via prompt injection
Cyber Risks Among CEOs’ Top Worries Amid Weak Short Term Growth Outlook
PwC’s 29th Global CEO Survey shows cyber risk rising to the top of CEO concerns as confidence in short term business growth weakens
Data Breaches
Discord-Linked Group Accessed Anthropic’s Claude Mythos AI in Vendor Breach
Anthropic is investigating a vendor breach after a Discord-linked group accessed its Claude Mythos AI model, with no evidence of impact on core systems.
Adaptavist Group investigates security breach amidst ransomware claims
The breach was detected in late March when an attacker exploited compromised login details.
Bluesky Back Online After DDoS Attack, as Iran-Linked 313 Team Takes Credit
Bluesky is back online after a roughly 24-hour DDoS attack disrupted services, with the Iran-linked 313 Team claiming responsibility and no data breach repor...
SEC cybersecurity disclosure rules: What security leaders must know
SEC rules require fast breach reporting and stronger cyber risk disclosures.
Vercel confirms April 2026 security incident linked to third-party AI tool
Cloud development platform Vercel has confirmed a security incident involving unauthorized access to parts of its internal systems, following a breach disclo...
French Authorities Confirm Data Breach Amid Hackers’ Data Leak Allegations
The French National Agency for Secure Documents (ANTS) has officially confirmed a severe data breach affecting its central government portal. This critical i...
Exclusive Anthropic Cyber Tool Mythos Accessed by Unapproved Actors
A group of unauthorized users has successfully bypassed access controls to reach Claude Mythos Preview, Anthropic’s closely guarded cybersecurity AI. This br...
Over 400K records allegedly stolen from major Dutch webshop Bol, data leaked
Major Dutch online store Bol, which also operates in Belgium, had information from more than 400,000 of its Belgian users allegedly compromised by the hacker...
French govt agency confirms breach as hacker offers to sell data
France Titres, the government agency in France for issuing and managince administrative documents has disclosed a data breach after a threat actor claimed th...
Seiko USA website defaced, customer data breach claimed
The attackers asserted they breached Seiko USA's Shopify backend, exfiltrating sensitive customer data including names, email addresses, phone numbers, order...
Cloud platform Vercel says company breached through third-party AI tool
Vercel released a statement acknowledging a breach and warning a “limited subset of customers” that their Vercel credentials were compromised.
Grinex crypto exchange shuts down, blames Western agencies for $13.7M breach
Grinex exchange collapses after $13.7M breach, blames Western spies as Chainalysis flags possible exit scam and sanctions evasion network links claims.