Google Cloud Platform (GCP) Dialogflow Service Agent Token Leak and Abuse Through Conversational Agents

Tenable Research has identified and responsibly disclosed a critical privilege...

CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing

Copilot Studio links look benign, but they can host content to redirect users to arbitrary URLs. In this post, we document a method by...

[R1] Tenable Identity Exposure Version 3.93.4 Fixes Multiple Vulnerabilities

Arnie Cabral, Fri, 10/17/2025 - 10:02. Tenable Identity Exposure leverages third-party software to help provide...

Capita fined £14m for data protection failings in 2023 cyber-attack

Hackers stole personal information of 6.6m people but outsourcing firm did not shut device targeted for 58 hours. The outsourcing company Capita has been fined...

Windsurf Prompt Injection via Filename

A prompt injection vulnerability exists in Windsurf version 1.10.7. We have verified this vulnerability is present when installed on...

Insertion of Sensitive 2FA Information in logs and debug command

CVSSv3 Score: 2.6. An Insertion of Sensitive Information into Log File vulnerability in FortiOS may allow an attacker with at...

Authenticated Heap Overflow in SSL-VPN bookmarks

CVSSv3 Score: 6.7. A Heap-based Buffer Overflow vulnerability in FortiOS, FortiPAM and FortiProxy RDP bookmark connection may allow an authenticated...

[R1] Security Center Version 6.7.0 Fixes One Vulnerability

Arnie Cabral, Wed, 10/08/2025 - 10:29. In Tenable Security Center versions prior to 6.7.0, an improper...

Oracle E-Business Suite RCE Zero-day

Actively exploited as a zero-day in data theft and extortion campaigns, with activity linked to the Cl0p ransomware group. Successful exploitation enables complete takeover...

Fortra GoAnywhere MFT Attack

A critical deserialization vulnerability in GoAnywhere MFT’s License Servlet (CVSS 10.0) is actively being exploited in the wild. The flaw allows attackers with a...

Latest article

API Security Demystified: Which Tools Actually Protect Your APIs (And Where the Gaps Are)

Quick answer: No single tool secures an API. API security is a layered discipline. Secure-coding analyzers and SCA scanners catch code and dependency flaws;...

Oracle PeopleSoft Zero-Day

What is the Attack? Google Threat Intelligence Group (GTIG) and Mandiant...

Mistic Backdoor Blends With Microsoft Endpoint Security Tooling to Evade Detection

A new and stealthy backdoor named Mistic has been quietly targeting corporate networks since April 2026, disguising itself using the names and appearance of...

Restrict AWS Management Console access to expected networks with sign-in resource-based policies and RCPs

Amazon Web Services (AWS) recently announced support for resource-based policies and resource control policies (RCPs) for AWS Sign-In. By using resource-based policies and RCPs,...