Vulnerability | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have disclosed nine cross-tenant vulnerabilities in Google Looker Studio that could have permitted attackers to run arbitrary SQL queries on victims' databases and exfiltrate sensitive data within organizations' Google Cloud environments. The shortcomings have been collectively named LeakyLooker by Tenable. There is no evidence that the vulnerabilities were exploited in the wild. Following responsible disclosure in June 2025, the issues have been addressed by Google. The list of security flaws is as follows - Cross Tenant Unauthorized Access - Zero-Click SQL Injection on Database Connectors Cross Tenant Unauthorized Access - Zero-Click SQL Injection Through Stored Credentials Cross Tenant SQL Injection on BigQuery Through Native Functions Cross-Tenant Data Sources Leak With Hyperlinks Cross Tenant SQL injection on Spanner and BigQuery Through Custom Queries on a Victim’s Data Source Cross Tenant SQL Injection on BigQuery and Spanner Through...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerability list is as follows - CVE-2021-22054 (CVSS score: 7.5) - A server-side request forgery ( SSRF ) vulnerability in Omnissa Workspace One UEM (formerly VMware Workspace One UEM) that could allow a malicious actor with network access to UEM to send requests without authentication and to gain access to sensitive information. CVE-2025-26399 (CVSS score: 9.8) - A deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk that could allow an attacker to run commands on the host machine. CVE-2026-1603 (CVSS score: 8.6) - An authentication bypass using an alternate path or channel vulnerability in Ivanti Endpoint Manager that could allow a remote unauthenticated attacker to leak specific stored credential data. The addition o...

Another week in cybersecurity. Another week of "you've got to be kidding me." Attackers were busy. Defenders were busy. And somewhere in the middle, a whole lot of people had a very bad Monday morning. That's kind of just how it goes now. The good news? There were some actual wins this week. Real ones. The kind where the good guys showed up, did the work, and made a dent. It doesn't always happen, so when it does, it's worth noting. The bad news? For every win, there's a fresh headache waiting right behind it. New tricks, old tricks dressed up in new clothes, and a few things that'll make you want to go touch grass and never log back in. But you will. We all do. So here's everything that mattered this week — the wins, the warnings, and the stuff you really shouldn't ignore. ⚡ Threat of the Week Tycoon 2FA and LeakBase Operations Dismantled — The infrastructure hosting the Tycoon2FA service, which Europol said was among the largest advers...

OpenAI on Friday began rolling out Codex Security , an artificial intelligence (AI)-powered security agent that's designed to find, validate, and propose fixes for vulnerabilities. The feature is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web with free usage for the next month. "It builds deep context about your project to identify complex vulnerabilities that other agentic tools miss, surfacing higher-confidence findings with fixes that meaningfully improve the security of your system while sparing you from the noise of insignificant bugs," the company said . Codex Security represents an evolution of Aardvark⁠ , which OpenAI unveiled in private beta in October 2025 as a way for developers and security teams to detect and fix security vulnerabilities at scale. Over the last 30 days, Codex Security has scanned more than 1.2 million commits across external repositories over the course of the beta, identifying ...

Anthropic on Friday said it discovered 22 new security vulnerabilities in the Firefox web browser as part of a security partnership with Mozilla. Of these, 14 have been classified as high, seven have been classified as moderate, and one has been rated low in severity. The issues were addressed in Firefox 148 , released late last month. The vulnerabilities were identified over a two-week period in January 2026. The artificial intelligence (AI) company said the number of high-severity bugs identified by its Claude Opus 4.6 large language model (LLM) represents "almost a fifth" of all high-severity vulnerabilities that were patched in Firefox in 2025. Anthropic said the LLM detected a use-after-free bug in the browser's JavaScript after "just" 20 minutes of exploration, which was then validated by a human researcher in a virtualized environment to rule out the possibility of a false positive. "By the end of this effort, we had scanned nearly 6,000 C++ ...