Vulnerability | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have disclosed details of a security flaw that leverages indirect prompt injection targeting Google Gemini as a way to bypass authorization guardrails and use Google Calendar as a data extraction mechanism. The vulnerability, Miggo Security's Head of Research, Liad Eliyahu, said, made it possible to circumvent Google Calendar's privacy controls by hiding a dormant malicious payload within a standard calendar invite. "This bypass enabled unauthorized access to private meeting data and the creation of deceptive calendar events without any direct user interaction," Eliyahu said in a report shared with The Hacker News. The starting point of the attack chain is a new calendar event that's crafted by the threat actor and sent to a target. The invite's description embeds a natural language prompt that's designed to do their bidding, resulting in a prompt injection. The attack gets activated when a user asks Gemini a completely inno...

A team of academics from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new hardware vulnerability affecting AMD processors. The security flaw, codenamed StackWarp , can allow bad actors with privileged control over a host server to run malicious code within confidential virtual machines (CVMs), undermining the integrity guarantees provided by AMD Secure Encrypted Virtualization with Secure Nested Paging ( SEV-SNP ). It impacts AMD Zen 1 through Zen 5 processors. "In the context of SEV-SNP, this flaw allows malicious VM [virtual machine] hosts to manipulate the guest VM's stack pointer ," researchers Ruiyi Zhang, Tristan Hornetz, Daniel Weber, Fabian Thomas, and Michael Schwarz said . "This enables hijacking of both control and data flow, allowing an attacker to achieve remote code execution and privilege escalation inside a confidential VM." AMD, which is tracking the vulnerability as CVE-2025-29943 (CVSS v4 ...

Cisco on Thursday released security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686. The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw arising as a result of insufficient validation of HTTP requests by the Spam Quarantine feature. Successful exploitation of the defect could permit an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance. However, for the attack to work, three conditions must be met - The appliance is running a vulnerable release of Cisco AsyncOS Software The appliance is configured with the Spam Quarantine feature The Spam Quarantine feature is exposed to and reachable from the internet L...

A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk. The vulnerability has been codenamed CodeBreach by cloud security company Wiz. The issue was fixed by AWS in September 2025 following responsible disclosure on August 25, 2025. "By exploiting CodeBreach, attackers could have injected malicious code to launch a platform-wide compromise, potentially affecting not just the countless applications depending on the SDK, but the Console itself, threatening every AWS account," researchers Yuval Avrahami and Nir Ohfeld said in a report shared with The Hacker News. The flaw, Wiz noted, is the result of a weakness in the continuous integration (CI) pipelines that could have enabled unauthenticated attackers to breach the build environment, leak privileged credentials like GitHub admin tokens, and...

A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack. The vulnerability, tracked as CVE-2026-23550 (CVSS score: 10.0), has been described as a case of unauthenticated privilege escalation impacting all versions of the plugin prior to and including 2.5.1. It has been patched in version 2.5.2 . The plugin has more than 40,000 active installs. "In versions 2.5.1 and below, the plugin is vulnerable to privilege escalation, due to a combination of factors including direct route selection, bypassing of authentication mechanisms, and auto-login as admin," Patchstack said . The problem is rooted in its routing mechanism, which is designed to put certain sensitive routes behind an authentication barrier. The plugin exposes its routes under the "/api/modular-connector/" prefix. However, it has been found that this security layer can be bypassed every time the "direct reques...