TL;DR: CVE-2026-45247 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Mirasvit Full Page Cache Warmer for Magento 2. The flaw stems from unsafe PHP deserialization of attacker-controlled data supplied through the CacheWarmer cookie. Successful exploitation can allow attackers to execute arbitrary commands on vulnerable Magento and Adobe Commerce ... Read More

TL;DR: CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core that can be exploited by unauthenticated users against Drupal sites using PostgreSQL. The vulnerability affects Drupal’s database abstraction API and can allow specially crafted requests to trigger arbitrary SQL injection, potentially leading to information disclosure, privilege escalation, remote ... Read More

TL;DR: Researchers recently disclosed CVE-2026-42945, a critical heap-based buffer overflow vulnerability affecting both NGINX Open Source and NGINX Plus. The flaw exists within the ngx_http_rewrite_module component and can allow unauthenticated attackers to trigger denial-of-service conditions and potentially achieve remote code execution (RCE) using specially crafted HTTP requests. Imperva Threat Research ... Read More

TL;DR: A newly disclosed denial-of-service vulnerability, CVE-2026-23870, impacts React Server Components and dependent frameworks, including Next.js App Router deployments. The flaw enables unauthenticated attackers to send specially crafted HTTP requests that trigger excessive CPU consumption during request deserialization, leading to potential service degradation or total unavailability. Imperva Threat Research Group has ... Read More

What is CVE-2026-41940? CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel & WHM, including DNSOnly, in versions after 11.40. The flaw, discovered by WatchTowr Labs, exists in the login flow and allows unauthenticated remote attackers to gain unauthorized access to the control panel. The vulnerability carries a CVSS 3.1 ... Read More

What Is CVE-2026-21962? CVE-2026-21962 is a critical (CVSS 10.0) vulnerability in the Oracle HTTP Server and the WebLogic Server Proxy Plug-in for Apache HTTP Server and Microsoft IIS. An unauthenticated attacker with HTTP access can exploit this flaw by sending crafted requests to the affected proxy components and bypass security ... Read More

Holiday shopping season is in full swing, and Black Friday 2025 continued to demonstrate that consumer demand and attacker activity shows no signs of slowing. According to Adobe Analytics, U.S. consumers spent $11.8 billion online on Black Friday, setting a new record and highlighting sustained strength in online shopping. Yet ... Read More

When high-stakes events meet unprecedented attack volumes, disruption can be devastating. A Turkish luxury retail platform experienced this firsthand when it was hit with a record-breaking application-layer DDoS attack, peaking at 14.2 million requests per second (RPS). This marks the largest DDoS attack Imperva has observed to date. The timing ... Read More

TL;DR: In early October 2025, Oracle released an emergency security alert addressing CVE-2025-61882, a high-severity unauthenticated remote code execution (RCE) vulnerability in the Concurrent Processing / BI Publisher Integration component of Oracle E-Business Suite (EBS) versions 12.2.3 through 12.2.14. Multiple threat actors (most prominently Cl0p and related groups) are already ... Read More

This weekend is World Tourism Day, a celebration of the global travel industry and the cultural, economic, and social connections it fosters. However, as the tourism industry continues to grow and evolve, it faces an increasing array of cybersecurity threats. From data breaches targeting personal traveler information, like the 6 ... Read More