A medium-severity PAN-OS bug is now CISA KEV-listed and actively exploited, and it has a public PoC. The unit economics of patch delay just got ugly.
A four-year-old auth bypass in Gitea's container registry lets anyone pull private images from 31,750 exposed instances. Patch is in 1.26.2. Move now.
Check Point's 2026 report shows a 51-point gap between organizations that updated cloud security for AI (77%) and those whose architecture can actually enforce it (26%).
The Zero-Day Clock pegs mean time from disclosure to exploitation at just over a day, down from a year in 2021. The 90-day patch cycle is dead.
Every KnowledgeDeliver deployment shipped before Feb 24, 2026 carried the same hardcoded ASP.NET machineKey. One leaked secret, one ViewState payload, full RCE. Here's what that means.
The Verizon 2026 DBIR shows vulnerability exploitation has overtaken credential abuse as the top initial access vector. Patching is now a capacity problem, not a discipline one.
Anthropic's Claude Mythos Preview found 10,000+ zero-days in a month. Only 97 are patched. The 90-day disclosure window just stopped making sense.