Cybersecurity
PeopleSoft 0-Day Bleeds Universities as ShinyHunters Cashes In
A 9.8-severity SSRF in Oracle PeopleSoft handed ShinyHunters two weeks of unmonitored access, 300 endpoints, and a 48GB haul from a single victim. Universities took the worst of it.
SoFi Confirms Hong Kong Breach via Third-Party Vendor
SoFi Hong Kong discovered a third-party vendor breach on April 30, 2026. The vendor stays anonymous, the scope is unknown, and customers are left refreshing their inboxes.
PAN-OS CVE-2026-0257 Exploited: GlobalProtect VPN Bypass Hits Wild
A medium-severity PAN-OS bug is now CISA KEV-listed, actively exploited, and has a public PoC. The unit economics of patch delay just got ugly.
Gitea Registry Bug Leaks Private Images for Four Years
A four-year-old auth bypass in Gitea's container registry lets anyone pull private images from 31,750 exposed instances. Patch is in 1.26.2. Move now.
77% Updated Cloud Security for AI, Only 26% Can Enforce It
Check Point's 2026 report shows a 51-point gap between organizations that updated cloud security for AI (77%) and those whose architecture can actually enforce it (26%).
Zero-Day Clock Says Exploit Window Is Now 24 Hours
The Zero-Day Clock pegs mean time from disclosure to exploitation at just over a day, down from a year in 2021. The 90-day patch cycle is dead.
KnowledgeDeliver Zero-Day Exposes 100% Shared-Key LMS Footprint
Every KnowledgeDeliver deployment shipped before Feb 24, 2026 carried the same hardcoded ASP.NET machineKey. One leaked secret, one ViewState payload, full RCE. Here's what that means.







