Google credits security researcher Shaheen Fazim with reporting the exploit to Google. The dude's LinkedIn says he's a professional bug hunter, and I'd say he deserves the highest possible bug bounty for finding something that a government agency is saying "in CSS in Google Chrome before 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page."
Ivanti on Thursday announced emergency patches for two critical-severity vulnerabilities in Endpoint Manager Mobile (EPMM) that have been exploited in the wild as zero-days. Tracked as CVE-2026-1281 and CVE-2026-1340 (CVSS score of 9.8), the bugs are described as code injection issues that could be exploited by unauthenticated attackers to achieve remote code execution (RCE). The flaws impact the in-house application distribution and the Android file transfer configuration features of EPMM.
The vulnerability, tracked as CVE-2026-24423, carries a CVSS score of 9.3 out of 10.0. "SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method," according to a description of the flaw in CVE.org. "The attacker could point the SmarterMail to the malicious HTTP server, which serves the malicious OS [operating system] command. This command will be executed by the vulnerable application."
The issue sits in the management interface's HTTP handling and can be triggered without logging in. "This vulnerability is due to improper validation of user-supplied input in HTTP requests," Cisco explains in its advisory. "An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device." Given how often those interfaces are reachable over internal networks or VPNs, it's not hard to see why attackers have noticed.
Cloudflare has fixed a flaw in its web application firewall (WAF) that allowed attackers to bypass security rules and directly access origin servers, which could lead to data theft or full server takeover. FearsOff security researchers reported the bug in October through Cloudflare's bug bounty program, and the CDN says it has patched the vulnerability in its ACME (Automatic Certificate Management Environment) validation logic with no action required from its customers.
The update includes the November 2025 security patch level. The changelog mentions faster app launches from the Home screen, customizable widget names, the ability to resize the clock in Flux themes, widgets being draggable onto other widgets to stack them, automatic straightening being available when cropping and rotating portrait and architectural images in Photos, videos can be set as ringtones, improved virus scanning speed,
The vulnerability has been identified in ASP.NET Core versions 10.0, 9.0, 8.0, and the Kestrel package for 2.x. An attacker who is already authorized can bypass a security feature by exploiting inconsistent parsing of HTTP requests and responses. Microsoft states there are no known mitigating factors for the HTTP request/response smuggling scenario and strongly recommends patching to the listed fixed versions to prevent the security bypass.
Xiaomi recently rolled out the Android 16-based HyperOS 3 stable update for the Xiaomi 15T and 15T Pro's global units, and now it's the non-T model that's getting upgraded to HyperOS 3. The HyperOS 3 stable update for the global Xiaomi 15 is currently rolling out in some European countries for Mi Pilot members, but the rollout should expand to more regions soon.
SAP issued a patch for the 9.9-rated flaw in August. It is tracked as CVE-2025-42957, and it affects both private cloud and on-premises versions. According to SecurityBridge Threat Research Labs, which originally spotted and disclosed the vulnerability to SAP, the team "verified actual abuse of this vulnerability." It doesn't appear to be widespread (yet), but the consequences of this flaw are especially severe.
