Security Headlines


CVE-2026-20960: Microsoft Power Apps Remote Code Execution Vulnerability

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

Microsoft Security Response Center
AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks

A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk. The vulnerability has been codenamed CodeBreach by cloud security company Wiz. The issue was fixed by AWS in September 2025 following responsible disclosure on

Predicting 2026

In this week’s newsletter, Martin examines the evolving landscape for 2026, highlighting key threats, emerging trends like AI-driven risks, and the continued importance of addressing familiar vulnerabilities.

GhostPoster Browser Malware Hid for 5 Years With 840,000 Installs

Researchers uncover a 5-year malware campaign using browser extensions on Chrome, Firefox and Edge, relying on hidden payloads and shared infrastructure.

Researchers Reveal Reprompt Attack Allowing Single-Click Data Exfiltration From Microsoft Copilot

Cybersecurity researchers have disclosed details of a new attack method dubbed Reprompt that could allow bad actors to exfiltrate sensitive data from artificial intelligence (AI) chatbots like Microsoft Copilot in a single click, while bypassing enterprise security controls entirely. "Only a single click on a legitimate Microsoft link is required to compromise victims," Varonis security

“Reprompt” attack lets attackers steal data from Microsoft Copilot

Researchers uncovered a way to steal data from Microsoft Copilot users with a single malicious link.

Model Security Is the Wrong Frame – The Real Risk Is Workflow Security

As AI copilots and assistants become embedded in daily work, security teams are still focused on protecting the models themselves. But recent incidents suggest the bigger risk lies elsewhere: in the workflows that surround those models. Two Chrome extensions posing as AI helpers were recently caught stealing ChatGPT and DeepSeek chat data from over 900,000 users. Separately, researchers

Microsoft Legal Action Disrupts RedVDS Cybercrime Infrastructure Used for Online Fraud

Microsoft on Wednesday announced that it has taken a "coordinated legal action" in the U.S. and the U.K. to disrupt a cybercrime subscription service called RedVDS that has allegedly fueled millions in fraud losses. The effort, per the tech giant, is part of a broader operation in collaboration with law enforcement authorities that has allowed it to confiscate the malicious

Microsoft Disrupts Cybercrime Service RedVDS

RedVDS, a cybercrime-as-a-service operation that has stolen millions from victims, lost two domains to a law enforcement operation.

New China-Linked VoidLink Linux Malware Targets Major Cloud Providers

Researchers have discovered VoidLink, a sophisticated new Linux malware framework designed to infiltrate AWS, Google Cloud, and Azure. Learn how this Chinese-affiliated toolkit uses adaptive stealth to stay hidden.