Trending Topics
The Quiet Python Flaw BadHost is Putting AI Agents at Risk
A newly disclosed vulnerability, “BadHost,” is putting thousands of AI agents and inference servers at risk by allowing attackers to bypass authentication and access internal services that were never meant to be exposed to the internet. The flaw stems from how the popular Python ASGI framework Starlette handles the Host header, which many AI infrastructure projects rely on without adding their own strict checks. Researchers showed that by abusing this weak validation, an attacker can pivot through a public endpoint into admin panels, private OpenAI-compatible APIs, internal MCP servers, or vector databases that hold sensitive prompts and embeddings. BadHost matters because it breaks a core assumption in many modern AI architectures that simple hostname-based routing is enough to separate “external API” from “internal control plane”. Projects like vLLM and LiteLLM, as well as custom AI gateway services, often run multiple apps behind a single process and rely on the Host header to determine which app a request should reach. When that trust is misplaced, attackers can reach debug consoles, modify agent tools, change model backends, or even steal API keys and training data stored in backend services. Mitigation starts with upgrading Starlette and any dependent frameworks to patched versions, enforcing an explicit allow list of Host values at the reverse proxy, and segmenting sensitive AI agent components onto separate listeners or networks rather than relying solely on virtual hosts. For teams deploying AI agents or inference servers in production, BadHost is a wake-up call to treat “plumbing” frameworks like Starlette as part of the security boundary, not just a convenience layer, and to revisit how your stack validates every request that reaches your models.
BTMOB Malware Turns Android Hacking Into Point and Click Crime
The BTMOB malware family is a powerful Android remote access trojan that gives cybercriminals full control over infected phones, and it is being aggressively marketed as a ready-to-use toolkit rather than a niche hacker toy. Originally derived from the SpySolr strain, BTMOB combines classic spyware features like keylogging, screen capture, and file theft with real-time remote control, web injection, and live screen streaming, allowing attackers to watch everything victims do on their devices to hijack banking sessions or drain crypto wallets. What makes BTMOB especially dangerous is its no-code builder interface; even low-skilled actors can generate custom malicious APKs, disguise them as local banking, streaming, or government apps, and tailor phishing lures to specific countries or brands without writing a single line of code. Campaigns spotted in the wild show BTMOB operators driving victims to fake app stores and phishing pages that mimic Google Play, government portals, or well-known services like Starlink or WhatsApp, then pushing them to sideload trojanized apps that immediately request powerful Android permissions, including Accessibility Services and the ability to install unknown apps. Once granted, those permissions let BTMOB silently grant itself further access, overlay fake login forms on top of legitimate banking apps, capture one-time codes, track geolocation, and send attacker-scripted taps to complete fraudulent transactions in the background. Defenders and users are not powerless, though; sticking to official app stores, treating unsolicited links and APKs with suspicion, reviewing high-risk permissions, and deploying reputable mobile security tools can sharply reduce the risk that a single rogue download turns a personal phone into a persistent spying device that also endangers corporate data.
New Gitea Bugs Put Private Repositories And Organizations In The Spotlight
Recent security fixes in Gitea have highlighted how subtle authorization flaws can quietly expose private repository data and cross-organization projects if instances are not quickly updated. At the center of the latest advisory is CVE-2026-20912, a high-severity issue in which Gitea did not properly validate repository ownership when linking attachments to releases, allowing a file uploaded to a private repository to be attached to a release in a public repository and suddenly become visible to anyone with access to the public project. Alongside that, bugs like CVE-2026-20750 and CVE-2026-20736 showed similar broken ownership checks in organization project operations and attachment deletion, allowing users with write access in one organization, or to one repository, to tamper with projects or files belonging to another organization or repo they should not control. Developers and admins who treat Gitea as a safe home for internal code now have a clear lesson: private cannot just be a checkbox in the user interface; the platform needs to enforce context and ownership at every API boundary. The collection of issues disclosed in 2026, including CVE-2026-20883 and CVE-2026-20800, that let revoked users keep seeing private repository names, issue titles, and pull request details through stopwatches or old notifications, shows how easy it is for stale references to leak sensitive metadata even after access should have been shut off. Gitea has patched these flaws, so the immediate priority is to upgrade to the latest supported release, review audit logs for unusual cross-repository or cross-organization actions, and consider hardening the instance configuration to minimize the scope of write access and project administration rights. 
For self-hosted shops in particular, this is a good moment to pair Gitea upgrades with a wider access review so that a single overlooked permission does not quietly turn a “private” repository into a window into your internal roadmap and security posture.
New SharePoint RCE Bug Proves On-Prem Is Still A Big Target
Microsoft SharePoint Server is back in the spotlight with a new critical remote code execution flaw, CVE-2025-53770, that lets unauthenticated attackers run arbitrary code on vulnerable on-prem servers by abusing unsafe deserialization of untrusted data. The bug affects all supported on-premises SharePoint editions and has already been used in real-world attacks, in which threat actors sent crafted HTTP POST requests to exposed endpoints such as ToolPane.aspx to drop web shells, steal credentials, and pivot deeper into victim environments. Microsoft has shipped emergency patches and clarified that SharePoint Online in Microsoft 365 is not impacted, but organizations running their own servers must urgently apply updates, since this flaw also bypasses earlier fixes for similar bugs, effectively reopening a door many defenders thought was closed. Security agencies and vendors are warning that patching alone is not enough this time, because attackers may have already stolen cryptographic material. Defenders also need to rotate ASP.NET machine keys, restart IIS, and aggressively hunt for signs of compromise, such as unexpected ASPX files, suspicious changes in the LAYOUTS directory, or odd ToolPane.aspx traffic in logs. For unpatched or unsupported deployments, short-term containment steps include disconnecting internet-facing SharePoint servers, tightening firewall rules and forcing access through VPNs until updates can be safely applied. If you still depend on on-prem SharePoint, you need a disciplined patching process, AMSI-integrated anti-malware like Microsoft Defender for Endpoint, and regular key rotation, or you risk having your collaboration server quietly turned into a persistent foothold for attackers.
Update: CISA Sounds Alarm On LiteSpeed cPanel Plugin 0-day Under Active Exploitation
A critical 0-day in the LiteSpeed User-End cPanel Plugin, tracked as CVE-2026-48172, is being actively exploited to gain root-level access on unpatched hosting servers. The flaw affects plugin versions 2.3 through 2.4.4 and stems from how the Redis enable/disable functionality handles JSON API requests, allowing a low-privileged cPanel user to escalate to root and run arbitrary commands on the underlying system. In shared hosting environments, this breaks isolation between tenants, since the compromise of a single cPanel account can lead to a full server takeover and the exposure of every site and workload hosted on that machine. CISA has added CVE-2026-48172 to its KEV catalog and ordered federal agencies to patch or remove the vulnerable plugin by May 29, underscoring the severity of the issue. LiteSpeed has released fixes in the user-end plugin version 2.4.7 and the WHM plugin version 5.3.1.0. Both the vendor and CISA are urging administrators to either upgrade immediately or completely uninstall the affected plugin if patching is not possible. Server owners are advised to search their cPanel logs for the string cpanel_jsonapi_func=redisAble, review any matching IP addresses, investigate suspicious activity, and tighten network access to cPanel interfaces to reduce their attack surface. For anyone running LiteSpeed in a shared hosting stack, this is the moment to treat plugin hygiene as a priority, because a single overlooked extension now represents a direct path from a basic user account to full root compromise.
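The log search recommended above, as an added triage script (not vendor or CISA tooling). It assumes a common-log-style line with the client address first and the account third; the sample lines, users and `exampleFunc` are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

INDICATOR = "cpanel_jsonapi_func=redisAble"  # search string quoted in the advisory
TIMESTAMP = re.compile(r"\[([^\]]+)\]")

# Constructed sample lines (documentation IP ranges, made-up users and times).
SAMPLE = [
    '203.0.113.7 - alice [12/May/2026:03:14:07 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 87',
    '198.51.100.23 - bob [12/May/2026:03:15:40 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=exampleFunc HTTP/1.1" 200 640',
    '203.0.113.7 - alice [12/May/2026:03:16:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redis%41ble HTTP/1.1" 200 87',
    '198.51.100.23 - carol [13/May/2026:11:02:55 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 87',
]


def hunt(lines):
    """Group indicator hits by client IP: hit count, accounts, first/last time."""
    report = defaultdict(lambda: {"hits": 0, "users": set(), "first": None, "last": None})
    for raw in lines:
        line = unquote(raw)  # so a percent-encoded query string still matches
        if INDICATOR not in line:
            continue
        fields = line.split()
        try:  # assumption: the client address is the first field
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            ip = "unparsed"  # keep the hit and flag it for manual review
        entry = report[ip]
        entry["hits"] += 1
        if len(fields) > 2 and fields[2] != "-":
            entry["users"].add(fields[2])  # assumption: account is the third field
        stamp = TIMESTAMP.search(line)
        if stamp:
            entry["first"] = entry["first"] or stamp.group(1)
            entry["last"] = stamp.group(1)  # assumes lines arrive in log order
    return dict(report)


if __name__ == "__main__":
    for ip, info in hunt(SAMPLE).items():
        print(ip, info["hits"], sorted(info["users"]), info["first"], info["last"])
```

Feed it the lines of the cPanel logs under review; each returned address and account is a starting point for the investigation the advisory asks for.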
Written By: William Elchert