Trending Topics

TRENDING TOPICS MAY 27, 2026

The Quiet Python Flaw BadHost is Putting AI Agents at Risk

A newly disclosed vulnerability called "BadHost" is putting thousands of AI agents and inference servers at risk by allowing attackers to bypass authentication and reach internal services that were never meant to be exposed to the internet. The flaw stems from how Starlette, a popular Python ASGI framework that many AI infrastructure projects rely on without adding their own strict validation, handles the Host header.

Researchers demonstrated that by abusing this weak validation, an attacker can pivot through a public endpoint into admin panels, private OpenAI-compatible APIs, internal MCP servers, or vector databases holding sensitive prompts and embeddings.

BadHost breaks a core assumption in many modern AI architectures: that simple hostname-based routing is sufficient to separate an external API from an internal control plane. Projects like vLLM and LiteLLM, along with custom AI gateway services, often run multiple applications behind a single process and rely on the Host header to route requests to the correct app. When that trust is misplaced, attackers can reach debug consoles, modify agent tools, swap model backends, or steal API keys and training data stored in backend services.

Mitigation starts with upgrading Starlette and any dependent frameworks to patched versions, enforcing an explicit allowlist of Host values at the reverse proxy, and segmenting sensitive AI agent components onto separate listeners or networks rather than relying on virtual host separation alone.

For teams deploying AI agents or inference servers in production, BadHost is a concrete reminder to treat "plumbing" frameworks like Starlette as part of the security boundary - not just a convenience layer - and to revisit how your stack validates every request that reaches your models.

BTMOB Malware Turns Android Hacking Into Point and Click Crime

The BTMOB malware family is a powerful Android remote access trojan giving cybercriminals full control over infected phones - and it is being aggressively marketed as a ready-to-use toolkit rather than a niche hacker toy. Originally derived from the SpySolr strain, BTMOB combines classic spyware features like keylogging, screen capture, and file theft with real-time remote control, web injection, and live screen streaming. Attackers can watch everything a victim does on their device, then use that access to hijack banking sessions or drain crypto wallets.

What makes BTMOB particularly dangerous is its no-code builder interface. Even low-skilled actors can generate custom malicious APKs, disguise them as local banking, streaming, or government apps, and tailor phishing lures to specific countries or brands without writing a single line of code.

Campaigns spotted in the wild show BTMOB operators directing victims to fake app stores and phishing pages that mimic Google Play, government portals, or well-known services like Starlink and WhatsApp, then pressuring them to sideload trojanized apps that immediately request powerful Android permissions - including Accessibility Services and the ability to install unknown apps. Once granted, those permissions let BTMOB silently expand its own access, overlay fake login forms on top of legitimate banking apps, capture one-time codes, track geolocation, and execute attacker-scripted taps to complete fraudulent transactions in the background.

Defenders and users are not powerless. Sticking to official app stores, treating unsolicited links and APKs with suspicion, reviewing high-risk permission requests carefully, and deploying reputable mobile security tools can sharply reduce the risk that a single rogue download turns a personal phone into a persistent spying device - one that also puts corporate data within reach.

New Gitea Bugs Put Private Repositories And Organizations In The Spotlight

Recent security fixes in Gitea highlight how subtle authorization flaws can quietly expose private repository data and cross-organization projects when instances are not promptly updated. At the center of the latest advisory is CVE-2026-20912, a high-severity issue in which Gitea failed to properly validate repository ownership when linking attachments to releases. A file uploaded to a private repository could be attached to a release in a public repository and immediately become visible to anyone with access to the public project.

Related bugs CVE-2026-20750 and CVE-2026-20736 showed similar broken ownership checks in organization project operations and attachment deletion, allowing users with write access in one organization or repository to tamper with projects or files belonging to a different organization or repo they should not control.

The pattern across these disclosures carries a clear lesson for developers and admins who treat Gitea as a safe home for internal code: "private" cannot just be a checkbox in the user interface. The platform needs to enforce context and ownership at every API boundary. Additional issues disclosed in 2026 - including CVE-2026-20883 and CVE-2026-20800, which allowed revoked users to continue seeing private repository names, issue titles, and pull request details through stopwatches or stale notifications - show how easily old references leak sensitive metadata even after access should have been shut off.

Gitea has patched these flaws. The immediate priority is upgrading to the latest supported release, reviewing audit logs for unusual cross-repository or cross-organization actions, and hardening instance configuration to minimize the scope of write access and project administration rights.

For self-hosted teams in particular, this is a good moment to pair the Gitea upgrade with a broader access review. A single overlooked permission is all it takes to quietly turn a "private" repository into a window into your internal roadmap and security posture.

New SharePoint RCE Bug Proves On-Prem Is Still A Big Target

Microsoft SharePoint Server has a new critical remote code execution vulnerability - CVE-2026-45659 - that lets unauthenticated attackers run arbitrary code on vulnerable on-premises servers by abusing unsafe deserialization of untrusted data. The bug affects all supported on-premises SharePoint editions and has already been used in real-world attacks, where threat actors sent crafted HTTP POST requests to exposed endpoints such as ToolPane.aspx to drop web shells, steal credentials, and pivot deeper into victim environments.

Microsoft has shipped emergency patches and confirmed that SharePoint Online in Microsoft 365 is not affected. Organizations running their own servers need to apply updates urgently. This flaw also bypasses earlier fixes for similar vulnerabilities, effectively reopening a door many defenders believed was closed.

Patching alone is not sufficient this time. Security agencies and vendors are warning that attackers may have already stolen cryptographic material from vulnerable systems. Defenders also need to rotate ASP.NET machine keys, restart IIS, and hunt for signs of compromise - including unexpected ASPX files, suspicious changes in the LAYOUTS directory, and unusual ToolPane.aspx traffic in logs.
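One way to run the ToolPane.aspx log hunt is to pull every POST to that page out of the IIS logs for review. This is an added example, not Microsoft's or any vendor's tooling; it assumes logs in IIS W3C extended format, and the sample lines, addresses and the function name are constructed for illustration.

```python
# Constructed sample in IIS W3C extended format. The second #Fields line changes
# the column order, as happens when logging settings are edited.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2026-05-20 08:11:02 GET /_layouts/15/start.aspx - 10.0.0.15 Mozilla/5.0+(Windows) 200
2026-05-20 08:12:40 POST /_layouts/15/ToolPane.aspx - 203.0.113.50 - 200
2026-05-20 08:12:41 GET /_layouts/15/ToolPane.aspx - 10.0.0.15 Mozilla/5.0+(Windows) 302
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-05-21 01:02:03 198.51.100.9 POST /_layouts/15/toolpane.aspx 401
"""


def hunt_toolpane_posts(lines):
    """Return POST requests whose URI stem is ToolPane.aspx, in any letter case."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order applies until the next header
            continue
        if line.startswith("#") or not line.strip():
            continue
        # IIS writes spaces inside a field as '+', so whitespace splitting is safe.
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if row.get("cs-method") == "POST" and stem.lower().endswith("/toolpane.aspx"):
            hits.append({
                "when": f"{row.get('date')} {row.get('time')}",
                "ip": row.get("c-ip"),
                "status": row.get("sc-status"),
                "stem": stem,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt_toolpane_posts(SAMPLE_IIS_LOG.splitlines()):
        print(hit)
```

Each hit is a lead for review rather than proof of compromise; check the source address and timing against known administrator activity.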

For unpatched or unsupported deployments, short-term containment means disconnecting internet-facing SharePoint servers, tightening firewall rules, and routing access through VPNs until updates can be safely applied.

If you still depend on on-premises SharePoint, a disciplined patching process, AMSI-integrated anti-malware like Microsoft Defender for Endpoint, and regular key rotation are not optional extras. Without them, your collaboration server is a persistent foothold waiting to be claimed.

Update: CISA Sounds Alarm On LiteSpeed cPanel Plugin 0-day Under Active Exploitation

A critical zero-day in the LiteSpeed User-End cPanel Plugin, tracked as CVE-2026-48172, is being actively exploited to gain root-level access on unpatched hosting servers. The flaw affects plugin versions 2.3 through 2.4.4 and stems from how the Redis enable/disable functionality handles JSON API requests, allowing a low-privileged cPanel user to escalate to root and run arbitrary commands on the underlying system.

In shared hosting environments, the impact extends well beyond the compromised account. A single cPanel user gaining root access breaks tenant isolation entirely, exposing every site and workload hosted on that machine.

CISA has added CVE-2026-48172 to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch or remove the vulnerable plugin by May 29. LiteSpeed has released fixes in user-end plugin version 2.4.7 and WHM plugin version 5.3.1.0. Both the vendor and CISA are directing administrators to upgrade immediately - or uninstall the affected plugin entirely if patching is not possible.

Server owners should search cPanel logs for the string cpanel_jsonapi_func=redisAble, review any matching IP addresses, investigate suspicious activity around those events, and tighten network access to cPanel interfaces to reduce the attack surface going forward.
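The log search described above can be scripted so that matching requests are grouped by source IP for review. This is an added example, not LiteSpeed's or CISA's tooling; the log line layout (client IP first, timestamp in brackets), the sample lines and the function name are assumptions, and the percent-decoding step goes slightly beyond a plain string search.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

INDICATOR = "cpanel_jsonapi_func=redisAble"  # the string named in the text
# Assumed line layout (adjust to your log): IP, ident, user, [timestamp], ...
LINE_RE = re.compile(r"(\S+) \S+ (\S+) \[([^\]]+)\]")

# Constructed sample lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
198.51.100.23 - - [25/May/2026:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - webuser1 [25/May/2026:03:15:11 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 87
203.0.113.7 - webuser1 [25/May/2026:03:15:49 +0000] "POST /json-api/cpanel?cpanel_jsonapi_func%3DredisAble HTTP/1.1" 200 87
192.0.2.44 - webuser2 [26/May/2026:22:40:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble&x=1 HTTP/1.1" 403 12
truncated entry cpanel_jsonapi_func=redisAble
"""


def hunt_redisable(lines):
    """Group every line containing INDICATOR by source IP for review."""
    by_ip = defaultdict(lambda: {"count": 0, "users": set(), "first": None, "last": None})
    unparsed = []
    for line in lines:
        if INDICATOR not in unquote(line):  # also catches percent-encoded forms
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # still a hit: keep it for manual review
            continue
        ip, user, when = m.groups()
        entry = by_ip[ip]
        entry["count"] += 1
        entry["users"].add(user)
        entry["first"] = entry["first"] or when
        entry["last"] = when
    return dict(by_ip), unparsed


if __name__ == "__main__":
    found, leftovers = hunt_redisable(SAMPLE_LOG.splitlines())
    for ip, info in found.items():
        print(ip, info)
    print("unparsed hits:", leftovers)
```

The first and last timestamps per address give the window in which to look for the suspicious activity the paragraph above tells administrators to investigate.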

For anyone running LiteSpeed in a shared hosting stack, this is a clear signal to treat plugin hygiene as a first-class security concern. A single overlooked extension now represents a direct path from a basic user account to full root compromise.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics.

Written By: William Elchert
