Taiwan CERT warns of two local privilege escalation flaws in AVACAST for Windows (CVE-2026-7279, CVE-2026-7280)

TWCERT/CC published a Taiwan Vulnerability Note (TVN-202604011) detailing two vulnerabilities affecting Herlin Digital Technology’s AVACAST for Windows, versions 5.10.10.43 and earlier. The first is a DLL hijacking flaw (CVE-2026-7279, CVSS 7.8 High) that an authenticated local attacker could use to execute code with SYSTEM privileges; the second is an unquoted service path (CVE-2026-7280, CVSS 6.7 Medium), which the note attributes to an attacker with local administrator rights, again yielding SYSTEM-level code execution. Both are classic Windows service weaknesses: a service running as LocalSystem loads a DLL, or is started from a path, that a lower-privileged user can write to. TWCERT/CC recommends updating to AVACAST 5.10.10.45 or later.
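The following PowerShell script is an added example, not code from TWCERT/CC or from the AVACAST vendor, and it does not target AVACAST specifically. It enumerates every Windows service whose binary path is unquoted and contains a space (the CVE-2026-7280 pattern), lists the truncated paths the Service Control Manager would try before the real executable, and tests whether the current user can create files in each of those directories. It also tests the executable's own directory, since a writable application directory is the usual precondition for a DLL hijack like CVE-2026-7279. Function names are the author's own; run it from an unprivileged PowerShell session to see the attacker's view.

```powershell
# Added example (not part of the TWCERT/CC advisory or the vendor's code).
# Finds services vulnerable to unquoted-service-path and writable-directory DLL hijacks.

function Get-UnquotedServicePath {
    # Services whose ImagePath is not quoted and whose executable path contains a space.
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' } |
        ForEach-Object {
            # Keep only the executable part: everything up to the first ".exe"
            # (arguments after it may legitimately contain spaces).
            if ($_.PathName -match '^(?<exe>.*?\.exe)') {
                $exe = $Matches['exe']
                if ($exe -match ' ') {
                    [pscustomobject]@{
                        Name      = $_.Name
                        StartName = $_.StartName   # account the service runs as, e.g. LocalSystem
                        PathName  = $_.PathName
                        ExePath   = $exe
                    }
                }
            }
        }
}

function Get-HijackCandidate {
    # For C:\Program Files\Vendor\App Name\svc.exe the SCM tries, in order,
    # C:\Program.exe, C:\Program Files\Vendor\App.exe, then the real binary.
    param([Parameter(Mandatory)][string]$ExePath)

    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $prefix = $parts[0..($i - 1)] -join ' '
        [pscustomobject]@{
            Candidate = "$prefix.exe"
            Directory = Split-Path -Path "$prefix.exe" -Parent
        }
    }
}

function Test-DirectoryWritable {
    # Actually creates and deletes a probe file: ACL inspection alone is easy to get
    # wrong with inherited and group-based grants.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path -Path $Path -ChildPath ("probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'x')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

foreach ($svc in Get-UnquotedServicePath) {
    # Unquoted-path candidates (CVE-2026-7280 pattern).
    foreach ($c in Get-HijackCandidate -ExePath $svc.ExePath) {
        $writable = Test-DirectoryWritable -Path $c.Directory
        '{0,-28} {1,-14} unquoted  {2,-55} writable={3}' -f $svc.Name, $svc.StartName, $c.Candidate, $writable
    }
    # Writable application directory: a planted DLL next to the binary is loaded
    # ahead of system copies (CVE-2026-7279 pattern).
    $appDir = Split-Path -Path $svc.ExePath -Parent
    $writable = Test-DirectoryWritable -Path $appDir
    '{0,-28} {1,-14} app-dir   {2,-55} writable={3}' -f $svc.Name, $svc.StartName, $appDir, $writable
}
```

A line reporting `writable=True` for a service whose StartName is LocalSystem is the exploitable condition; a writable `C:\` or `C:\Program Files` is rare on a default install, so most findings come from vendor-created directories with permissive ACLs. The fix on the vendor side is to quote the ImagePath and ship the application directory with administrators-only write access; the check above does not distinguish a service that is stopped and disabled from one that is running, so confirm the start mode before prioritising a finding.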

Taiwan CERT warns of critical unauthenticated API flaw in GCB/FCB government-finance security audit software (CVE-2026-4312)

TWCERT/CC disclosed a critical “Missing Authentication” vulnerability in Chunghwa Long Network’s GCB/FCB government and financial cybersecurity configuration audit software. A remote, unauthenticated attacker can call an API function that creates a new account with administrator privileges. Affected deployments are versions prior to 20260108; users are advised to upgrade to 20260108 or later.

Microsoft May 2026 Patch Tuesday: 137 Microsoft CVEs disclosed; 13 flagged as likely exploitation targets

Microsoft’s May 12, 2026 Patch Tuesday release disclosed 137 CVEs across Microsoft products (down from 165 the prior month, per iThome). Including the third-party component fixes Microsoft shipped, the total reaches 265 vulnerabilities. iThome highlights 13 vulnerabilities Microsoft assessed as more likely to be targeted by attackers; most are elevation-of-privilege issues across Windows components, plus two Word remote code execution bugs. Four of the 13 are rated Critical, and the highest CVSS score called out is 9.1, for a Microsoft Single Sign-On (SSO) plugin used with Jira and Confluence.

Claude Chrome Extension Vulnerability Permits Unauthorized AI Hijacking

Security researchers at LayerX identified a design flaw, dubbed ‘ClaudeBleed’, in the Claude in Chrome extension. A malicious extension that requests no permissions at all can inject commands into the Claude AI agent and hijack it, potentially leading to unauthorized data exfiltration and sensitive cross-site operations performed in the user’s browser session.

Dual High-Severity Vulnerabilities Identified in SunNet Corporate Training and Performance Management Systems

Taiwan’s TWCERT/CC has disclosed two high-severity vulnerabilities affecting SunNet’s Corporate Training Management System (CTMS) and Corporate Appraisal Performance System (CAPS). The flaws are a SQL injection and an arbitrary file upload weakness, which could lead to full system compromise.

Taiwan CERT warns of two high-severity flaws in Galaxia Info’s Vitals ESP (≤ 6.3)

TWCERT/CC published a Taiwan Vulnerability Note (TVN-202603007) describing two high-severity vulnerabilities affecting Galaxia Information’s Vitals ESP up to and including version 6.3. One issue could allow an authenticated remote attacker to invoke certain administrative functions and escalate privileges (CVE-2026-4639, CVSS 8.8). The other could allow an unauthenticated remote attacker to access certain functions and obtain sensitive information (CVE-2026-4640, CVSS 7.5). TWCERT/CC advises customers to contact the vendor for a patch.

Taiwan CERT warns of two medium-severity a+HRD flaws enabling authenticated database read via SQL injection and missing authorization

TWCERT/CC published a Taiwan Vulnerability Note (TVN-202604004) for two vulnerabilities affecting Yuqi Digital Technology’s a+HRD product, versions 7.1 and earlier. The issues, a SQL injection (CVE-2026-6833) and a missing authorization check (CVE-2026-6834), could each allow an authenticated remote attacker to read database contents. TWCERT/CC advises upgrading to the patched release referenced in the vendor’s security notice.

Taiwan CERT warns of high-severity arbitrary file write in Gigabyte Control Center (CVE-2026-4415)

TWCERT/CC published a Taiwan Vulnerability Note for a high-severity arbitrary file write flaw in Gigabyte Control Center. The advisory says that when the product’s pairing function is enabled, an unauthenticated remote attacker can write arbitrary files to any path on the operating system, potentially enabling code execution or privilege escalation. Gigabyte Control Center versions up to 25.07.21.01 are listed as affected; upgrading to 25.12.10.01 or later is recommended, and leaving the pairing function disabled where it is not needed removes the exposed condition.