Insecure Deserialization Explained: How Attackers Exploit It and How to Prevent It

Introduction: When PTC’s Windchill software was hit by a CVSS 9.3 critical vulnerability in June 2026 — one actively exploited to plant webshells on manufacturing and engineering systems — the root cause was not a novel attack technique. It was insecure deserialization. The same class of vulnerability that hit Apache Struts, Oracle WebLogic, and Java-based …

libssh2 CVE-2026-55200: Critical RCE With No Official Patch — What Developers Must Do Now

libssh2 CVE-2026-55200 vulnerability diagram showing out-of-bounds write in SSH packet length parsing affecting curl and PHP

Introduction: On June 23, 2026, researchers disclosed CVE-2026-55200 — a CVSS 9.2 remote code execution vulnerability in libssh2, the SSH library embedded in curl, PHP, Python, Ruby, and hundreds of other applications that handle SSH connections in production software. The vulnerability requires no authentication, no privileges, and no user interaction. An attacker who can cause …

Squidbleed (CVE-2026-47729): What Developers Need to Know About the 29-Year-Old Squid Proxy Vulnerability

Squidbleed CVE-2026-47729

Introduction: On June 23, 2026, security researchers at Calif Security Research published their analysis of CVE-2026-47729 — a heap buffer overread vulnerability in Squid Proxy that had been present in the codebase since a commit in January 1997. They named it Squidbleed. The vulnerability is real, the affected deployment surface is large, and the discovery …

AI-Accelerated Cyberattacks: How AI Is Shrinking the Defender’s Response Window

AI-accelerated cyberattacks

Introduction: For most of the past two decades, the security industry operated on an implicit assumption: defenders had time. A vulnerability would be discovered, a CVE would be published, a patch would ship, and enterprises would deploy it — imperfectly, slowly, but eventually. The attacker’s window existed, but it was measured in weeks or months. …