Newsletter

WordPress Forces Security Updates for Critical REST API RCE

Version 7.0.2 also fixes a high-severity SQL injection flaw, with applicable patches backported to the 6.9 and 6.8 branches.

Retro editorial illustration of an automatic patch shield being fitted to a web server while remote-code and database attacks are blocked.
Lead imageRetro editorial illustration of an automatic patch shield being fitted to a web server while remote-code and database attacks are blocked.
On this page

WordPress released version 7.0.2 to fix CVE-2026-63030, a critical unauthenticated remote-code-execution vulnerability in the REST API, and CVE-2026-60137, a high-severity SQL injection flaw. Applicable fixes were backported to versions 6.9.5 and 6.8.6, and WordPress enabled forced automatic updates for affected installations.

Cloudflare deployed blocking WAF rules for proxied sites, including those on its free plan, but said the rules reduce exposure rather than patch the underlying software.

Featured source: Cloudflare , WordPress security release .

DHS Analysts Twice Dismissed Intrusion Alerts Before Credential Theft

Analysts twice classified suspicious activity inside the Homeland Security Information Network as false positives between May 15 and June 3, according to an internal incident readout reviewed by Nextgov/FCW. The intruders installed hidden backdoors and stole credential data on June 4; DHS says the affected environment was unclassified and remains operational, while attribution and the extent of any copied material remain unknown.

Filed from: TechRadar , Nextgov/FCW .

India Smartphone Shipments Fall 10% as Memory Costs Rise

India’s smartphone shipments fell 10% year over year in the April–June quarter, the steepest June-quarter decline in six years, according to Counterpoint Research. The firm estimated that shipments below ₹15,000 fell 45% as higher memory costs pushed up handset prices and lengthened replacement cycles.

Filed from: TechCrunch , Counterpoint Research .

San Francisco Demands Removal of 13 AI Nudify Apps

San Francisco City Attorney David Chiu sent cease-and-desist letters demanding that Apple and Google remove 13 apps capable of producing nonconsensual sexual deepfakes and stop processing related payments. Google said it suspended the five apps identified to it for violating Play policies; Apple had not publicly responded to the reporting.

Filed from: Ars Technica , San Francisco Chronicle .

First Three Operational FireSat Wildfire Satellites Reach Orbit

Earth Fire Alliance’s first three operational FireSat satellites launched on SpaceX’s Transporter-17 mission, beginning the constellation’s initial deployment. The multispectral spacecraft face about three months of testing before nominal operations, with the program targeting twice-daily data delivery to early-adopter fire agencies and scientists in the fourth quarter.

Filed from: Ars Technica , Earth Fire Alliance .

Patreon Begins Actively Blocking AI Training Crawlers

Patreon says it is using Cloudflare’s AI Crawl Control to block crawlers that collect creator work for model training instead of relying on robots.txt requests, while continuing to allow bots used for indexing and discovery. The company reported that weekly attempts from individual training crawlers fell from thousands to zero during testing, a measurement that does not establish how well the controls identify undisclosed or evasive bots.

Filed from: TechCrunch , Cloudflare documentation .

Barracuda Finds One Million Phishing Emails Using Hidden-Text Salting

Barracuda says it detected more than one million retail-themed phishing emails using text salting since April. The messages mix visible phishing copy with benign text concealed through CSS cropping, off-screen positioning, or zero-size fonts, which the security vendor says can distort classification by traditional filters and some machine-learning or LLM-based defenses.

Filed from: The Register , Barracuda .

FBI Arrests Man Accused in Malware-Laced Steam Game Scheme

Federal agents arrested 21-year-old Zyaire Wilkins after prosecutors alleged that he helped finance, obtain, and market malware embedded in video games. The complaint says the conspiracy infected about 8,000 devices, accessed roughly 80 cryptocurrency wallets, and stole at least $220,000; it does not name Steam, but its game titles overlap with an FBI request for victims of malware embedded in Steam games, and the allegations have not been proven in court.

Filed from: TechCrunch , FBI victim notice .

Meta Agents Generate 9.1 Billion Quarterly Requests on DataDome’s Network

DataDome measured 17.7 billion AI-agent requests across its network in the second quarter, up 45% from Q1, with Meta-ExternalAgent and Meta-WebIndexer producing 9.1 billion. The report covers more than 400 DataDome customers rather than the whole web, so its shares are not global traffic estimates.

Filed from: TechRadar , DataDome report .

AWS Billing Error Displays False Billion-Dollar Estimates

AWS acknowledged that a unit-pricing error in its estimated-billing computation system caused Cost Explorer and billing alerts to show grossly inflated figures. The company said the estimates did not reflect actual usage or charges and that it had mitigated the underlying issue while backfilling corrected data.

Filed from: The Register , AWS Health .

From the Community

Security researcher Christopher Childress disclosed that TP-Link Kasa Spot EC71 cameras returned precise GPS coordinates and hardware identifiers in response to an unauthenticated UDP packet on port 9999. The issue was assigned CVE-2026-13230 and patched in firmware 2.4.1; the report also documents fleet-wide RSA keys and unsalted MD5 credential storage.

Filed from: Research report .

Mozilla Publishes Its First State of Open Source AI Report

Mozilla’s first State of Open Source AI report says open-weight models handle a majority of production tokens on OpenRouter and cites a 3.3% capability gap to closed frontier models. The report also identifies five revenue models and says 89% of AI-enabled firms use open components; its framing reflects Mozilla’s open-source advocacy as well as the data it compiles.

Filed from: State of Open Source AI .

Kaiser Nurses Challenge AI-Backed Workplace Surveillance

Seven current and former Kaiser Permanente advice nurses told CalMatters that call-duration pressure and automated productivity monitoring can interfere with patient care; nurses also described a past pilot that rated empathy and tone. Kaiser said it does not use average handle time to assess performance and that its contact-center tools have human review and oversight, as contract negotiations begin with AI expected to be an issue.

Filed from: Local News Matters .

LG Monitors Trigger Software Installation Through Windows Update

Gamers Nexus reproduced reports that connecting certain LG monitors can cause Windows Update to install LG extension and software-component packages, followed by an LG application that promotes McAfee subscriptions without a prior consent prompt. The behavior appeared on both a new UltraGear 34GX900A-B and an older UltraFine 32UN880-B, while the promotion appeared during 31 of 32 consecutive boots in the test.

Filed from: VideoCardz , Gamers Nexus .

Topcoat Introduces a Server-Rendered Full-Stack Rust Framework

Topcoat is an experimental Rust framework for full-stack web applications that renders markup on the server, lets asynchronous components query databases without a separate API layer, and adds browser interactivity without a WebAssembly bundle or client build step. Its repository also includes optional route inference, asset bundling, and component re-rendering through shards, with breaking changes still expected.

Filed from: Topcoat repository .

Continue reading

Complete index →