Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

While the world worries about "jailbreaking" LLMs or preventing them from hallucinating, a critical new vulnerability has just reminded us of a fundamental truth: AI is just software, and software has bugs. A newly discovered critical flaw (CVE-2025-62164) in vLLM, one of the most popular libraries for serving large language models, allows attackers to achieve Remote Code Execution (RCE) or crash servers simply by sending a malicious API request. This isn't a failure of the AI model.

JFrog continues to track and provide updates on React2Shell at research.jfrog.com.

Part of the process of achieving ISO 27001 certification is creating the fundamental documents necessary to outline and prove your security. One of those fundamental documents is the SoA, or Statement of Applicability. The statement of applicability is a rundown of all of the ISO 27001 security controls, and a discussion of whether or not that control applies to your business.

The modern JavaScript ecosystem was shaken this week as Meta, Vercel, Google Cloud, AWS, and leading security researchers revealed two critical issues: CVE-2025-55182 and the downstream Next.js variant CVE-2025-66478. Both are rated CVSS 10 and allow remote code execution (RCE) by exploiting weaknesses in the React Server Components (RSC) “Flight” protocol. The vulnerabilities affect React 19 and all major frameworks embedding the RSC implementation, most notably Next.js 15.x and 16.x.

KnowBe4 is proud to announce that three of its leading security products — Security Awareness Training, PhishER/PhishER Plus and Compliance Plus — have been recognized as 2026 Buyer's Choice award winners by TrustRadius, a HG Insights company and buyer intelligence platform for business technology.

Researchers at Palo Alto Networks’ Unit 42 are tracking two new malicious AI tools, WormGPT 4 and KawaiiGPT, that allow threat actors to craft phishing lures and generate ransomware code. These tools are criminal alternatives to mainstream AI tools like ChatGPT, with no safety guardrails to prevent users from using them for malicious activities. The latest version of WormGPT offers lifetime access for $220, or a monthly fee of $50.

As organizations grow, so does the complexity of managing who has access to which apps and systems. For Atlassian teams, Jira and Jira Service Management (JSM) often serve as the central hub for operational workflows, yet access governance is still handled through scattered emails, manual approvals, or outdated processes. Access governance, simply put, is the system of ensuring that the right individuals receive the correct level of access at the right time.

Secrets don’t belong in plaintext. GitGuardian's Push-to-Vault automates vaulting exposed secrets, helping security teams scale governance and reduce incident fatigue.

Six months ago, we encountered a problem with no clear solution. We were building an AI agent inside a startup. When customer conversations were flowing in, we started looking for privacy tools that could keep up. Everything we found fell into one of three buckets: Somewhere in the middle of this, we caught ourselves looking for a simple, affordable way to mask data before it hits AI systems.

Cybersecurity in 2026 is entering its most transformative and volatile phase yet. For CISOs, the landscape is no longer defined only by web, network, and cloud threats. Instead, attackers now target AI/LLM systems, APIs, identity platforms, SaaS ecosystems and supply chains. The surge in attacks across applications, APIs, and GenAI systems indicates that adversaries are scaling faster, using automation, AI-assisted exploitation, and new social engineering vectors.