CyberNews: 21/01/2026 Edition

Published by Dunateo on 2026-01-21

Today’s roundup

  • Tesla hacked, 37 zero-days demoed at Pwn2Own Automotive 2026
  • ACF plugin bug gives hackers admin on 50,000 WordPress sites
  • Chainlit AI Framework Flaws Enable Data Theft via File Read and SSRF Bugs
  • CERT/CC Warns binary-parser Bug Allows Node.js Privilege-Level Code Execution
  • LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords
  • Hackers target Afghan government workers with fake correspondence from senior officials
  • 'CrashFix' Scam Crashes Browsers, Delivers Malware
  • AI-supported vulnerability triage with the GitHub Security Lab Taskflow Agent
  • Experts Welcome Global Cybersecurity Vulnerability Enumeration Launch

Summary

    Security researchers successfully exploited 37 zero-day vulnerabilities in the Tesla Infotainment System during the Pwn2Own Automotive 2026 competition, earning $516,500. This marks a significant compromise of a major automotive brand's systems.

    A critical-severity vulnerability has been discovered in the Advanced Custom Fields: Extended (ACF Extended) plugin for WordPress. This flaw allows unauthenticated remote attackers to obtain administrative permissions on an estimated 50,000 WordPress sites.

    High-severity security vulnerabilities, collectively named "ChainLeak," have been uncovered in the popular open-source artificial intelligence (AI) framework Chainlit. These flaws could enable attackers to steal sensitive data, including cloud environment API keys and files, and facilitate server-side request forgery (SSRF) attacks, potentially leading to lateral movement within affected organizations.

    CERT/CC has issued a warning regarding a security vulnerability, CVE-2026-1245, in the widely used binary-parser npm library. This flaw, affecting all versions prior to 2.3.0, could result in arbitrary JavaScript code execution with the privileges of the Node.js process. Patches for the issue were released on November 26, 2025.

    LastPass is currently alerting its users to an active phishing campaign that impersonates the password management service. The campaign, which commenced around January 19, 2026, utilizes fake maintenance emails to trick users into creating local backups and subsequently surrendering their master passwords.

    Hackers are targeting Afghan government employees through a phishing campaign that distributes emails disguised as official correspondence from the office of the country’s prime minister, aiming to compromise government systems.

    A new malicious campaign, dubbed 'CrashFix,' has been identified, employing a NexShield malicious browser extension and social engineering techniques to crash browsers. The scheme ultimately delivers a Python-based Remote Access Trojan (RAT) to victims' systems.

    The GitHub Security Lab has implemented an AI-supported vulnerability triage system using its Taskflow Agent framework. This system utilizes large language models (LLMs) to automate the triaging of code scanning alerts, successfully identifying approximately 30 real-world vulnerabilities in GitHub Actions and JavaScript projects since August.

    A new international service, the Global Cybersecurity Vulnerability Enumeration (GCVE), has been launched. This initiative offers an alternative to the existing US-led Common Vulnerabilities and Exposures (CVE) system, with the goal of streamlining and enhancing global vulnerability management processes.

    Vulnerabilities

    CVE-2026-1245 Critical