
Vuln in Google’s Antigravity AI agent manager could escape sandbox, give attackers remote code execution

By: djohnson
20 April 2026 at 17:17

As organizations consider agentic AI for their business and IT stacks, researchers continue to find bugs and vulnerabilities in major commercial models that can significantly expand an organization’s attack surface.

This week, researchers at Pillar Security disclosed a vulnerability in Antigravity, an AI-powered developer tool from Google that performs filesystem operations on the developer’s behalf.

The bug, since patched, chained prompt injection with Antigravity’s permitted file-creation capability to give an attacker remote code execution.

The research details how the exploit circumvented Antigravity’s Secure Mode, Google’s highest security setting for its agents, which runs all command operations through a virtual sandbox, throttles network access and prohibits the agent from writing code outside the working directory.

Secure Mode is meant to limit the agent’s access to sensitive systems and its ability to carry out malicious or dangerous actions through shell commands. But one of the file-searching tools Antigravity uses, “find_by_name,” is classified as a “native” system tool. That means the agent can execute it directly, before protections like Secure Mode ever get to evaluate the command-level operation.

“The security boundary that Secure Mode enforces simply never sees this call,” wrote Dan Lisichkin, an AI security researcher with Pillar Security. “This means an attacker achieves arbitrary code execution under the exact configuration a security-conscious user would rely on to prevent it.”

The prompt injection can be delivered through compromised identity accounts connected to the agent, or indirectly, by hiding instructions inside open-source files or web content the agent ingests. Antigravity has trouble distinguishing the data it ingests for context from literal prompt instructions, so compromise requires no elevated access: it is enough to get the agent to read a malicious document or file.

According to a disclosure timeline provided by Pillar Security, the bug was reported to Google on Jan. 6 and patched on Feb. 28, with Google awarding a bug bounty for the discovery.

Lisichkin said the same pattern, prompt injection through unvalidated input, has been found in other AI coding agents such as Cursor. In the age of AI, any unvalidated input can become a malicious prompt capable of hijacking internal systems.

“The trust model underpinning security assumptions, that a human will catch something suspicious, does not hold when autonomous agents follow instructions from external content,” he wrote.

The fact that the vulnerability completely bypassed Google’s Secure Mode underscores why the cybersecurity industry must adapt and “move beyond sanitization-based controls.”

“Every native tool parameter that reaches a shell command is a potential injection point. Auditing for this class of vulnerability is no longer optional, and it is a prerequisite for shipping agentic features safely,” Lisichkin wrote.
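To make the bypass concrete, the following is an added illustration written for this page; it is not Antigravity’s or Pillar Security’s code, and every name in it (the gate, the tool functions, the workspace layout, the injected parameter) is an assumption. It models an agent with two execution paths: an “official” command tool that passes through a Secure Mode style gate, and a “native” find-by-name tool that builds its own shell string and never touches the gate. A constructed parameter of the kind an indirect prompt injection could supply executes an extra command through the native path while the gate blocks the same payload on the official path; the hardened version of the tool validates the parameter and passes it as a single argv element so no shell ever parses it.

```python
"""Toy agent tool dispatcher (added illustration, not Antigravity's code).

Two execution paths: `run_command_tool` goes through a Secure Mode style gate;
the 'native' `find_by_name` tool shells out on its own and never touches it.
All names, the gate logic and the payload are assumptions for the example.
"""
import re
import subprocess
import tempfile
from pathlib import Path


class PolicyViolation(Exception):
    """Raised when a command or parameter is rejected by policy."""


# Characters that let a single shell string carry more than one command.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n]")

# Allow-list for a filename glob: no quotes, spaces or shell metacharacters.
SAFE_GLOB = re.compile(r"^[A-Za-z0-9_.*?\[\]-]+$")


def secure_mode_gate(command: str) -> str:
    """Hypothetical Secure Mode check. Only commands routed through
    run_command_tool pass here; a native tool that shells out on its own
    is invisible to it."""
    if SHELL_METACHARS.search(command):
        raise PolicyViolation(f"Secure Mode blocked: {command!r}")
    return command


def run_command_tool(command: str, workdir: str) -> str:
    """The 'official' command path: gated, then executed."""
    gated = secure_mode_gate(command)
    return subprocess.run(gated, shell=True, cwd=workdir,
                          capture_output=True, text=True).stdout


def find_by_name_vulnerable(pattern: str, workdir: str) -> str:
    """Native tool, vulnerable form: the model-controlled `pattern` is
    interpolated into a shell string and run with shell=True, so a quote and
    a ';' inside it end the find command and start a new one."""
    cmd = f"find . -name '{pattern}'"          # no gate, no escaping
    return subprocess.run(cmd, shell=True, cwd=workdir,
                          capture_output=True, text=True).stdout


def find_by_name_hardened(pattern: str, workdir: str) -> str:
    """Same tool, fixed: validate the parameter against an allow-list and
    hand it to find as one argv element, so no shell parses it."""
    if not SAFE_GLOB.fullmatch(pattern):
        raise PolicyViolation(f"rejected find_by_name pattern: {pattern!r}")
    return subprocess.run(["find", ".", "-name", pattern], cwd=workdir,
                          capture_output=True, text=True).stdout


def demo() -> dict:
    """Run all three paths on a constructed workspace with a constructed
    injected parameter (what an indirect prompt injection could supply)."""
    # Constructed payload: closes the quote, keeps find happy, then runs echo.
    injected = "notes.md' -o -name '' ; echo INJECTED ; echo '"
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        Path(workdir, "notes.md").write_text("constructed sample file\n")

        # 1. Official path: the gate sees the ';' and refuses.
        try:
            run_command_tool("find . -name notes.md ; echo INJECTED", workdir)
            results["gate_blocked"] = False
        except PolicyViolation:
            results["gate_blocked"] = True

        # 2. Native tool: the gate is never consulted, the payload runs.
        results["vulnerable_output"] = find_by_name_vulnerable(injected, workdir)

        # 3. Hardened native tool: payload rejected, honest query still works.
        try:
            find_by_name_hardened(injected, workdir)
            results["hardened_rejected"] = False
        except PolicyViolation:
            results["hardened_rejected"] = True
        results["hardened_output"] = find_by_name_hardened("*.md", workdir)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the example is where the check sits, not how strict it is: the gate in `secure_mode_gate` is only as good as the set of call sites routed through it, and a native tool that reaches `subprocess` directly is exactly the “native tool parameter that reaches a shell command” Lisichkin describes. Auditing for this class means enumerating every tool that can spawn a process, not tuning the filter.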

The post Vuln in Google’s Antigravity AI agent manager could escape sandbox, give attackers remote code execution appeared first on CyberScoop.

Veeam issues patch to close critical remote code execution flaw

By: Greg Otto
7 January 2026 at 10:33

Veeam has released an update to fix a security flaw in its Backup & Replication software that could let certain users run code on affected systems.

The main issue, tracked as CVE-2025-59470, affects all Veeam Backup & Replication version 13 builds, according to a security advisory released Tuesday. Veeam said older product lines, including 12.x and earlier, are not affected by the vulnerabilities listed.

Veeam said the flaw could allow someone with the “Backup Operator” or “Tape Operator” role to carry out remote code execution by sending a malicious “interval” or “order” setting. The company said that would let the attacker run commands as the “postgres” user, the account used by the product’s database.

The vulnerability has a CVSS score of 9.0, which is typically labeled “critical.” Veeam, however, said it is treating the flaw as high severity because it can only be used by someone who already has one of those operator roles.

“The Backup and Tape Operator roles are considered highly privileged roles and should be protected as such,” Veeam said in the advisory. The company added that following its security guidelines can reduce the chance of the issue being exploited.

Veeam’s documentation describes the permissions tied to those roles. A Backup Operator can start and stop existing backup jobs and export or copy backups, including creating VeeamZip backups. A Tape Operator can run tape backup and tape catalog jobs, eject tapes, import and export tapes, move tapes between media pools, copy or erase tapes and set a tape password.

Veeam said the flaw was found during internal testing. The advisory does not say if the company has seen it being used in attacks.

Veeam said the update also patches other vulnerabilities, but CVE-2025-59470 is the only one with a “critical” score.

Veeam Backup & Replication is used by organizations to make copies of important data and applications so they can be restored after cyberattacks, hardware failures or other disruptions.

The full advisory can be found on Veeam’s website.

The post Veeam issues patch to close critical remote code execution flaw appeared first on CyberScoop.

Strutting your stuff – Unauthenticated Remote Code Execution

By: BHIS
10 March 2017 at 14:48

Carrie Roberts // Unauthenticated Remote Code Execution? A hacker’s best friend. And that is what we have with CVE-2017-5638 Apache Struts with working exploit code here: https://github.com/rapid7/metasploit-framework/issues/8064 Save the exploit […]

The post Strutting your stuff – Unauthenticated Remote Code Execution appeared first on Black Hills Information Security, Inc.
