RSS Aggregator

Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE

The Hacker News - 10 June 2026 - 17:00
A high-severity security flaw in Langflow, an open-source low-code platform for building artificial intelligence (AI) applications, has come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability in question is CVE-2026-5027 (CVSS score: 8.8), a path traversal flaw that could allow an attacker to write files to arbitrary locations. "The 'POST /api/v2/
Category: Hacking & Security

China-linked JDY botnet expands targeting of U.S. military networks

Bleeping Computer - 10 June 2026 - 17:00
The JDY botnet, a malware network previously associated with Chinese threat actors like Volt Typhoon, has significantly expanded its targeting scope and reconnaissance efforts. [...]
Category: Hacking & Security

Actively Exploited Chromium V8 Zero-Day: What Linux Admins Need to Know

LinuxSecurity.com - 10 June 2026 - 16:51
CISA added CVE-2026-11645 to its Known Exploited Vulnerabilities catalog after Google confirmed active exploitation of the flaw. The bug sits in V8, the JavaScript engine behind Chrome and Chromium.
Category: Hacking & Security

Claude Mythos 5 and Fable 5 are the best AI in the world. So good that Anthropic had to censor them

Živě.cz - 10 June 2026 - 16:45
The revolutionary Mythos model is now available to the public in a modified form. • It excels at programming, general knowledge and scientific research. • GPT-5.5 and Gemini 3.1 Pro cannot match it.
Category: IT News

CISA Adds Cisco, Chrome, and Arista Flaws to KEV Catalog Amid Active Exploitation

The Hacker News - 10 June 2026 - 16:44
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation. The list of vulnerabilities is as follows - CVE-2026-20245 (CVSS score: 7.8) - An improper encoding or escaping of output vulnerability in Cisco Catalyst SD-WAN Manager that could allow an
Category: Hacking & Security

ČEZ will turn Orlík into a giant battery. The fourth large pumped-storage plant will be built by 2033

Živě.cz - 10 June 2026 - 16:12
ČEZ will convert the Orlík power plant into the fourth pumped-storage plant in the Czech Republic • Pumping water up from Kamýk, two turbines will store 750 MWh, enough for 80 thousand households • The eight-billion-crown modernization begins in 2027 and finishes six years later
Category: IT News

The 5 Best Practices for Secure Identity Verification

Bleeping Computer - 10 June 2026 - 16:05
Attackers are increasingly bypassing weak authentication through phishing, MFA fatigue, and service desk social engineering. Specops Software breaks down five best practices for stronger identity verification and access security. [...]
Category: Hacking & Security

Asterinas and Asterinas NixOS

AbcLinuxu [news] - 10 June 2026 - 15:48
Asterinas (GitHub) is an operating system kernel written in Rust that provides an ABI compatible with the Linux kernel. Version 0.18.0 has been released. The first distribution built on the Asterinas kernel is Asterinas NixOS. It is not an official NixOS project and has nothing to do with the NixOS Foundation.
Category: GNU/Linux & BSD

Microsoft patches Exchange Server zero-day exploited in attacks

Bleeping Computer - 10 June 2026 - 15:44
Microsoft has patched an actively exploited Exchange Server vulnerability that allows threat actors to execute arbitrary JavaScript code in cross-site scripting (XSS) attacks targeting Outlook Web Access users. [...]
Category: Hacking & Security

GitHub pulls pin on npm's auto-run scripts

The Register - Anti-Virus - 10 June 2026 - 15:11
GitHub will change npm's defaults so the install command no longer runs scripts automatically, disabling a feature commonly exploited by malicious packages such as the notorious Shai-Hulud worm.

Maintainer Leo Balter said: "Install-time lifecycle scripts are the single largest code-execution surface in the npm ecosystem. Every npm install runs scripts from every transitive dependency, so a single compromised package anywhere in your tree can execute arbitrary code on a developer machine or CI (continuous integration) runner."

In npm 12, due in July, three security-focused defaults are changing. Scripts configured for preinstall, install, or postinstall will no longer run unless explicitly permitted via allow-scripts. The --allow-git flag, which pulls dependencies from remote URLs, will default to off, closing an attack path where a malicious .npmrc file could override the Git executable and achieve arbitrary code execution. Finally, allow-remote will default to none, blocking dependency downloads from remote URLs entirely.

It will still be possible to allow scripts to run via an allowlist in the package.json configuration file. This will be pinned to the installed version of a package by default.

These are breaking changes, and Balter recommended that developers run the commands to allow scripts for every currently installed package in a project that requires them. "This gets you protected against new, unexpected scripts immediately," he said. The next step is to review these packages and deny scripts for those where they are not needed. Some packages require script approval to function, including native modules that compile on install, testing tools like Playwright and Puppeteer (which fetch binaries via postinstall), and Electron, which wraps the Chromium browser engine for cross-platform desktop applications.

These features have been available since npm version 11.10.0, released in February, but as opt-in flags rather than defaults. That version also introduced min-release-age, which blocks installation of package versions newer than a specified number of days, designed as a safeguard against newly published malicious packages. Best security practice for developers using npm 11.16, the current version, is to turn these flags on in .npmrc or via environment variables, which will also prepare a project for the changes in version 12.

One annoyance is that the existing ignore-scripts flag does not support an allowlist, other than via an additional tool. The ignore-scripts setting overrides allow-scripts, so developers will need to remove it, if set to true, for approved scripts to run. The allowScripts setting exists in npm 11 but is advisory only.

Will this fix npm security issues? Unfortunately not. "Now all the malware can move from the install script to the module itself where it will inevitably still be run," said one developer. Another common view is that developers should use pnpm, which already has safer defaults than npm, including a minimum release age. There is consensus, though, that these changes do improve npm security and are long overdue. The pull request for this change includes the remark that "npm is the only remaining major package manager that runs dependency install scripts by default. pnpm v10+, Yarn Berry, Bun, and Deno all block them."
Category: Viruses & Worms

Language barriers will fall. Gemini 3.5 Live Translate translates 70 languages, including Czech, straight into your earphones

Živě.cz - 10 June 2026 - 14:45
Gemini 3.5 Live Translate is an audio model for real-time translation. • It supports more than 2000 language pairs. • It preserves the speaker's intonation, tempo and pitch.
Category: IT News

We pick the best board games. Quick family games and grand strategies for demanding players

Živě.cz - 10 June 2026 - 14:15
Our selection includes board games across price ranges, genres and difficulty levels. You can choose anything from epic campaign games to simple card games.
Category: IT News

The end of digital detox in the clouds. Wizz Air tempts with fast internet from Starlink, but is keeping the price secret for now

Živě.cz - 10 June 2026 - 13:45
Wizz Air announced that in 2027 it will begin equipping its aircraft with internet connectivity via the Starlink satellite service. Passengers should thus have high-speed, low-latency internet during the flight. The Hungarian carrier claims it will be the first European low-cost airline to ...
Category: IT News

Microsoft: Some Windows PCs fail to install latest monthly updates

Bleeping Computer - 10 June 2026 - 13:33
Microsoft warned customers on Tuesday that they may have issues installing the latest monthly updates on some Windows devices that were upgraded to Windows 11 24H2 or 25H2. [...]
Category: Hacking & Security

Critical vulnerability in nf_tables (CVE-2026-23111)

AbcLinuxu [news] - 10 June 2026 - 13:27
The critical vulnerability in nf_tables (CVE-2026-23111) has been analysed in detail. It is another local privilege escalation on Linux. The vulnerability was already fixed upstream in February; in the source code, removing a single exclamation mark was enough.
Category: GNU/Linux & BSD

Why I’m leaving Copilot for Gemini

Computerworld.com [Hacking News] - 10 June 2026 - 13:22

I’ve been using and writing about Microsoft Copilot since it was publicly released in 2023. I’ve reviewed it, written articles about using it more effectively, explained how to curb hallucinations in it and other similar tools, and detailed how to use it in concert with Microsoft 365. It’s also been my go-to generative AI (genAI) tool for personal projects and advice.

But the time has come for me to leave it behind for my personal use. It’s become abundantly clear that for those tasks, Google Gemini is better. Here’s why.

Copilot is inept at solving a tech problem

Like many people who know something about technology, I'm the IT staff for friends and family. I've often used Copilot to help solve issues I can't fix myself. Sometimes Copilot helps. And other times… well, the last time I turned to it for troubleshooting advice is when I realized it was time to abandon Copilot.

My wife had bought a new iPhone, and I noticed she was receiving texts sent to her email address but hadn’t received any sent to her phone number. I asked Copilot for help.

I won’t go into the details of the wild goose chase Copilot sent me on — I’ll just offer a few lowlights. It first told me, with absolute authority, that there are “only two real explanations” for the problem and asked me to look at several settings to confirm which explanation would fix the issue.

It turned out that neither of the “two real explanations” were the cause. Undeterred, Copilot assured me, again with complete confidence, that it was going to send me “straight to the switch” that would immediately solve the problem.

I tried it. The switch didn't work. Neither did the "final fix" it promised me. Nor did any of the many other "solutions" it offered after that so-called final fix. For more than an hour, it flailed with utter confidence and utter futility trying to diagnose and fix the problem.

And then came the final indignity: After doing some digging, I realized Copilot was trying to solve the problem based on an old version of iOS, not the current one on my wife’s phone. When I confronted Copilot about that, it briefly apologized and promised it knew the solution: I had to call the cellphone carrier.

That was it for me. I’d had enough. I turned to Gemini for help. 

Thirty seconds later, Gemini diagnosed the problem and recommended a simple fix, which didn’t require a call to my phone carrier. It worked like a charm. Gemini had solved a tech problem in 30 seconds that Copilot couldn’t resolve after an hour. 

Copilot whiffs on personal research 

I often used Copilot for personal research projects. A recent one involved Parisian neighborhoods in the 1870s. I was looking for information about the area around the Saint-Lazare train station. When I asked Copilot, it told me the area was dangerous and poverty-ridden back then, with poor housing whose exteriors were heavily stained by coal smoke from arriving and departing trains.

That didn't sit right with me. I recalled a well-known painting, Paris Street; Rainy Day by the Impressionist painter Gustave Caillebotte, which depicted the neighborhood in the 1870s as wealthy and fashionable, filled with elegant Haussmann-style apartment buildings. I asked both Gemini and Claude about the neighborhood in the 1870s. They both told me it was expensive, fashionable and sought after by the well-off. I confirmed that with my own follow-up research.

Once again, Copilot had whiffed.

Copilot gives bad scheduling advice

I swim for exercise three or four times a week at my health club’s indoor pool. The club closed the pool for several months, so I decided to swim at the pool of an elementary school a short walk from my house. I hadn’t exercised there before and wanted to find the times on Monday through Friday when the pool would be least crowded. I asked Copilot for help.

As always, Copilot spoke with a solid air of authority. And once again, it was wrong. It told me that the least crowded time for public swimming on weekdays was between 11:30 a.m. and 12:30 p.m. or between 12:00 p.m. and 1:00 p.m.

On one count it was right: the pool would certainly not be crowded with public swimmers at those times. Because the pool doesn’t open to the public until 3 p.m. 

I turned to Gemini, which told me that 3 p.m., when the pool opened, would be the least-crowded time. Claude was no help. It demurred and said it didn't know the answer, a rare, refreshing admission of ignorance from a chatbot.

Gemini was on target again — 3 p.m. did indeed turn out to be the least-crowded time to swim. I often get a lane to myself, and at worst have to split a lane with one other swimmer. I asked several lifeguards if 3 p.m. was the least-crowded time on weekdays; they all confirmed it was.

Bye-bye, Copilot

For all those reasons, when it comes to personal research and advice, I’ve abandoned Copilot. I typically use Gemini now, although on occasion, I ask for a second opinion from Claude.

For my Computerworld work, I’ll keep using Copilot, and continue to write reviews of it, offer advice on how to use it and keep you informed about the latest news about it.

But other than that, for my personal use, Copilot is dead to me.

Category: Hacking & Security

Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9

The Register - Anti-Virus - 10 June 2026 - 13:04
It's patch time for Ivanti customers again after the security shop disclosed another two critical vulnerabilities in one of its products. Both bugs affect Ivanti Sentry, a mobile gateway that forms part of its broader unified endpoint management platform.

The first and worst of the two is CVE-2026-10520 (CVSS 10.0), a maximum-severity vulnerability that allows a remote, unauthenticated attacker to execute code with root privileges. Flaws that allow root-level code execution without authentication are about as bad as vulnerabilities get, which explains the perfect-10 rating. The only saving grace is that, by the vendor's reckoning, no one has successfully exploited it in the wild… yet.

Public disclosures tend to start a figurative countdown timer when it comes to attackers exploiting bugs, and although Ivanti gave little away about CVE-2026-10520 in its advisory, other researchers have already published breakdowns of the patch, offering clues as to how unpatched systems could still be attacked. According to watchTowr, the vulnerability stemmed from an exposed API running under Apache Tomcat. An attacker could feed the API a specially crafted message, which is parsed as a MICS configuration command and executed by the backend handler with root privileges. It looks like Ivanti fixed this by no longer accepting the attacker-supplied string, replacing it with a single, hard-coded command. It also updated the Apache configuration rules to block unauthenticated access to the affected endpoint.

The second critical Ivanti Sentry vulnerability is tracked as CVE-2026-10523 and is scarcely less serious, carrying a near-maximum CVSS score of 9.9. The authentication bypass bug allows remote, unauthenticated attackers to create admin accounts, granting themselves top privileges on an affected system.

Customers are advised to address both security flaws immediately. They can upgrade to versions 10.5.2, 10.6.2, or 10.7.1.

Ivanti's disclosure this week comes after it fixed two separate critical vulnerabilities affecting its Endpoint Manager Mobile (EPMM) in January. The bugs were both handed 9.8 CVSS scores and were exploited as zero-days. Even the Dutch data protection authority reported itself to parliament after attackers breached it as part of the pre-patch exploits.
Category: Viruses & Worms

The best TV for 10 thousand crowns. Hisense tempts with MiniLED, a good picture, a long warranty and IPTV

Živě.cz - 10 June 2026 - 12:45
The 55" Hisense MiniLED TV has dropped in price to 9,992 CZK. • It has high brightness, 144 Hz, decent HDR and good sound. • As a gift you get a five-year warranty and a one-year AntikTV subscription.
Category: IT News

Your Automated Pentest Looks Clean. See What It Missed in This Expert Webinar

The Hacker News - 10 June 2026 - 12:27
Your pentest report looks clean. That might be the problem. Run automated pentesting long enough, and the new findings start to dry up. By the third or fourth run, fewer issues appear. The report looks stable. Leadership reads "stable" as "secure." It usually isn't. The work slows down. The risk does not. That gap is what a webinar from The Hacker News and Picus Security sets out to close.
Category: Hacking & Security

EC orders Meta to restore free access for competing AI assistants to WhatsApp

AbcLinuxu [news] - 10 June 2026 - 12:11
The European Commission (EC) has ordered the American company Meta to once again allow competing general-purpose artificial intelligence (AI) assistants free access to WhatsApp, and to maintain that access until its antitrust investigation concludes. The measure is temporary and is intended to prevent serious and irreversible harm to competition in the rapidly growing market for general-purpose AI assistants. Meta said it will appeal the decision.
Category: GNU/Linux & BSD