Security Highlights Of The Day [28/01/26]

Critical Sandbox Escape Flaw Found In Popular vm2 NodeJS Library
A critical-severity vulnerability in the vm2 Node.js sandbox library, tracked as CVE-2026-22709, allows escaping the sandbox and executing arbitrary code on the underlying host system. The open-source vm2 library creates a secure context in which users can execute untrusted JavaScript code without access to the filesystem. vm2 has historically been used in SaaS platforms that support user script execution, online code runners, chatbots, and open-source projects, and appears in more than 200,000 projects on GitHub. The project was discontinued in 2023, however, due to repeated sandbox-escape vulnerabilities, and was considered unsafe for running untrusted code.
Source: BleepingComputer

Fortinet Blocks Exploited FortiCloud SSO Zero Day Until Patch Is Ready
Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions. The flaw allows attackers to abuse FortiCloud SSO to gain administrative access to FortiOS, FortiManager, and FortiAnalyzer devices registered to other customers, even when those devices were fully patched against a previously disclosed vulnerability.
Source: BleepingComputer

CISA Adds Five Known Exploited Vulnerabilities To Catalog
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. The newly added flaws include vulnerabilities affecting the Linux kernel, Microsoft Office, GNU InetUtils, and SmarterTools SmarterMail, underscoring continued exploitation of long-known and recently disclosed weaknesses across widely deployed software.
Source: CISA

Investigation Into International “ATM Jackpotting” Scheme Results In Additional Indictments
A federal grand jury in the District of Nebraska returned an additional indictment charging 31 individuals for their roles in a large conspiracy to deploy malware and steal millions of dollars from ATMs in the United States, a crime commonly referred to as ATM jackpotting. Fifty-six others had already been charged. The case involves Venezuelan and Colombian nationals, including members of the Tren de Aragua group, and includes charges related to bank fraud, bank burglary, computer fraud, and damage to protected computers.
Source: U.S. Department of Justice

SoundCloud Data Breach Exposes Email Addresses Of Millions Of Users
In December 2025, SoundCloud disclosed unauthorized activity that allowed attackers to map publicly available profile information to email addresses for approximately 20% of its users. The exposed data included tens of millions of email addresses, usernames, and related profile metadata. Attackers later attempted extortion before publicly releasing the dataset the following month.
Source: BleepingComputer
