MITRE has published the list of Top 25 most common software vulnerabilities of 2025, also known as the CWE Top 25

CWE - 2025 CWE Top 25 Most Dangerous Software Weaknesses

Common Weakness Enumeration (CWE) is a list of software and hardware weaknesses.

Looks like Notepad++ has fixed its update system:

Community

Notepad++ v8.8.9: Vulnerability-fix

Notepad++ release 8.8.9 is available: https://notepad-plus-plus.org/news/v889-released/ Notepad++ v8.8.9 new security enhancement, new features, re...

This is after reports that users received malicious Notepad++ updates containing malware: https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9

Some phishers have taken inspiration from Russian cyber-espionage group UTA0355 and are using a technique that tricks users into sharing their OAuth material in a web page (UAT0355 did it via email replies)

Push Security

ConsentFix: Browser-native ClickFix hijacks OAuth grants

Analysing "ConsentFix", a new browser-native attack technique we

Google is rolling out a new feature for Android users that will let them share live video with emergency services. The new feature is being rolled out in the US and some regions in Mexico and Germany. It will be available for Android 8 (2017) devices or higher

Google

Share live video with emergency services to get the help you need

During an emergency call or text, a dispatcher can send a request to your Android phone to share live video.

More research of this type Intruder found 43k secrets across 5 million single-page apps: https://www.businesswire.com/news/home/20251211585215/en/Intruder-Uncovers-New-Secrets-Detection-Techniques-Finds-Thousands-of-Exposed-Tokens-Unaddressed-by-Traditional-Methods Bitsight has found more than 1,000 MCP servers exposed on the internet with no authorization in place and exposing sensitive data:

Bitsight

Exposed MCP Servers: New AI Vulnerabilities & What to Do | Bitsight

Bitsight TRACE research team found roughly 1,000 exposed MCP servers with no authorization in place, revealing new AI vulnerabilities. Read the rep...

View quoted note →

CA/B Forum to sunset 11 domain validation methods used to issue TLS certificates

Google Online Security Blog

HTTPS certificate industry phasing out less secure domain validation methods

Posted by Chrome Root Program Team Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the...

UK ICO fines LastPass £1.2m for 2022 data breach

Password manager provider fined £1.2m by ICO for data breach affecting up to 1.6 million people in the UK

The Information Commissioner’s Office (ICO) has fined password manager provider LastPass UK Ltd £1.2 million following a 2022 data brea...