Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

According to a 2024 report from IoT Analytics, there were 16.6 billion Internet of Things (IoT) connected devices at the end of 2023, and that number is expected to grow to 41.1 billion by 2030. This means an increased attack surface for malicious actors to take advantage of, especially given that the security posture of the vendors that provide these devices varies greatly.

SCA tools often generate multiple CVEs for the same dependency, creating unnecessary tickets and slowing remediation. Aggregating those findings into a single fix helps AppSec teams reduce ticket sprawl and align security work with how developers actually resolve vulnerabilities.

The concentration of dangerous software flaws is accelerating. The number of high-risk vulnerabilities – those with both high severity and high exploitability – has surged by 36% year-over-year, according to the 2026 State of Software Security Report. This trend indicates a critical problem: more risk is entering your codebase faster than ever before.

OAuth and OpenID Connect are the backbone of modern cloud-native identity and access management. From SaaS platforms and internal APIs to Kubernetes microservices, these protocols are responsible for verifying who is allowed to access what. When a vulnerability appears in a widely used authentication library, the impact can cascade across entire application ecosystems.

A vulnerability assessment is a systematic process for identifying, classifying, and prioritizing security weaknesses across an organization's IT infrastructure, software, and hardware before attackers can exploit them.

Proactive instead of reactive. Are you tired of hearing that already? This phrase seems to appear in almost every elevator pitch. But when it comes to cybersecurity, anticipating threats is essential. Attackers are more professional, automated, and faster than ever. The damage they cause keeps growing, and the window you have after the first alarm to protect your organization is shrinking.

Why do 3,000 CVEs not mean 3,000 real problems? Most vulnerability scanners flag every CVE in your container images without checking whether the vulnerable code is actually loaded and executed at runtime. Only 2–5% of alerts typically require action, which means your team is likely spending days triaging theoretical risks while genuinely exploitable vulnerabilities stay buried.

A critical vulnerability has been discovered in Angular Server-Side Rendering (SSR) that could allow attackers to manipulate request handling and trigger unauthorized server-side requests. Tracked as CVE-2026-27739, the vulnerability arises from how Angular SSR reconstructs request origins using HTTP headers such as Host and X-Forwarded-*. In affected versions, these headers were not strictly validated before being used to build request URLs.

Security is traditionally a game of defense. You build walls, set up gates, and write rules to block traffic that looks suspicious. For years, Cloudflare has been a leader in this space: our Application Security platform is designed to catch attacks in flight, dropping malicious requests at the edge before they ever reach your origin. But for API security, defensive posturing isn’t enough. That’s why today, we are launching the beta of Cloudflare’s Web and API Vulnerability Scanner.

In December 2025, Cloudflare received reports of HTTP/1.x request smuggling vulnerabilities in the Pingora open source framework when Pingora is used to build an ingress proxy. Today we are discussing how these vulnerabilities work and how we patched them in Pingora 0.8.0. The vulnerabilities are CVE-2026-2833, CVE-2026-2835, and CVE-2026-2836. These issues were responsibly reported to us by Rajat Raghav (xclow3n) through our Bug Bounty Program.