Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

A Russia-linked threat actor widely tracked as APT28 leveraged a zero-day vulnerability in Microsoft’s MSHTML engine, tracked as CVE-2026-21513, in targeted operations before a security patch was made available. The vulnerability enabled remote code execution through crafted content rendered by the Windows MSHTML component, which remains embedded across supported Windows systems. The exploitation occurred in targeted spear-phishing campaigns aimed at diplomatic and defense-aligned organizations.

Aikido Attack, our AI pentest product, found a WebSocket hijacking vulnerability in Storybook's dev server that can lead to persistent XSS, remote code execution, and, in the worst case, supply chain compromise. Storybook's WebSocket server has no authentication or access control, so if the dev server is publicly accessible, an attacker can exploit this without any user interaction at all. In the more common local setup, a developer just has to visit the wrong website while Storybook is running.

Have you ever left your home without checking if all the windows were closed? And have you ever sat in the office wondering whether you turned off the stove? When it comes to our own homes, most of us care a lot about safety. But what about corporate IT? Have you turned off the virtual stove and secured all doors and windows against unauthorized access? Do you even know how many doors and windows exist in your IT environment?

On February 24, 2026, sooperset, the mcp-atlassian project maintainer, released fixes for a critical vulnerability in mcp-atlassian, tracked as CVE-2026-27825. The flaw arises from missing directory confinement and inadequate path traversal validation in the Confluence attachment download tools which could allow a remote (network-adjacent), unauthenticated threat actor to write files to arbitrary paths, enabling local privilege escalation and remote code execution.