Ai-Security
- Security: Vulnerabilities, Supply Chain, and the Defence Landscape
A living signal tracking infosec: CVEs worth knowing, supply chain attacks, cloud security incidents, AI/agentic security risks, and practical mitigations for engineering teams. This week: Citrix NetScaler CVE-2026-3055 (CVSS 9.3) allows unauthenticated session token extraction from SAML appliances; BeyondTrust CVE-2026-1731 now confirmed in active ransomware campaigns; AnythingLLM ships a textbook SQL injection; LAPSUS$ claims a 3GB AstraZeneca breach.
- Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website
A DOM-based XSS flaw in the Arkose Labs CAPTCHA component on claude.ai's subdomain enabled zero-click prompt injection from any website via a legitimate Google ad. No user interaction required.