
Security Vulnerabilities in Phishing URLs, n8n Command Injection, and Android Update Policy Changes
The February 6, 2026 edition of the SANS Internet Storm Center Stormcast covers three main security topics. First, a phishing technique uses technically invalid URLs that still work in browsers but evade security tools. These URLs use ampersands followed by random characters instead of the standard format with question marks. According to RFC 3986, URLs must be delimited by spaces, angle brackets, or double quotes, but browsers tolerate these variations. Second, n8n has an OS command injection vulnerability that allows anyone who can create a workflow to execute system commands. It is a variation of a December flaw that had not been properly fixed. Third, the February Android update contains no security patches for the base system. Google is changing its policy: only patches for critical vulnerabilities will be published monthly, and the others quarterly. WatchGuard has also released a patch for an LDAP injection in Firebox that can be used to bypass authentication, given a partial identifier and a valid passphrase.
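A defensive check for the phishing URLs described above, added here as an example and not taken from the Stormcast or any vendor tool: it extracts URLs from a message body and flags those that carry ampersand-introduced tokens without a `?`, which a standard parser files under the path instead of the query string. The function names, verdict labels, regexes and the `example.test` sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Rough URL matcher for message bodies: a URL ends at the delimiters
# named above (whitespace, angle brackets, double quotes).
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)
# A token introduced by '&', as it would normally appear inside a query string.
AMP_TOKEN_RE = re.compile(r'&[^&/?#]+')

def classify(url):
    """Return (verdict, tokens) for one URL; the verdict is a triage hint only."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # e.g. malformed IPv6 brackets: hand to an analyst rather than skip
        return "unparseable", []
    if parts.query:
        # '?' present: parameters sit where query-based tooling looks for them
        return "ok", []
    # No '?': everything after '&' is parsed as authority or path, so rules
    # that only inspect the query string see an empty value here.
    tokens = AMP_TOKEN_RE.findall(parts.netloc + parts.path)
    if tokens:
        # Legitimate paths can contain '&' (e.g. /R&D/), so review, don't block
        return "suspicious", tokens
    return "ok", []

def scan(text):
    """Classify every URL found in a message body."""
    return [(url, *classify(url)) for url in URL_RE.findall(text)]

# Constructed sample message, not real phishing data.
SAMPLE = (
    'Invoice ready: https://login.example.test/verify&k3Jx9QpL2 '
    'Docs: https://docs.example.test/search?q=rfc3986&page=2 '
    'About: <https://example.test/about>'
)

if __name__ == "__main__":
    for url, verdict, tokens in scan(SAMPLE):
        print(f"{verdict:11} {url} {tokens}")
```
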