Charging is done via the same type of power adapter that the Sora 70 uses: a proprietary, blocklike connector that slides into a hatch on the rear of the device. A hinged port cover opens automatically when you slide the adapter into it and snaps shut when it’s removed. It’s not as convenient as a plugless charging dock, but it’s close, obviating the need for screw-on port covers or other waterproofing systems that have to be manually manipulated.

ScreenshotBeatbot app via Chris Null

In the water, the unit offers a scant three operational modes—floor mode, standard mode (which handles floor, wall, and waterline), and eco mode (which runs a floor-only cleaning for 45 minutes every 48 hours). Both floor and standard mode offer three running-time options: two hours, three hours, or max (i.e., run until the battery’s almost dead). These can all be selected through the Beatbot app, which is available via Bluetooth or either 2.4 GHz or 5 GHz Wi-Fi. You’ll also need to set up Wi-Fi for firmware updates.

A Capable Cleaner

I spent the better part of a week testing the Sora 30 with both organic and synthetic debris and found the robot to be quite capable. Contrary to expectations, I encountered no issues with even heavier debris days, and the Sora 30 was able to suck up leaves and dirt with an average 95 percent coverage rate. It worked reasonably well on steps and platforms and is rated to run in water as shallow as 8 inches. Note that there’s no artificial intelligence or a camera that can detect debris on the fly here. This robot just goes back and forth the best it can, which turns out to be pretty good.

The only performance struggles I witnessed were in a single sharp corner area near the pool’s steps, where debris seemed to be pushed aside, unable to be effectively collected. In fact, all of the uncollected material in my test runs would inevitably end up in this one location. (The good news is that this was in the shallow end, making it easy to scoop up with a net.) It’s tough to say whether truly massive amounts of debris or larger items like twigs and branches would impact its operation to the degree the box suggests, but nothing I saw suggested this poolbot was significantly less powerful than most other devices on the market, especially in its price band.

Photograph: Chris Null

In 2021, I was a demoralized educator: not burnt out, but demoralized. As I shared in my first article for EdSurge, demoralization occurs when teachers “encounter consistent and pervasive challenges to enacting the values that motivate their work.”

That year, the pervasive challenges seemed obvious and communal. We were all navigating online platforms, figuring out how to replicate student services virtually and struggling to make up for lost time in instruction, social-skill development and relationship-building for when students returned to in-person schooling.

When I think about what feels most pressing now, it seems those challenges persist but are perhaps less obvious to society at large. As the authors of “Going the Distance: The Teaching Profession in a Post-COVID World (2024)” wrote:

Right now, I believe teaching is the most important thing we can do. When the world is on fire, what feels most pressing is teaching students to claim their humanity and helping educators understand how much the communal learning experience matters. Five years later, I have come full circle.

This time, I return to that same claim with a broader and deeper understanding of what makes a school. We use that old adage, “It takes a village…” More and more, I see that we, as school communities, are the village and the villagers that we need right now. What really makes a school more human is not just the principals and teachers, but the child welfare staff, paraeducators, campus supervisors, guidance counselors, cafeteria workers, coaches, librarians, custodians and secretaries. The list is long, but it feels necessary to name the people on campus who make students feel like they belong, support them and have their backs when students need it. These are the colleagues who have shown me what it is like to truly model humanity to our students.

The truth is that the onus is on all of us to create an environment in which mutual respect and empathy are the baseline expectations. So, as an instructional coach, as a leader and as a voice of change in this context, what can I do? How do I communicate to teachers that, while they have been beaten down and blamed for society’s ills, they also have the herculean task of helping students learn how to be human together?

In 2021, I said that I was demoralized. In 2026, I am revitalized and committed to my role as an educator, instructional coach and teacher advocate.

Since participating in the inaugural cohort of the Voices of Change fellowship, I have contributed essays to The California Educator, Edutopia and EdSurge. I have joined podcast panels to talk about social-emotional learning, culturally responsive teaching and civil discourse in the classroom.

This fellowship showed me the power of personal writing for representation and advocacy. I have started to write children’s books about my own neurodivergent children. I have presented at local and state conferences and will continue to use my voice and my words to advocate for students, for educators, for quality professional development and schools that model the best of humanity. Writing for the Voices of Change fellowship has helped me claim my voice, my humanity and my power.

• Anker unveils THUS
• The new chip uses Computer in Memory
• It could enable larger AI models on lower-powered devices

Anker is getting into the silicon business, specifically building a CIM (Compute In Memory) solution that will support onboard large model processing inside tiny, low-powered Bluetooth earbuds.

THUS is Anker’s first step in a long-term plan to bring local, large-model AI to mobile, wearable, and IoT technologies. Anker’s chip technology relies on Neural network-style computing, eschewing the traditional compute architecture in which the CPU processes the commands based on data and instructions it derives from memory. The transit from one to the other is an energy-intensive process. Neural Networks, like the human brain, don’t really respect that division. Letting it all work in one place saves considerable energy. That’s why CIM is attractive to Anker as a solution for bringing more powerful AI to its small-battery, lower-powered devices.

Oppo has just unveiled its flagship smartphone that’s “engineered to be your next camera”.

The Oppo Find X9 Ultra is fitted with “groundbreaking” lenses and “industry-leading hardware”, but how does it compare to the 4.5-star Oppo Find X9 Pro? Considering we concluded that the latter delivers a top-notch camera experience and has a spot on our best camera phones list, how does the X9 Ultra look to compare?

We’ve assessed the specs of the Oppo Find X9 Ultra to the Find X9 Pro, and highlighted the key differences between the two below. 

Otherwise, visit our round-up of the best Android phones and best smartphones to see our current favourites. 

Price and Availability

The Find X9 Ultra is the first of Oppo’s Ultra models to launch globally.

Advertisement

The Find X9 Pro is available to buy now, and has a starting price of £1099. However, we have seen the phone’s price drop over the last few months, so it’s worth keeping an eye out for deals. 

Oppo Find X9 Ultra has five rear lenses

Oppo explains that the Find X9 Ultra is fitted with a new-generation Hasselblad Master Camera System, which promises to deliver a versatile and high-quality framing that spans from 14mm to 460mm. 

Advertisement

Made up of five rear lenses, the Find X9 Pro sports dual Hasselblad 200MP lenses. The first of the two is the Ultra-Sensing main lens which features the new 1/1.12-inch Sony LYTIA 901 sensor while the second is a 3x ultra-sensing telephoto which boasts the largest sensor of its type (1/1.28-inch), and doubles as a macro lens.

The two 200MP lenses are supported by two 50MP cameras: an ultrawide and a 10x Ultra-Sensing Optical-Zoom telephoto. In fact, the latter benefits from an industry-first 20x optical zoom too. 

Finally, the four lenses are flanked by a new-gen True Color Camera which promises natural colour rendition.

Advertisement

In comparison, the Find X9 Pro is equipped with a 50MP main lens which, sure sounds pretty measly when compared to a 200MP alternative, but is able to capture plenty of detail and offers an impressive low-light performance too. 

Advertisement

This is paired with a 200MP telephoto lens that can reach up to a whopping 120x zoom. While this will come at the expense of detail, using Oppo’s Hasselblad Teleconverter attachment aims to fix this issue – and we’ll explain more below. 

Both have supporting teleconverter attachments – but there’s a difference

Both the Find X9 Ultra and X9 Pro can be equipped with their own teleconverter attachments. With the Pro, the Teleconverter twists onto the 200MP telephoto lens and enables impressive zoom without compromising on quality. While it’s certainly not the most subtle of accessories, we were still impressed by its performance.

Oppo has also created a similar 300m Teleconverter lens for the X9 Ultra edition, that mounts to the 200MP, 3x telephoto sensor. According to Oppo, this attachment will allow photographers to retain sharp detail at “30x and beyond”. That’s a bold claim, and one we’re keen to try out for ourselves.

Advertisement

Oppo Find X9 Ultra runs on Snapdragon 8 Elite Gen 5

Photography ability aside, one of the key differences between the Find X9 Ultra and X9 Pro is with their respective chips. While the latter Pro model runs on MediaTek’s Dimensity 9500, the Ultra is powered by Qualcomm’s Snapdragon 8 Elite Gen 5. 

We found during our review of the Find X9 Pro that its Dimensity 9500 chip, combined with Oppo’s Luminous Rendering Engine, enabled the flagship to fly through everyday use while feeling rapid and responsive too. In addition, although it isn’t a dedicated gaming phone, it still had no issue running titles such as Call of Duty Mobile.

Advertisement

However, Snapdragon 8 Elite Gen 5 is a tough competitor to beat. The chip is not only behind many of the best Android phones, but it can handle everything from casual tasks to generative AI tasks and gaming with ease. Having said that, we’d argue that most users will be unlikely to notice much of a difference between the chips in everyday use.

Oppo Find X9 Pro has a larger battery

With a mighty 7500mAh cell, the Find X9 Pro has one of the largest batteries found in any smartphone. This translates to comfortably being a two-day handset, although remember this will depend on your own usage. For example, we found that on days where we really pushed the phone’s limits, the handset couldn’t quite make it through a full second day.

Although it’s not quite as large, the Find X9 Ultra is still fitted with a whopping 7050mAh battery, which promises to ensure “reliable, all-day content creation”.

Advertisement

It’s worth pointing out that, although the Find X9 Pro’s battery is larger than the X9 Ultra’s own, both do boast pretty generous capacities. Considering the likes of the Samsung Galaxy S26 Ultra and Google Pixel 10 Pro XL max out at 5000mAh and 5200mAh respectively, Oppo’s Find series are certainly not to be sniffed at.

Advertisement

Oppo Find X9 Ultra comes in a familiar orange shade

Although both only come in a choice between two shades, they differ with their exact offerings. While the Find X9 Pro comes as Titanium Carbon or Silk White, the Find X9 Ultra is available in either Tundra Umber or Canyon Orange.

Regardless of the colour you choose, both the X9 Ultra and X9 Pro sport IP66, IP68 and IP69 ratings which means the handsets can withstand water submersion and even high pressure and high temperature water jets too.

Early Verdict

Although the Oppo Find X9 Pro is easily one of the best camera phones we’ve reviewed, the Find X9 Pro looks like a promising alternative for those who need even more versatility and shooting modes to play with. With a whopping five rear cameras and Qualcomm’s Snapdragon 8 Elite Gen 5 chip at play, the Oppo Find X9 Ultra is undoubtedly a promising handset for the keen photographer.

Advertisement

Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability.

The security flaw (tracked as CVE-2026-40372) was found in the ASP.NET Core Data Protection cryptographic APIs, and it could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies.

Microsoft discovered the flaw following user reports that decryption was failing in their applications after installing the .NET 10.0.6 update release during this month’s Patch Tuesday.

“A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases,” Microsoft says in the .NET 10.0.7 release notes.

“In these cases, the broken validation could allow an attacker to forge payloads that pass DataProtection’s authenticity checks, and to decrypt previously-protected payloads in auth cookies, antiforgery tokens, TempData, OIDC state, etc.

“If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves. Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.”

As Microsoft further explained in a Tuesday security advisory, this vulnerability can also enable attackers to disclose files and modify data, but they cannot impact the system’s availability.

On Tuesday, senior program manager Rahul Bhandari warned all customers whose applications use ASP.NET Core Data Protection to update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible, then redeploy to fix the validation routine and ensure that any forged payloads are rejected automatically.

More information regarding affected platforms, packages, and application configuration can be found in the original announcement.

In October, Microsoft also patched an HTTP request smuggling bug (CVE-2025-55315) in the Kestrel web server that was flagged with the “highest ever” severity rating for an ASP.NET Core security flaw.

Successful exploitation of CVE-2025-55315 enables authenticated attackers to either hijack other users’ credentials, bypass front-end security controls, or crash the server.

On Monday, Microsoft released another set of out-of-band updates to address issues affecting Windows Server systems after installing the April 2026 security updates.

AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.

At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.

Advertisement

Claim Your Spot

Invincible season 4 episode 8 has landed on Prime Video — and, hoo boy, if Mark Grayson thought he had it bad already, nothing can prepare him (or you, for that matter) about what’s to come after that decision he’s just made.

If you’re here, I’m guessing you’ve seen the Amazon TV Original’s latest finale and have big questions about what you just watched. Luckily for you, I’m a huge Invincible nerd, so I’m perfectly placed to answer them.

A group of unauthorized users has reportedly gained access to Mythos, the cybersecurity tool recently announced by Anthropic.

Much has been made of Mythos and its purported power — an AI product designed for enterprise security that, in the wrong hands, could become a potent hacking tool, according to the company. Now Bloomberg has reported that a “private online forum,” the members of which have not been publicly identified, has managed to gain access to the tool through a third-party vendor.

“We’re investigating a report claiming unauthorized access to Claude Mythos Preview through one of our third-party vendor environments,” an Anthropic spokesperson told TechCrunch. The company said that, so far, it has found no evidence that the supposedly unauthorized activity has impacted Anthropic’s systems in any way.

The unauthorized group tried a number of different strategies to gain access to the model, including using “access” enjoyed by the person who was interviewed by Bloomberg. That person is currently employed at a third-party contractor that works for Anthropic, the outlet reported.

Members of the group are part of a Discord channel that seeks out information about unreleased AI models, the outlet reported. The group has been using Mythos regularly since gaining access to it, and provided evidence to Bloomberg in the form of screenshots and a live demonstration of the software.

Bloomberg reports that the group, which supposedly gained access to the tool on the same day it was publicly announced, “made an educated guess about the model’s online location based on knowledge about the format Anthropic has used for other models.” The group in question is “interested in playing around with new models, not wreaking havoc with them,” the source told the outlet.

Mythos was released to a select number of vendors, including big names like Apple, as part of an initiative called Project Glasswing. The limited release of the model was designed to prevent its use by bad actors. The tool could be weaponized against corporate security instead of bolstering it, Anthropic said.

If true, unauthorized use of Mythos could spell trouble for Anthropic, which provided the exclusive release to allay the company’s concern for enterprise security.

Summary: Lovable, the $6.6 billion vibe coding platform with eight million users, has faced three documented security incidents exposing source code, database credentials, and thousands of user records, with the most recent BOLA vulnerability left open for 48 days after the company closed a bug bounty report without escalation. The incidents are representative of a structural problem across vibe coding: 40-62% of AI-generated code contains vulnerabilities, 91.5% of vibe-coded apps had at least one AI hallucination-related flaw in Q1 2026, and the market’s incentive structure rewards growth over security at a moment when 60% of all new code is projected to be AI-generated by year end.

Lovable, the vibe coding platform valued at $6.6 billion with eight million users, has spent the past two months dealing with security incidents that collectively exposed source code, database credentials, AI chat histories, and the personal data of thousands of users across projects built on its platform. The most recent disclosure, published on 20 April by a security researcher, revealed a broken object-level authorisation vulnerability in Lovable’s API that allowed anyone with a free account to access another user’s profile, public projects, source code, and database credentials in as few as five API calls. The researcher reported the flaw to Lovable’s bug bounty programme on 3 March. Lovable patched it for new projects but never fixed it for existing ones, marked a follow-up report as a duplicate, and closed it. As of reporting, the vulnerability had been open for 48 days.

Lovable’s response followed a pattern that security researchers found more telling than the vulnerability itself. The company first posted on X that it “did not suffer a data breach,” calling the exposed data “intentional behaviour.” It then blamed its own documentation, saying that what “public” implies “was unclear.” It then blamed its bug bounty partner HackerOne, saying reports were “closed without escalation because our HackerOne partners thought that seeing public projects’ chats was the intended behaviour.” Later that day, it issued a partial apology acknowledging that “pointing to documentation issues alone was not enough.” Cybernews headlined its coverage: “Lovable goes on ego trip denying vulnerability, then blames others for said vulnerability.”

What was exposed

The April incident affected projects created before November 2025. The researcher demonstrated that extracting a user’s source code from Lovable’s API also yielded hardcoded Supabase database credentials embedded in that code. One affected project belonged to Connected Women in AI, a Danish nonprofit. Its exposed data contained real user records including names, job titles, LinkedIn profiles, and Stripe customer IDs, with records linked to individuals at Accenture Denmark and Copenhagen Business School. Employees at Nvidia, Microsoft, Uber, and Spotify reportedly have Lovable accounts tied to affected projects.

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

This was the third documented security incident involving the platform. In February, a tech entrepreneur named Taimur Khan found 16 vulnerabilities, six of them critical, in a single app hosted on Lovable and featured on its own Discover page with more than 100,000 views. The most severe was an inverted authentication logic that granted anonymous users full access while blocking authenticated users. The app, an AI-powered EdTech tool, exposed 18,697 user records including 4,538 student accounts from institutions including UC Berkeley and UC Davis, with minors likely on the platform. Khan reported his findings through Lovable’s support channel. His ticket was closed without a response.

An earlier study in May 2025 found that 170 out of 1,645 sampled Lovable-created applications had issues allowing personal information to be accessed by anyone. Approximately 70% of Lovable apps had row-level security disabled entirely.

The structural problem

Lovable is not uniquely insecure. It is representatively insecure. The platform generates full-stack applications using React, Tailwind, and Supabase in response to natural language prompts, a process the industry calls vibe coding after Andrej Karpathy coined the term in February 2025. The approach lets anyone describe an application and have it built by an AI model without writing or reviewing code. Collins English Dictionary named it Word of the Year for 2025. Gartner forecasts that 60% of all new code will be AI-generated by the end of this year.

The security data across the entire category is consistent. Between 40 and 62% of AI-generated code contains security vulnerabilities, depending on the study. AI-written code produces flaws at 2.74 times the rate of human-written code, according to an analysis of 470 GitHub pull requests. A first-quarter 2026 assessment of more than 200 vibe-coded applications found that 91.5% contained at least one vulnerability traceable to AI hallucination. More than 60% exposed API keys or database credentials in public repositories. The vulnerability classes are the same across every major vibe coding platform: disabled row-level security, hardcoded secrets, missing webhook verification, injection flaws, and broken access controls.

Bolt.new ships with row-level security off by default. Cursor has had multiple CVEs patched, including a case-sensitivity bypass enabling persistent remote code execution. Researchers at Pillar Security demonstrated a “rules file backdoor” attack in which hackers inject hidden malicious instructions into configuration files used by Cursor and GitHub Copilot. A separate “Agent Commander” attack in March showed that prompt injection into AI coding agents could convert autonomous coding tools into remotely controlled malware delivery platforms. In January, the vibe-coded social network Moltbook was breached within three days of launch, exposing 1.5 million API authentication tokens and 35,000 email addresses through a misconfigured Supabase database with no row-level security.

The economic incentive problem

Security firms are raising money specifically to address the gap. Escape raised $18 million to replace manual penetration testing with AI agents that scan vibe-coded applications, citing over 2,000 high-impact vulnerabilities and hundreds of exposed secrets found in live production systems. Lovable itself partnered with Aikido to bring automated pentesting to its platform. But the fundamental incentive structure of the market works against security.

Lovable hit $4 million in annual recurring revenue in its first four weeks and $10 million in two months with a team of 15 people. It raised $200 million at a $1.8 billion valuation in July 2025 and $330 million at $6.6 billion in December, more than tripling its valuation in five months. Enterprise adoption of vibe coding grew 340% year over year. Non-technical user adoption surged 520%. Eighty-seven percent of Fortune 500 companies have adopted at least one vibe coding platform. The market rewards speed and accessibility. Security is a cost centre that slows both.

The result is a category in which the dominant platforms generate code that is insecure by default, the users generating that code lack the expertise to identify the vulnerabilities, and the platforms themselves have financial incentives to prioritise growth over remediation. Lovable’s handling of the March and April incidents illustrates the dynamic precisely: a bug bounty report was closed without escalation, a vulnerability affecting thousands of projects was patched for new users but not existing ones, and the public response cycled through denial, deflection, and a partial apology within a single day.

The regulatory gap

The EU AI Act’s high-risk obligations take effect on 2 August, requiring transparency, human oversight, and data governance for AI systems. California’s S.B. 53 and New York’s RAISE Act require frontier AI developers to publish safety frameworks and report incidents. But none of these regulations specifically address the security of code generated by AI models for end users, and the adoption data suggests the market is moving faster than regulators can respond. Financial services and healthcare, the two most regulated sectors, show the lowest vibe coding adoption rates at 34 and 28% respectively, which indicates that the market itself recognises the compliance gap even if regulations have not yet caught up.

As Trend Micro framed it: “The real risk of vibe coding isn’t AI writing insecure code. It’s humans shipping code they never had a chance to secure.” The 84% surge in App Store submissions driven by vibe coding tools suggests the volume of unreviewed code entering production is accelerating. Thirty-five CVEs were disclosed in March alone from AI-generated code, up from six in January, and Georgia Tech estimates the actual figure is five to ten times higher than what is detected.

Lovable is the fastest-growing software startup in history by several measures. It is also a company that closed a critical vulnerability report without reading it, left thousands of projects exposed for 48 days, and responded to public disclosure by denying a breach, blaming its documentation, blaming its bug bounty partner, and then apologising for the apology. The pattern is not unique to Lovable. It is the pattern of a category that has built extraordinary tools for creating software and almost nothing for securing it.