Latest News

### Summary A XSS(cross-site scripting) vulnerability is caused by insufficient filtering of input by web applications. Attackers can leverage this XSS vulnerability to inject malicious script code (HTML code or client-side Javascript code) into web pages, and when users browse these web pages, the malicious code will be executed, and the victims may be vulnerable to various attacks such as cookie data theft, etc. ### Details 1. Send a Message `<iframe src="javascript:alert(document.cookie);">` from User in a chat box: <img width="1396" alt="image" src="https://github.com/user-attachments/assets/b472e304-9e7a-40d2-8469-675a5f0744e5" /> ##### Trigger in other ways: 2. Create a Agentflow in cloud platform (https://cloud.flowiseai.com/agentflows) 3. Create a Custom function as an example, use the below example code. ``` const fetch = require('node-fetch'); const url = 'https://external.website'; const options = { method: 'GET', headers: { 'Content-Type': 'application/js...

All functions under `wrflib::byte_extract` are simply wrapper of unsafe pointer offset and lacks sufficient checks to it pointer and offset parameter. `wrflib` is unmaintained.

### Summary A Cross-Site Scripting (XSS) risk exists in NiceGUI when developers render unescaped user input into the DOM using `ui.html()`. Before version 3.0, NiceGUI does not enforce HTML or JavaScript sanitization, so applications that directly combine components like `ui.input()` with `ui.html()` without escaping may allow attackers to execute arbitrary JavaScript in the user’s browser. Same holds for `ui.chat_message` with HTML content. Applications that directly reflect user input via `ui.html()` (or `ui.chat_message` in HTML mode) are affected. This may lead to client-side code execution (e.g., session hijacking or phishing). Applications that do not pass untrusted input into ui.html() are not affected. ### Details NiceGUI allows developers to bind user input directly into the DOM using `ui.html()` or `ui.chat_message()`. However, the library does not enforce any HTML or JavaScript sanitization, which potentially creates a dangerous attack surface for developers unaware of t...

Dutch Prime Minister Dick Schoof described the incident as part of a broader pattern of Russian hybrid attacks against Europe.

A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer. That's according to findings from Infoblox, which found the threat actor to maintain control of domains hosting the first stage of the stealer, a backdoor called StarFish. The DNS threat intelligence firm said it has been tracking Detour Dog since August 2023, when

A leak site from Scattered LAPSUS$ Hunters alleges Salesforce breach, with hackers claiming 1B records stolen and 39 major companies affected

Bitsight warns ICS/OT exposure jumped 12% in 2024, leaving 180,000+ critical infrastructure systems open to attack. Learn about the possible vulnerabilities and new malware strains.

The threat actor behind Rhadamanthys has also advertised two other tools called Elysium Proxy Bot and Crypt Service on their website, even as the flagship information stealer has been updated to support the ability to collect device and web browser fingerprints, among others. "Rhadamanthys was initially promoted through posts on cybercrime forums, but soon it became clear that the author had a

The company likely failed to completely clean out attackers from a previous breach and now is a case study for the high cost of ransomware.

### Summary phpMyFAQ does not enforce uniqueness of email addresses during user registration. This allows multiple distinct accounts to be created with the same email. Because email is often used as an identifier for password resets, notifications, and administrative actions, this flaw can cause account ambiguity and, in certain configurations, may lead to privilege escalation or account takeover. ### Details An account management logic flaw in phpMyFAQ allows attackers to register multiple accounts under the same email address. If email is used for password reset or administrative flows, this may result in account takeover, loss of accountability, and abuse of business logic. ### PoC 1.Register a user with email test@example.com 2.Register another user with the same email. 3.Both accounts appear in /admin/?action=user&user_action=listallusers. <img width="1150" height="628" alt="image" src="https://github.com/user-attachments/assets/8c19f01a-e897-4ca7-b3f8-fcf83e6ff952" /> ### Imp...