Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-hg3j-6pmh-mvjr: Fiora chat user avatar is vulnerable to XSS via SVG files

Cross Site Scripting (XSS) vulnerability in Fiora chat application 1.0.0 allows arbitrary JavaScript execution when malicious SVG files are rendered by other users.

ghsa
Open in Source
#xss#vulnerability#web#java#auth
New WireTap Attack Extracts Intel SGX ECDSA Key via DDR4 Memory-Bus Interposer

In yet another piece of research, academics from Georgia Institute of Technology and Purdue University have demonstrated that the security guarantees offered by Intel's Software Guard eXtensions (SGX) can be bypassed on DDR4 systems to passively decrypt sensitive data. SGX is designed as a hardware feature in Intel server processors that allows applications to be run in a Trusted Execution

Meet SpamGPT and MatrixPDF, AI Toolkits Driving Malware Attacks

Cybersecurity researchers at Varonis have discovered two new plug-and-play cybercrime toolkits, MatrixPDF and SpamGPT. Learn how these AI-powered tools make mass phishing and PDF malware accessible to anyone, redefining online security risks.

GHSA-m8rj-ppph-mj33: @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user

### Impact When visiting a specific URL, an anonymous user could cause the NodeJS server part of Volto to quit with an error. ### Patches The problem has been patched and the patch has been backported to Volto major versions down until 16. It is advised to upgrade to the latest patch release of your respective current major version: - Volto 16: [16.34.1](https://github.com/plone/volto/releases/tag/16.34.1) - Volto 17: [17.22.2](https://github.com/plone/volto/releases/tag/17.22.2) - Volto 18: [18.27.2](https://github.com/plone/volto/releases/tag/18.27.2) - Volto 19: [19.0.0-alpha6](https://github.com/plone/volto/releases/tag/19.0.0-alpha.6) ### Workarounds Make sure your setup automatically restarts processes that quit with an error. This won't prevent a crash, but it minimises downtime. ### Report The problem was discovered by FHNW, a client of Plone provider kitconcept, who shared it with the Plone Zope Security Team (security@plone.org).

GHSA-5m5w-w2h2-fqgq: SPDK is vulnerable to buffer overflow in the NVMe-oF target component

Storage Performance Development Kit (SPDK) 25.05 is vulnerable to Buffer Overflow in the NVMe-oF target component in SPDK - lib/nvmf.

A $50 'Battering RAM' Can Bust Confidential Computing

Researchers have demonstrated an attack that can break through modern Intel and AMD processor technologies that protect encrypted data stored in memory.

Undead Operating Systems Haunt Enterprise Security Networks

Windows 10 reaches end-of-life on Oct. 14, which will triple the number of vulnerable enterprise systems and create a massive attack surface for cybercriminals.

Gemini AI flaws could have exposed your data

Google’s Gemini AI suite had vulnerabilities that let attackers hide malicious instructions in everyday web activity.

OneLogin Bug Let Attackers Use API Keys to Steal OIDC Secrets and Impersonate Apps

A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect (OIDC) application client secrets under certain circumstances. The vulnerability, tracked as CVE-2025-59363, has been assigned a CVSS score of 7.7 out of 10.0. It has been described as a case of

Detour Dog’s DNS Hijacking Infects 30,000 Websites with Strela Stealer

Infoblox reveals how the Detour Dog group used server-side DNS to compromise 30,000+ sites across 89 countries, installing the stealthy Strela Stealer malware.