Latest News

Security researchers found a weakness in OpenAI’s Connectors, which let you hook up ChatGPT to other services, that allowed them to extract data from a Google Drive without any user interaction.

About Elevation of Privilege – Windows Update Service (CVE-2025-48799) vulnerability. This vulnerability is from the July Microsoft Patch Tuesday. Improper link resolution before file access (‘link following’) in the Windows Update Service allows an authorized attacker to elevate privileges to “NT AUTHORITY\SYSTEM”. 🛠 An exploit for this vulnerability was published by researcher Filip Dragović (Wh04m1001) […]

Secrets managers hold all the keys to an enterprise's kingdom. Two popular ones had longstanding, critical, unauthenticated RCE vulnerabilities.

A SecAlliance report reveals Chinese smishing syndicates compromised 115M US payment cards by bypassing MFA to exploit Apple Pay and Google Wallet.

### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mh55-gqvf-xfwm. This link is maintained to preserve external references. ### Original Description Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

The now-patched vulnerabilities exist at the firmware level and enable deep persistence on compromised systems.

Cybersecurity researchers have demonstrated an "end-to-end privilege escalation chain" in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment. The attack technique has been codenamed ECScape by Sweet Security researcher Naor Haziz, who presented the findings today at the

The malicious ad tech purveyor known as VexTrio Viper has been observed developing several malicious apps that have been published on Apple and Google's official app storefronts under the guise of seemingly useful applications. These apps masquerade as VPNs, device "monitoring" apps, RAM cleaners, dating services, and spam blockers, DNS threat intelligence firm Infoblox said in an exhaustive

New research reveals that a malicious traffic distribution system (TDS) is run not by "hackers in hoodies," but by a series of corporations operating in the commercial digital advertising industry.

Using invisible prompts, the attacks demonstrate a physical risk that could soon become reality as the world increasingly becomes more interconnected with artificial intelligence.