Latest News

### Summary The approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path separator. This occurs because the check relies on a raw string prefix comparison. ### PoC - setup ``` mkdir ~/public123 move a png file under ~/public123 with name test.png cd npm i ipx ``` - `main.js` ```js import { createIPX, ipxFSStorage } from "ipx"; const ipx = createIPX({ storage: ipxFSStorage({ dir: "./public" }), }); (async () => { { const source = await ipx("../public123/test.png"); // access file outside ./public dir because of same prefix folder const { data, format } = await source.process(); console.log(format) // print image data } { try { const source = await ipx("../publi123/test.png"); // forbidden path: the prefix is not the same const { data, format } = await source.process(); console.log(data) } ca...

An uptick of ransomware activity by the group in late July that uses the vendor's SSL VPN devices for initial intrusion shows evidence of an as-yet-undisclosed flaw under exploitation.

Cybersecurity threats to local governments are part of life in the digital environment in which people live today.…

Investing in building a human-centric defense involves a combination of adaptive security awareness training, a vigilant and skeptical culture, and the deployment of layered technical controls.

Cybersecurity researchers are calling attention to a new wave of campaigns distributing a Python-based information stealer called PXA Stealer. The malicious activity has been assessed to be the work of Vietnamese-speaking cybercriminals who monetize the stolen data through a subscription-based underground ecosystem that automates the resale and reuse via Telegram APIs, according to a joint

A new security flaw, LegalPwn, exploits a weakness in generative AI tools like GitHub Copilot and ChatGPT, where malicious code is disguised as legal disclaimers. Learn why human oversight is now more critical than ever for AI security.

Malware isn’t just trying to hide anymore—it’s trying to belong. We’re seeing code that talks like us, logs like us, even documents itself like a helpful teammate. Some threats now look more like developer tools than exploits. Others borrow trust from open-source platforms, or quietly build themselves out of AI-written snippets. It’s not just about being malicious—it’s about being believable.

Security researchers at Bitdefender have found two critical vulnerabilities (CVE-2025-31700, CVE-2025-31701) in popular Dahua security cameras, including the Hero C1 model.

Some of the most devastating cyberattacks don’t rely on brute force, but instead succeed through stealth. These quiet intrusions often go unnoticed until long after the attacker has disappeared. Among the most insidious are man-in-the-middle (MITM) attacks, where criminals exploit weaknesses in communication protocols to silently position themselves between two unsuspecting parties

The Defense Department operates slot machines on US military bases overseas, raising millions of dollars to fund recreation for troops—and creating risks for soldiers prone to gambling addiction.