Latest News
VPN use is skyrocketing across the UK as the region's Online Safety Act places age verification controls on adult websites.
An unsealed indictment associated with the Chinese threat group shows its members worked for companies closely aligned with the PRC as part of a larger contractor ecosystem.
Cybersecurity trends in 2025 reveal rising AI threats, quantum risks, and supply chain attacks, pushing firms to adapt or face major data and financial losses.
### Impact This vulnerability affects oauth2-proxy deployments using the `skip_auth_routes` configuration option with regex patterns. The vulnerability allows attackers to bypass authentication by crafting URLs with query parameters that satisfy the configured regex patterns, potentially gaining unauthorized access to protected resources. The issue stems from `skip_auth_routes` matching against the full request URI (path + query parameters) instead of just the path as documented. This discrepancy enables authentication bypass attacks where attackers append malicious query parameters to access protected endpoints. Example Attack: * Configuration: `skip_auth_routes = [ "^/foo/.*/bar$" ]` * Intended behavior: Allow `/foo/something/bar` * Actual vulnerability: Also allows `/foo/critical_endpoint?param=/bar` Deployments using `skip_auth_routes` with regex patterns containing wildcards or broad matching patterns are most at risk, especially when backend services ignore unknown query para...
Fraudsters are flooding Discord and other social media platforms with ads for hundreds of polished online gaming and wagering websites that lure people with free credits and eventually abscond with any cryptocurrency funds deposited by players. Here's a closer look at the social engineering tactics and remarkable traits of this sprawling network of more than 1,200 scam sites.
** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts. This issue affects Apache Struts Extras: before 2. When using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated). As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
watchTowr's latest research details critical SonicWall SMA100 flaws (CVE-2025-40596, 40597, 40598). Discover how pre-auth stack/heap overflows and XSS put SSL-VPNs at risk. Patch now!
Apple has released important security updates for iOS and iPadOS patching 29 vulnerabilities, mostly in WebKit.
### Summary An attacker can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High‑impact vulnerability because it completely compromises repository confidentiality. ### Details The proxy currently trusts only the ref‑update line (`oldOid → newOid`) and doesn't inspect the packfile’s contents Because the code only runs `git rev-list oldOid..newOid` to compute **introducedCommits** but **never** checks which commits actually arrived in the pack, a malicious client can append extra commits. Those “hidden” commits won’t be pointed to by any branch but GitHub still stores and serves them by SHA. <img width="2556" height="744" alt="Screenshot 2025-07-16 at 12 29 19" src="https://github.com/user-a...
### Summary An attacker can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. Because it can greatly affect system integrity, we classify this as a High impact vulnerability. ### Details GitProxy checks for the `0000000000000000000000000000000000000000` hash to detect new branches. This is used to process the commit accordingly in both `getDiff.ts` and `parsePush.ts`. However, the logic can be exploited as follows: 1. Make a commit in branch `a` (could be `main`) 2. Make a new branch `b` from that commit 3. Make a new commit in `b`, then approve it/get it approved 4. Go back to `a`, and attempt to push this commit to the proxy The unapproved commit from `a` will be pushed to the remote. ### PoC To reproduce this vulnerability: 1. Clone the target repository and make an unapproved commit on a mainline branch (e.g. main): ```bash git checkout -b a origin/main echo "DEBUG=true" > config.env git add config.env git comm...