Latest News

An email sent by the Department of Homeland Security instructs people in the US on a temporary legal status to leave the country. But who the email actually applies to—and who actually received it—is far from clear.

Plus: The Department of Homeland Security begins surveilling immigrants' social media, President Donald Trump targets former CISA director who refuted his claims of 2020 election fraud, and more.

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High) https://nvd.nist.gov/vuln/detail/CVE-2025-2783 https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html https://issues.chromium.org/issues/405143032

## Summary `jupyter-remote-desktop-proxy` was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by `jupyter-remote-desktop-proxy` were still accessible via the network. This vulnerability does not affect users having TurboVNC as the `vncserver` executable. ## Credits This vulnerability was identified by Arne Gottwald at University of Göttingen and analyzed, reported, and reviewed by @frejanordsiek.

### Impact When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream. ### Patches If you are using ch-go library, we recommend you to update to at least version 0.65.0. ### Credit This issue was found by lixts and reported through our bugcrowd program.

SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.

Nations continue to sign the Code of Practice for States in an effort to curb commercial spyware, yet implementation and enforcement concerns have yet to be figured out.

### Impact It is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. ### Patches This has been fixed in Formie 2.1.44. Users should ensure they are running at least this version.

### Impact When importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview of what was to be imported. As imports are undertaking primarily by users who have themselves exported the form from one environment to another, and would require direct manipulation of the JSON export, this is marked as moderate. This vulnerability will not occur unless someone deliberately tampers with the export. ### Patches This has been fixed in Formie 2.1.44. Users should ensure they are running at least this version.

The threat actor, also known as Goffee, has been active since at least 2022 and has changed its tactics and techniques over the years while targeting Russian organizations.