Latest News

### Impact XWiki's REST API doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the `/rest/wikis/xwiki/spaces` resource returns all spaces on the wiki by default, which are basically all pages. ### Patches XWiki 17.7.0RC1, 17.4.4 and 16.10.11 introduce a configurable limit, limiting responses to 1000 items by default. Requesting larger limits leads to an error now. ### Workarounds We're not aware of any workaround, except denying access to the affected REST resources in a proxy in front of XWiki.

### Impact A reflected XSS vulnerability in XWiki allows an attacker to send a victim to a URL with a deletion confirmation message on which the attacker-supplied script is executed when the victim clicks the "No" button. When the victim has admin or programming right, this allows the attacker to execute basically arbitrary actions on the XWiki installation including remote code execution. ### Patches This vulnerability has been patched in XWiki 16.10.10, 17.4.2 and 17.5.0 by using the affected URL parameter only in the intended context. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2) can be manually applied to the templates that are present in the WAR. A restart of XWiki is needed for the changes to be applied.

Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

New records about the infamous sex offender are released seemingly every week. Here’s a quick rundown of who’s releasing the Epstein documents, what they contain—and what they’re releasing next.

Three security vulnerabilities have been disclosed in the Peripheral Component Interconnect Express (PCIe) Integrity and Data Encryption (IDE) protocol specification that could expose a local attacker to serious risks. The flaws impact PCIe Base Specification Revision 5.0 and onwards in the protocol mechanism introduced by the IDE Engineering Change Notice (ECN), according to the PCI Special

GhostFrame uses dynamic subdomains and hidden iframes to help attackers slip past basic security tools.

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

Cloud security is changing. Attackers are no longer just breaking down the door; they are finding unlocked windows in your configurations, your identities, and your code. Standard security tools often miss these threats because they look like normal activity. To stop them, you need to see exactly how these attacks happen in the real world. Next week, the Cortex Cloud team at Palo Alto Networks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation

Ukrainian national Victoria Dubranova is in U.S. custody, accused of supporting Russian hacker group NoName057 in cyberattacks on critical infrastructure. She has pleaded not guilty.