Security
Headlines
HeadlinesLatestCVEs

Latest News

UK Police Arrest Two Teens Over Kido Nursery Ransomware Attack

Met Police arrested two teenagers over the Kido nursery ransomware attack, which exposed data for 8,000 children. Full details on the hack and police investigation.

HackRead
Open in Source
#vulnerability#web
GHSA-893r-jr58-3hxr: Liferay Portal Commerce Shop is vulnerable to Stored XSS through SVG file

Stored Cross-Site Scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a SVG file.

GHSA-378f-8q54-3fqx: Liferay Portal is vulnerable to Stored XSS through Forms text type field

Stored cross-site scripting (XSS) vulnerability in Forms in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a form with a rich text type field.

GHSA-q8fj-76q7-4p7h: Liferay Portal Notifications Widget has multiple XSS vulnerabilities through various text fields

Multiple cross-site scripting (XSS) vulnerabilities in the Notifications widget in Liferay Portal 7.4.3.102 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5 and 2023.Q3.1 through 2023.Q3.10 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into (1) a user’s “First Name” text field, (2) a user’s “Middle Name” text field, (3) a user’s “Last Name” text field, (4) the “Other Reason” text field when flagging content, or (5) the name of the flagged content.

GHSA-q769-phqg-263r: VaahCMS is vulnerable to XSS through its Avatar Upload endpoint

Cross-Site Scripting in vaahcms v.2.3.1 allows a remote attacker to execute arbitrary code via upload method in the storeAvatar() method of UserBase.php

GHSA-fjrp-77f3-43xj: Liferay Portal is vulnerable to XXS through its Commerce Product's Name text field

Cross-site scripting (XSS) vulnerability in the Commerce Product Comparison Table widget in Liferay Portal 7.4.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Commerce Product's Name text field.

Modeling scams see mature models as attractive new prospects

Modeling scammers are reinventing old tricks for the social media age—targeting not just the young, but older adults too.

China-Nexus Actors Weaponize 'Nezha' Open Source Tool

A threat actor is putting a spin on classic remote monitoring and management (RMM) attacks, using a Chinese open source tool instead.

Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave

Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool called Nezha into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets. The activity, observed by cybersecurity company Huntress in August 2025, is characterized by the use of an unusual technique called log poisoning (aka log injection) to plant a web shell on a web

Calling All Influencers: Spear-Phishers Dangle Tesla, Red Bull Jobs

Wanna work for a hot brand? Cyberattackers continue to evolve lures for job seekers in an impersonation campaign aimed at stealing résumés from social media pros.