Latest News
Google on Tuesday revealed that its large language model (LLM)-assisted vulnerability discovery framework discovered a security flaw in the SQLite open-source database engine before it could have been exploited in the wild. The vulnerability, tracked as CVE-2025-6965 (CVSS score: 7.2), is a memory corruption flaw affecting all versions prior to 3.50.2. It was discovered by Big Sleep, an
Using more than 600 domains, attackers entice Chinese-speaking victims to download a vulnerable Telegram app that is nearly undetectable on older versions of Android.
Fake Telegram apps are being spread through 607 malicious domains to deliver Android malware, using blog-style pages and phishing tactics to trick users.
McDonald's hiring platform was using its original default credentials and inadvertently exposed information belonging to approximately 64 million job applicants.
Experts recommend enhanced AI literacy, training around the ethics of using AI, and verification protocols to maintain credibility in an increasingly AI-influenced courtroom.
Metadata from the “raw” Epstein prison video shows approximately 2 minutes and 53 seconds were removed from one of two stitched-together clips. The cut starts right at the “missing minute.”
Since surfacing on GitHub in 2019, AsyncRAT has become a poster child for how open source malware can democratize cybercrime, with a mazelike footprint of variants available across the spectrum of functionality.
### Impact A path traversal vulnerability is possible during the import of an archive (in [Simple Archive Format](https://wiki.lyrasis.org/pages/viewpage.action?pageId=104566653)), either from command-line (`./dspace import` command) or from the "Batch Import (Zip)" user interface feature. _This vulnerability likely impacts all versions of DSpace 1.x <= 7.6.3, 8.0 <= 8.1, and 9.0_. An attacker may craft a malicious Simple Archive Format (SAF) package where the `contents` file references any system files (using relative traversal sequences) which are readable by the Tomcat user. If such a package is imported, this will result in sensitive content disclose, including retrieving arbitrary files or configurations from the server where DSpace is running. **The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators** (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malic...
### Impact Two related XXE injection possibilities have been discovered, **impacting all versions of DSpace prior to 7.6.4, 8.2 and 9.1**. 1. External entities are not disabled when parsing XML files during import of an archive (in [Simple Archive Format](https://wiki.lyrasis.org/pages/viewpage.action?pageId=104566653)), either from command-line (`./dspace import` command) or from the "Batch Import (Zip)" user interface feature. _(Likely impacts all versions of DSpace 1.x <= 7.6.3, 8.0 <= 8.1, and 9.0)_ 2. External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in [import from external sources](https://wiki.lyrasis.org/pages/viewpage.action?pageId=104566672) via the user interface or REST API. _(Impacts all versions of DSpace 7.0 <= 7.6.3, 8.0 <= 8.1 and 9.0)_ An XXE injection in these files may result in a connection being made to an attacker's site or a local path readable by the ...
Beware! SVG images are now being used with obfuscated JavaScript for stealthy redirect attacks via spoofed emails. Get insights from Ontinue's latest research on detection and defence.