Latest News

Email is still the backbone of how businesses communicate, with more than 300 billion messages sent every day.…

### Summary A cache poisoning issue in **Next.js App Router >=15.3.0 and < 15.3.3** may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in **Next.js 15.3.3**. Users on affected versions should **upgrade immediately** and **redeploy** to ensure proper caching behavior. More details: [CVE-2025-49005](https://vercel.com/changelog/cve-2025-49005)

### Summary Page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. ### Details The descriptions, which are unsanitized, are inserted as raw HTML: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d4dfc3697a82948b3b9c4d44e9a273c79bc86b87/resources/skins.citizen.search/templates/TypeaheadListItem.mustache#L18 ### PoC All of the reproduction methods require the command palette to be disabled via `$wgCitizenEnableCommandPalette = false;`. Additionally, the action API must be used as the Search Gateway via `$wgCitizenSearchGateway = 'mwActionApi';`. #### TextExtracts as the description source * Enable the TextExtracts extension * Add `$wgCitizenSearchDescriptionSource = 'textextracts';` to your LocalSettings.php * Create a page called `CitizenXSSTextExtracts` and insert `<img src="" onerror="alert('citizen search xss')">` into it * Open the search modal and search for `CitizenXSSTextExtracts` ![ima...

## Summary An authorization vulnerability was discovered in the `/rest/executions/:id/stop` endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading to potential business disruption. ### Impact This is an **improper authorization** vulnerability. While most API methods enforce user-scoped access to workflow execution IDs, the `/stop` endpoint fails to do so. An attacker can guess or enumerate execution IDs (which are sequential and partially exposed via verbose error messages) and terminate active workflows initiated by other users. **Who is impacted:** - Environments where multiple users with varying trust levels share access to the same n8n instance. - All users running long-running or time-sensitive workflows (e.g., using the `wait` node). An attacker with authenticated access can exploit this flaw to: - Disrupt other users’ workflow executions. - Cause denial of service for business-critical automa...

The platform, which allows users to anonymously share the locations of ICE agents, is currently the third-most-downloaded iPhone app.

This Fourth of July, Bruce, the 25-foot mechanical shark from Jaws, shares how his saltwater struggles mirror the need for real-world cybersecurity stress testing.

Silent Push exposes thousands of fake e-commerce websites spoofing major brands like Apple and Michael Kors. Learn how this Chinese phishing scam targets shoppers and steals financial data, impacting global consumers.

Customs and Border Protection is asking companies to pitch tools for performing deep analysis on the contents of devices seized at the US border.

A vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual `<script>` element. If an attacker injected an HTML element such as: ``` <img name="currentScript" src="https://malicious.example.com"> ``` it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an <img> element instead of the <script> tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements (e.g., name="currentScript") become properties on the global document object. ## Impact An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. ## Fix https://github.com/AmauriC/tarteaucitron.js/commit/230a3b69d363837acfa895823d841e0608826ba3 The issue was resolved by verifying that document.currentScript is an instance of HTMLScriptElement. If not, the script now fa...

In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But more than a month later, the accused continues to openly operate accounts at a slew of American tech companies, including Facebook, Github, LinkedIn, PayPal and Twitter/X.