Latest News

The notorious Russian state-sponsored group relies on basic techniques that are highly effective, often delivering greater ROI than more complex malware-heavy operations.

The U.S. Federal Bureau of Investigation (FBI) on Thursday released an advisory warning of North Korean state-sponsored threat actors leveraging malicious QR codes in spear-phishing campaigns targeting entities in the country. "As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR)

Jonathan Ross told a federal court in December about his professional background, including “hundreds” of encounters with drivers during enforcement actions, according to testimony obtained by WIRED.

The CrowdStrike-SGNL deal underscores how identity security has become a critical component of enterprise cybersecurity as companies add cloud services and deploy AI-driven tools.

The Security Labs team at Snyk is reporting a security issue affecting Authlib, which was identified during a recent research project. A vulnerability has been identified that can result in a 1-click Account Takeover in applications that use the Authlib library. (5.7 CVSS v3: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N) **Description** Cache-backed state/request-token storage is not tied to the initiating user session, so CSRF is possible for any attacker that has a valid state (easily obtainable via an attacker-initiated authentication flow). When a cache is supplied to the OAuth client registry, `FrameworkIntegration.set_state_data` writes the entire state blob under `_state_{app}_{state},` and `get_state_data` ignores the caller’s session altogether. \[1\]\[2\] ```py def _get_cache_data(self, key): value = self.cache.get(key) if not value: return None try: return json.loads(value) except (TypeError, ValueError): ret...

Exploitation of CVE-2025-37164 can enable remote code execution on HPE's IT infrastructure management platform, leading to devastating consequences.

CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. A defense-in-depth enhancement has been implemented in the AWS SDK for Swift. This enhancement validates that a region used to construct an endpoint URL is a valid host label. The change was released on November 6, 2025. This advisory is informational to help customers understand their responsibilities regarding configuration security. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK was functioning safely within the requirements of the shared responsibility model, additional safeguards have been added to support secure customer implementations. Impacted versions: All versions prior to 2025-11-06 release (below 1.5.79) Patches On Novembe...

CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. Per the AWS shared responsibility model, customer applications should protect instances appropriately, or implement proper input sanitization checks. The AWS SDK for JavaScript v2 reached end-of-support on September 8, 2025, but a defense-in-depth enhancement has been implemented in AWS SDK for JavaScript v3. Please migrate to that version. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK itself is functioning as designed, we recommend customers migrate to AWS SDK for JavaScript v3 for continued support and enhanced security features. Impacted versions: All versions of AWS SDK for JavaScript v2 Patches No security patch is required, this i...

CVSSv3.1 Rating: 3.7 (LOW) Summary This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value. A defense-in-depth enhancement has been implemented in the AWS SDK for JavaScript v3 (versions 3.723.0 and later). This enhancement validates that a region used to construct an endpoint URL is a valid host label. The change was released on November 15, 2025. This advisory is informational to help customers understand their responsibilities regarding configuration security. Impact Customer applications could be configured to improperly route AWS API calls to non-existent or non-AWS hosts. While the SDK was functioning as designed, additional safeguards have been added to support secure customer implementations. Impacted versions: @smithy/config-resolver <4.4.0 Patches On November 15, 2025, an enhancement was made to t...

### Summary The fix [here](https://github.com/vllm-project/vllm/pull/27204) for CVE-2025-62164 is not sufficient. The fix only disables prompt embeds by default rather than addressing the root cause, so the DoS vulnerability remains when the feature is enabled. ### Details vLLM's pending change attempts to fix the root cause, which is the missing sparse tensor validation. PyTorch (~v2.0) disables sparse tensor validation (specifically, sparse tensor invariants checks) by default for performance reasons. vLLM is adding the sparse tensor validation to ensure indices are valid, non-negative, and within bounds. These checks help catch malformed tensors. ### PoC NA ### Impact Current fix only added a flag to disable/enable prompt embeds, so by default, prompt embeds feature is disabled in vLLM, which stops DoS attacks through the embeddings. However, It doesn’t address the problem when the flag is enabled and there is still potential for DoS attacks. ### Changes * https://github.co...