Latest News

Given this Hurl file: regex.hurl: ``` GET https://foo.com HTTP 200 [Asserts] jsonpath "$.body" matches /<img src="" onerror="alert('Hi!')">/ ``` When exported to HTML: ``` $ hurlfmt --out html regex.hurl <pre><code class="language-hurl"><span class="hurl-entry"><span class="request"><span class="line"><span class="method">GET</span> <span class="url">https://foo.com</span></span> </span><span class="response"><span class="line"><span class="version">HTTP</span> <span class="number">200</span></span> <span class="line"><span class="section-header">[Asserts]</span></span> <span class="line"><span class="query-type">jsonpath</span> <span class="string">"$.body"</span> <span class="predicate-type">matches</span> <span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span> </span></span><span class="line"></span> </code></pre> ``` The regex literal `/<img src="" onerror="alert('Hi!')">/` is not escaped: `<span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span...

# CWA-2025-006: Improper error handling may lead to IBC channel opening despite error **Severity** High (Considerable + Likely)[^1] **Affected versions:** - wasmd 0.60.0 - wasmd >= 0.51.0 < 0.55.1 **Patched versions:** - wasmd 0.60.1, 0.55.1, 0.54.1, 0.53.3 ## Description of the bug A contract erroring during IBC channel opening does not prevent the channel from opening. ## Applying the patch The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically. If you already use the latest / close to latest wasmd, you can update more or less as follows: 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` 2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.60.1 (Cosmos SDK 0.53 compatible), 0.55.1 (Cosmos SDK 0.50 compatible), 0.54.1 or 0.53.3; `go mod tidy`; commit. 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same vers...

### Impact When the PostgreSQL JDBC driver is configured with channel binding set to `required` (default value is `prefer`), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. ### Patches TBD ### Workarounds Configure `sslMode=verify-full` to prevent MITM attacks. ### References * https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256 * https://datatracker.ietf.org/doc/html/rfc7677 * https://datatracker.ietf.org/doc/html/rfc5802

Cloud resilience is no longer just about surviving service interruptions; it's about operating securely under any circumstances, across any geographic area.

Threat intelligence firm GreyNoise has warned of a "coordinated brute-force activity" targeting Apache Tomcat Manager interfaces. The company said it observed a surge in brute-force and login attempts on June 5, 2025, an indication that they could be deliberate efforts to "identify and access exposed Tomcat services at scale." To that end, 295 unique IP addresses have been found to be engaged

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15.

INTERPOL disrupts 20,000 infostealer domains in major cybercrime crackdown across Asia-Pacific, 32 arrested, 216K victims notified in Operation Secure.

The two campaigns are good examples of the ever-shrinking time-to-exploit timelines that botnet operators have adopted for newly published CVEs.

Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute.

Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.