Security
Headlines

Latest News

Researcher Wipes White Supremacist Dating Sites, Leaks Data on okstupid.lol

Security researcher "Martha Root", dressed as the Pink Power Ranger, deletes white supremacist dating sites live onstage and leaks 8,000 profiles and 100GB of data at Chaos Communication Congress (CCC) 2025.

HackRead
8 WhatsApp Features to Boost Your Security and Privacy

Meta’s end-to-end encrypted messaging app is used by billions of people. Here’s how to make sure you’re one of the most locked-down ones out there.

Finnish Authorities Detain Crew After Undersea Internet Cable Severed

After a sudden internet cable break between Finland and Estonia, authorities have seized the cargo ship Fitburg. With two crew members arrested and sanctioned steel found on board, investigators are now probing whether this was an accident or a deliberate act of hybrid warfare.

Resecurity Says ShinyHunters Fell for Honeypot After Breach Claim

Resecurity denies breach claims by ShinyHunters, says attackers accessed a honeypot with fake data. No real systems or customer info were compromised.

ShinyHunters Claim Breach of US Cybersecurity Firm Resecurity (Updated)

This article has been updated with a statement from Resecurity. A separate, updated article covering the incident has…

RondoDox Botnet is Using React2Shell to Hijack Thousands of Unpatched Devices

RondoDox hackers exploit the React2Shell flaw in Next.js to target 90,000+ devices, including routers, smart cameras, and small business websites.

How to Protect Your iPhone or Android Device From Spyware

Being targeted by sophisticated spyware is relatively rare, but experts say that everyone needs to stay vigilant as this dangerous malware continues to proliferate worldwide.

Protecting Your Digital Wallet: What You Need to Know About Fintech Security

The world of finance has undergone a remarkable transformation with the rise of digital wallets and financial technology…

GHSA-jmr4-p576-v565: listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover

## Security Advisory: Stored XSS Leading to Admin Account Takeover

**Affected Versions:** ≤ 5.1.0
**Vulnerability Type:** CWE-79: Stored Cross-Site Scripting

---

## Summary

A lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts.

The attack can be weaponized via the **public archive feature**, where victims simply need to visit a link - no preview click required.

---

## Required Attacker Permissions

```
campaigns:manage - Create/edit campaigns
campaigns:get - View campaigns
lists:get_all - Access lists
templates:get - Access templates
```

**Note:** These are common permissions for content managers who are not full admins.

---

## Attack Vectors

### Vector 1: Raw HTML (Direct ...

GHSA-mqhg-v22x-pqj8: Bagisto is vulnerable to SSTI via name parameters provided by non-admin low-privilege users

### Summary

SSTI is possible via the first name and last name parameters provided by the lowest-privileged users.

### Details

1. Go to `http://127.0.0.1:8000/` and log in or sign up
2. Go to `http://127.0.0.1:8000/customer/account/profile`
3. Now edit the first name and last name to `{{7*7}}`
4. Notice it appears as 49

### POC

Video attached with the report: https://github.com/user-attachments/assets/f93932b5-2a57-4f34-897e-4151a5168912

### Impact

This can lead to RCE or command injection.