Latest News

ClickFunnels is investigating a data breach after hackers leaked detailed business data, including emails, phone numbers, and company…

A business logic vulnerability in Easy Appointments v1.5.1 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

### Impact It is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user account with permissions to create event definitions, while the user must have permissions to view alerts. Additionally, an active Input must be present on the Graylog server that is capable of receiving form data (e.g. a HTTP input, TCP raw or syslog etc). ### Patches ### Workarounds None, as long as the relatively rare prerequisites are met. Analysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd

### Impact Two minor vulnerabilities were identified in the Graylog2 enterprise server, which can be combined to carry out a stored cross-site scripting attack. An attacker with the permission `FILES_CREATE` can exploit these vulnerabilities to upload arbitrary Javascript code to the Graylog2 server, which - upon requesting of the file by a user of the API browser - results in the execution of this Javascript code in the context of the Graylog frontend application. This enables the attacker to carry out authenticated API requests with the permissions of the logged-in user, thereby taking over the user session. ### Patches The generic API has been removed in 6.2.0 rendering the attack vector unreachable and additional escaping has been added. Analysis provided by Fabian Yamaguchi - Whirly Labs (Pty) Ltd

`Match::get()` and `Match::ptr()` lack sufficient bounds checks, leading to potential out of bounds reads.

### Impact #### Mithril certification of Cardano database The Mithril network provides certification for snapshots of the Cardano database, enabling users to quickly bootstrap a Cardano node without relying on the slower peer-to-peer synchronization process. To generate a multi-signature, a minimum threshold of Cardano stake registered in the protocol must agree on signing the same message. In this context, a digest is computed from the internal files of the Cardano node's database. However, this mechanism has certain limitations. Specifically, some files are not identically generated across all Cardano nodes, and there is no API to provide consistent snapshots at a specific beacon on the Cardano chain: - All immutable files, except the last one (which is still being created), are used to compute the message - The last immutable file is excluded from the signature - The ledger state files are also excluded from the signature. #### Cardano node startup sequence A Cardano node can ...

US jury orders NSO Group to pay $168M to WhatsApp and Meta over Pegasus spyware use in 2019…

Europol has announced the takedown of distributed denial of service (DDoS)-for-hire services that were used to launch thousands of cyber-attacks across the world. In connection with the operation, Polish authorities have arrested four individuals and the United States has seized nine domains that are associated with the now-defunct platforms. "The suspects are believed to be behind six separate

A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug impacting all versions of the plugin prior to and including version 1.0.82.  "This is due to the create_wp_connection() function missing a capability check and

The FBI has warned scammers are impersonating the IC3, tricking victims by claiming to be able to recover funds.