#auth

### Impact If Windows MDM is enabled, an attacker could exploit a cross-site scripting (XSS) vulnerability by convincing an authenticated Fleet user to visit a malicious link. Successful exploitation could allow retrieval of the user’s Fleet authentication token from their browser. A compromised authentication token may grant administrative access to the Fleet API, allowing an attacker to perform privileged actions such as deploying scripts to managed hosts. This issue does not allow unauthenticated access and does not affect instances where Windows MDM is disabled. ### Patches - 4.78.2 - 4.77.1 - 4.76.2 - 4.75.2 - 4.53.3 ### Workarounds If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. ### For more information If you have any questions or comments about this advisory: Email us at [security@fleetdm.com](mailto:security@fleetdm.com) Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DB...

Atlanta, GA, United States, 20th January 2026, CyberNewsWire

Internal ICE planning documents propose spending up to $50 million on a privately run network capable of shipping immigrants in custody hundreds of miles across the Upper Midwest.

### Summary A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations. ### Details Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated. This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state. ### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state The impact is limited to applications using client-side cookie storage for sessions. Ap...

The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The latest finding demonstrates continued evolution of the new tactic that was first discovered in December 2025, Jamf Threat Labs said. "This activity involved

### Summary ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. ### Details ChatterBot relies on SQLAlchemy for database access and uses a connection pool with default limits. The get_response() method does not enforce concurrency limits, rate limiting, or explicit session lifecycle controls. When multiple threads concurrently invoke get_response(), database connections are rapidly consumed and not released in a timely manner. This leads to exhaustion of the SQLAlchemy QueuePool, causing subsequent requests to block and eventually fail with a TimeoutError. This issue can be triggered without authentication in deployments where ChatterBot is exposed as a chatbot service, making it exploitable by...

Huntress discovers 'CrashFix,' a new attack by KongTuke hacker group using fake ad blockers to crash browsers and trick office workers into installing ModeloRAT malware.

### Summary `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. ### Details `userId` filter in the database query is commented out, so it's enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID. ### PoC ``` ATTACKER_TOKEN="xx" VICTIM_KB="kb_tuLBfskdDN1r" VICTIM_FILE="file_v5wCNLqSaoPp" curl -X POST "https://localhost/trpc/lambda/knowledgeBase.removeFilesFromKnowledgeBase?batch=1" -H "Content-Type: application/json" -b "__Secure-better-auth.session_token=$ATTACKER_TOKEN" -d '{"0":{"json":{"knowledgeBaseId":"'"$VICTIM_KB"'","ids":["'"$VICTIM_FILE"'"]}}}' ``` Response: `{"result":{"data":{"json":{"command":"DELETE","rowCount":1,"oid":null,"rows":[],"fields":[]}}}}` ### Impact An attacker can delete files from any user's KB. RAG/AI functionality broken when files removed. It could cause loss of important documents, proprietary data etc. Wh...

# Kimai 2.45.0 - Authenticated Server-Side Template Injection (SSTI) ## Vulnerability Summary | Field | Value | |-------|-------| | **Title** | Authenticated SSTI via Permissive Export Template Sandbox || **Attack Vector** | Network | | **Attack Complexity** | Low | | **Privileges Required** | High (Admin with export permissions and server access) | | **User Interaction** | None | | **Impact** | Confidentiality: HIGH (Credential/Secret Extraction) | | **Affected Versions** | Kimai 2.45.0 (likely earlier versions) | | **Tested On** | Docker: kimai/kimai2:apache-2.45.0 | | **Discovery Date** | 2026-01-05 | --- **Why Scope is "Changed":** The extracted `APP_SECRET` can be used to forge Symfony login links for ANY user account, expanding the attack beyond the initially compromised admin context. --- ## Vulnerability Description Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects av...

The new EU-funded GCVE project is breaking dependence on US databases to track software flaws. Discover how this decentralised system aims to ensure global cybersecurity.