Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

Nexar dashcam video database hacked

A hacker cracked into a database of video recordings taken from Nexar-branded cameras, which are built to be placed drivers’ cars,...

Malwarebytes
Open in Source
#web#apple#google#microsoft#amazon#perl#aws#auth
CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity. "Sitecore Experience Manager (XM), Experience

Chess.com Hit by Limited Data Breach Linked to 3rd-Party File Transfer Tool

Chess.com confirms a limited data breach affecting 4,500 users after a third-party file transfer tool was compromised. No…

TAG-150 Develops CastleRAT in Python and C, Expanding CastleLoader Malware Operations

The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT. "Available in both Python and C variants, CastleRAT's core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell," Recorded Future Insikt Group

SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild

A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild. The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month. "SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module

GHSA-hfrj-3w3g-jv32: TkEasyGUI Vulnerable to OS Command Injection

Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote unauthenticated attacker if the settings are configured to construct messages from external sources.

GHSA-ph2w-cx28-vhrq: TkEasyGUI Affected by Uncontrolled Search Path Element Issue

Uncontrolled search path element issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, arbitrary code may be executed with the privilege of running the program.

Model Namespace Reuse Flaw Hijacks AI Models on Google and Microsoft Platforms

A new security vulnerability called ‘Model Namespace Reuse’ allows attackers to hijack AI models on Google, Microsoft, and…

GHSA-8xx5-h6m3-jr33: Presta Shop vulnerable to email enumeration

### Impact An unauthenticated attacker with access to the back-office URL can manipulate the id_employee and reset_token parameters to enumerate valid back-office employee email addresses. Impacted parties: Store administrators and employees: their email addresses are exposed. Merchants: risk of phishing, social engineering, and brute-force attacks targeting admin accounts. ### Patches PrestaShop 8.2.3 ### Workarounds You must upgrade, or at least apply the changes from the PrestaShop 8.2.3 patch. More information: https://build.prestashop-project.org/news/2025/prestashop-8-2-3-security-release/

US Congressman’s Brother Lands No-Bid Contract to Train DHS Snipers

DHS says retired Marine sniper Dan LaLota’s firm is uniquely qualified to meet the government’s needs. LaLota tells WIRED his brother, GOP congressman Nick LaLota, played no role in the contract.