Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts

Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning (ERP) platforms like Workday, NetSuite, and SuccessFactors to take control of victim accounts. "The extensions work in concert to steal authentication tokens, block incident response capabilities, and enable complete account

The Hacker News
Open in Source
#web#mac#google#auth#chrome#The Hacker News
WhisperPair exposes Bluetooth earbuds and headphones to tracking and eavesdropping

Researchers demonstrated WhisperPair, a set of attacks that can take control of many widely used Bluetooth earbuds and headphones without user interaction.

GHSA-mx8m-v8qm-xwr8: Mattermost is vulnerable to DoS due to infinite re-renders on API errors

Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops.

GHSA-7c2f-r6gc-h92h: Apache Airflow proxy credentials for various providers might leak in task logs

In Apache Airflow versions before 3.1.6, the proxies and proxy fields within a Connection may include proxy URLs containing embedded authentication information. These fields were not treated as sensitive by default and therefore were not automatically masked in log output. As a result, when such connections are rendered or printed to logs, proxy credentials embedded in these fields could be exposed. Users are recommended to upgrade to 3.1.6 or later, which fixes this issue

Operation Endgame: Dutch Police Arrest Alleged AVCheck Operator

Dutch police arrest the alleged AVCheck operator at Schiphol as part of Operation Endgame, a global effort targeting malware services and cybercrime.

Dutch police sell fake tickets to show how easily scams work

A fake ticket website that ended with a digital finger-wag showed just how many people still fall for concert and sports ticket scams.

GHSA-9r42-rhw3-2222: Mattermost is vulnerable to CPU exhaustion via crafted HTTP request

Mattermost versions 10.11.x <= 10.11.8 fail to validate input size before processing hashtags which allows an authenticated attacker to exhaust CPU resources via a single HTTP request containing a post with thousands space-separated tokens.

CVE-2026-21223: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An authenticated local attacker can disable or enable Windows VBS without administrative privileges, resulting in bypass of platform security hardening. This does not grant direct code execution as another user but weakens system security guarantees, enabling follow‑on attacks.

CVE-2026-20960: Microsoft Power Apps Remote Code Execution Vulnerability

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

GHSA-hrvf-g648-rf3m: PlantUML is vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitrary script execution in the context of applications that render the SVG.