Security Headlines
Hackers Steal Personal Data and 17K Slack Messages in Nikkei Data Breach

Nikkei confirms breach after a virus infected an employee PC, exposing 17,368 names and Slack chat histories. The media giant reported the incident voluntarily.

HackRead
GHSA-cpf4-pmr4-w6cx: IDOR Vulnerabilities in ZITADEL's Organization API allow Cross-Tenant Data Tampering

### Summary

ZITADEL's Organization V2Beta API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users with specific **administrator** roles within one organization to access and modify data belonging to **other** organizations.

### Impact

ZITADEL's Organization V2Beta API, intended for managing ZITADEL organizations, contains multiple endpoints that fail to properly authorize authenticated users. An attacker with an administrator role for a specific organization could exploit this to bypass access controls and perform unauthorized actions on other organizations within the same ZITADEL instance. This could allow an attacker to:

- **Read** organization data, including the name, domains and metadata.
- **Manipulate** (modify) the corresponding organization data.
- **Delete** the corresponding data, up to and including the entire organization.

Note that this vulnerability is limited to organization-level data (name, domains, metadata). **No oth...

GHSA-fvfq-q238-j7j3: WSO2 Carbon Mediation vulnerable to XML External Entity (XXE) attacks

An XML External Entity (XXE) vulnerability exists in multiple WSO2 products due to improper configuration of the XML parser. The application parses user-supplied XML without applying sufficient restrictions, allowing resolution of external entities. A successful attack could enable a remote, unauthenticated attacker to read sensitive files from the server's filesystem or perform denial-of-service (DoS) attacks that render affected services unavailable.

Zohran Mamdani Just Inherited the NYPD Surveillance State

In addition to affordability, New York City’s mayor-elect will be forced to reckon with the NYPD’s sweeping mass surveillance operations.

Severe React Native Flaw Exposes Developer Systems to Remote Attacks

JFrog researchers found a critical RCE vulnerability (CVE-2025-11953) in the popular React Native CLI. Developers using versions 4.8.0 through 20.0.0-alpha.2 must update to patch the flaw.

Why Data Security Is the Key to Transparency in Private Markets

Private markets used to operate behind closed doors, exclusive, informal, and built on personal connections more than structure.…

Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly

Google on Wednesday said it discovered an unknown threat actor using an experimental Visual Basic Script (VB Script) malware dubbed PROMPTFLUX that interacts with its Gemini artificial intelligence (AI) model API to write its own source code for improved obfuscation and evasion. "PROMPTFLUX is written in VBScript and interacts with Gemini's API to request specific VBScript obfuscation and

Researchers Find ChatGPT Vulnerabilities That Let Attackers Trick AI Into Leaking Data

Cybersecurity researchers have disclosed a new set of vulnerabilities impacting OpenAI's ChatGPT artificial intelligence (AI) chatbot that could be exploited by an attacker to steal personal information from users' memories and chat histories without their knowledge. The seven vulnerabilities and attack techniques, according to Tenable, were found in OpenAI's GPT-4o and GPT-5 models. OpenAI has

Should you let Chrome store your driver’s license and passport?

Chrome’s enhanced autofill makes storing your passport and ID easy—but convenience like this can come at a high cost.

GHSA-m35w-xx8c-6xc7: Apache Doris-MCP-Server: Improper Access Control results in bypassing a "read-only" mode

An attacker with a valid read-only account can bypass Doris MCP Server’s read-only mode due to improper access control, allowing modifications that should have been prevented by read-only restrictions.

Impact: Bypasses read-only mode; attackers with read-only access may perform unauthorized modifications.

Recommended action for operators: Upgrade to version 0.6.0 as soon as possible (this release contains the fix).