#auth

### Summary A directory traversal vulnerability in NiceGUI's `App.add_media_files()` allows a remote attacker to read arbitrary files on the server filesystem. ### Details Hello, I am Seungbin Yang, a university student studying cybersecurity. While reviewing the source code of the repository, I discovered a potential vulnerability and successfully verified it with a PoC. The `App.add_media_files(url_path, local_directory)` method allows users to serve media files. However, the implementation lacks proper path validation. ```python def add_media_files(self, url_path: str, local_directory: Union[str, Path]) -> None: @self.get(url_path.rstrip('/') + '/{filename:path}') def read_item(request: Request, filename: str, nicegui_chunk_size: int = 8192) -> Response: filepath = Path(local_directory) / filename if not filepath.is_file(): raise HTTPException(status_code=404, detail='Not Found') return get_range_response(filepath, request, chunk_siz...

The NCSC warns that prompt injection is unlikely to be mitigated in the same way SQL injection was. How do they compare?

SimpleX Chat’s X account hacked to promote fake crypto site urging users to connect wallets. Site mimicked official design to steal funds.

The core problem persists: anyone can still buy a 'verified' checkmark from X, so don't take their authenticity for granted.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/Low attack complexity Vendor: D-Link (India Limited), Sparsh Securitech, Securus CCTV Equipment: DCS-F5614-L1 Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could result in information disclosure including capture of camera account credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following D-Link CCTV camera model is confirmed to be affected; specific affected models for Sparsh Securitech and Securus CCTV are unavailable: DCS-F5614-L1: Versions v1.03.038 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL. CVE-2025-13607 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is ...

Attackers are blending automation, impersonation, and social engineering to get inside organizations. Here’s how to spot the signs.

Zero Trust helps organizations shrink their attack surface and respond to threats faster, but many still struggle to implement it because their security tools don’t share signals reliably. 88% of organizations admit they’ve suffered significant challenges in trying to implement such approaches, according to Accenture. When products can’t communicate, real-time access decisions break down. The

Cisco Talos has uncovered a new DeadLock ransomware campaign using a previously unknown BYOVD loader to exploit a Baidu Antivirus driver vulnerability, letting threat actors disable EDR defenses and escalate attacks.

Canadian organizations have emerged as the focus of a targeted cyber campaign orchestrated by a threat activity cluster known as STAC6565. Cybersecurity company Sophos said it investigated almost 40 intrusions linked to the threat actor between February 2024 and August 2025. The campaign is assessed with high confidence to share overlaps with a hacking group known as Gold Blade, which is also

Use after free in Windows Shell allows an authorized attacker to elevate privileges locally.