Security Headlines

Tag: #git
Startup Spotlight: Twine Security Tackles the Execution Gap

The company, one of four finalists in this year's Black Hat USA Startup Spotlight competition, uses a multi-agent system to build AI "digital employees".

DARKReading
FBI Accessed Windows Laptops After Microsoft Shared BitLocker Recovery Keys

If you are using a Windows PC, your privacy and security are nothing short of a myth, and this incident proves it.

Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware

A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT. "The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign," Fortinet FortiGuard Labs researcher Cara Lin said in a technical breakdown published this week. "These documents and

Who Approved This Agent? Rethinking Access, Accountability, and Risk in the Age of AI Agents

AI agents are accelerating how work gets done. They schedule meetings, access data, trigger workflows, write code, and take action in real time, pushing productivity beyond human speed across the enterprise. Then comes the moment every security team eventually hits: “Wait… who approved this?” Unlike users or applications, AI agents are often deployed quickly, shared broadly,

GHSA-j4rc-96xj-gvqc: phpMyFAQ: Public API endpoints expose emails and invisible questions

### Summary

Several public API endpoints return email addresses and non-public records (e.g. open questions with `isVisible=false`).

### Details

`OpenQuestionController::list()` calls `Question::getAll()` with the default `showAll=true`, returning invisible questions and their emails. Similar exposures exist in the comment, news and FAQ APIs.

### PoC

```
curl -i -H 'Accept-Language: en' \
  http://192.168.40.16/phpmyfaq/api/v3.0/open-questions
```

### Impact

Privacy exposure of email addresses and non-public content; increased risk of phishing and scraping.
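
The pattern the advisory describes, as an added Python illustration (not phpMyFAQ's own PHP code): a repository call whose default returns unpublished rows, a public endpoint that relies on that default and serialises whole rows, the hardened version with an explicit visibility filter and a field allow-list, and the response check a reviewer would run against the live endpoint. The dataclass, the sample rows, `get_all`, `show_all` and the two endpoint functions are constructed stand-ins for the advisory's `Question::getAll(showAll=true)` and `OpenQuestionController::list()`.

```python
# Added illustration of the exposure pattern described in GHSA-j4rc-96xj-gvqc.
# Not phpMyFAQ code: the records, function names and the `show_all` flag below are
# constructed stand-ins for the advisory's Question::getAll(showAll=true).
import re
from dataclasses import dataclass, asdict
from typing import Any, Dict, List, Set


@dataclass(frozen=True)
class OpenQuestion:
    id: int
    question: str
    email: str        # submitter's address: needed for moderation, not for the public
    is_visible: bool  # False until a moderator publishes the question


# Constructed sample data (hypothetical); row 2 is unpublished.
QUESTIONS: List[OpenQuestion] = [
    OpenQuestion(1, "How do I reset my password?", "alice@example.org", True),
    OpenQuestion(2, "Why is the internal VPN down again?", "bob@example.org", False),
    OpenQuestion(3, "Is there a mobile app?", "carol@example.org", True),
]


def get_all(show_all: bool = True) -> List[OpenQuestion]:
    """Model of a repository method whose *default* returns unpublished rows too."""
    return [q for q in QUESTIONS if show_all or q.is_visible]


def list_open_questions_vulnerable() -> List[Dict[str, Any]]:
    """Unauthenticated endpoint that relies on the default and serialises whole rows."""
    return [asdict(q) for q in get_all()]


def list_open_questions_hardened() -> List[Dict[str, Any]]:
    """Same endpoint with an explicit visibility filter and an allow-list of fields."""
    public_fields = ("id", "question")
    return [{k: getattr(q, k) for k in public_fields} for q in get_all(show_all=False)]


_EMAIL = re.compile(r"[^@\s\"']+@[^@\s\"']+\.[A-Za-z]{2,}")


def find_emails(payload: Any) -> Set[str]:
    """Walk a JSON-like structure and collect anything shaped like an email address.
    This is the check to run against a public endpoint's decoded response: it does
    not depend on the leaking field being called `email`."""
    found: Set[str] = set()
    if isinstance(payload, dict):
        for v in payload.values():
            found |= find_emails(v)
    elif isinstance(payload, list):
        for v in payload:
            found |= find_emails(v)
    elif isinstance(payload, str):
        found |= set(_EMAIL.findall(payload))
    return found


def leaked_hidden_ids(payload: List[Dict[str, Any]]) -> Set[int]:
    """IDs in the response that belong to rows a moderator has not published."""
    hidden = {q.id for q in QUESTIONS if not q.is_visible}
    return {r["id"] for r in payload if r.get("id") in hidden}


if __name__ == "__main__":
    for name, endpoint in (("vulnerable", list_open_questions_vulnerable),
                           ("hardened", list_open_questions_hardened)):
        body = endpoint()
        print(name, "emails:", sorted(find_emails(body)),
              "hidden rows:", sorted(leaked_hidden_ids(body)))
```

The two checks are independent on purpose: an endpoint can stop returning hidden rows and still leak addresses of the visible ones, so `find_emails` is run over the whole decoded body rather than looking for a particular key.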

GHSA-c32p-wcqj-j677: CometBFT has inconsistencies between how commit signatures are verified and how block time is derived

# CSA-2026-001: Tachyon

## Description

**Name:** CSA-2026-001: Tachyon
**Criticality:** Critical (Catastrophic Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md))
**Affected versions:** All versions of CometBFT
**Affected users:** Validators and protocols relying on block timestamps

## Description

A consensus-level vulnerability was discovered in CometBFT's "BFT Time" implementation due to an inconsistency between how commit signatures are verified and how block time is derived. This breaks a core BFT Time guarantee: "A faulty process cannot arbitrarily increase the Time value."

## Impact

Downstream impact on chains affects any module, smart contract, or system that relies on the block timestamp.

## Patches

The new CometBFT releases [v0.38.21](https://github.com/cometbft/cometbft/releases/tag/v0.38.21) and [v0.37.18](https://github.com/cometbft/cometbft/releases/tag/v0.37.18) fix this issue. The `...
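
The guarantee the advisory quotes comes from the BFT Time rule: a block's time is the voting-power-weighted median of the timestamps carried in the signed commit votes for the previous block, so a faulty minority cannot drag it outside the range of honest timestamps. As an added Python illustration (not CometBFT's Go code), the block below computes that median over the votes whose signatures verified and checks the bound for a faulty validator that signs arbitrary times. The `CommitVote` record, its `sig_ok` flag, the validator names and powers are constructed stand-ins; the page does not say how the real implementation's signature verification and time derivation diverged, and this code does not reproduce that defect.

```python
# Added illustration of the BFT Time rule that CSA-2026-001 refers to. Not CometBFT
# code: the vote record, its `sig_ok` flag and the validator powers are constructed.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CommitVote:
    validator: str
    power: int
    timestamp: int  # the timestamp inside the signed vote, unix seconds
    sig_ok: bool    # outcome of verifying the signature over that vote


def weighted_median_time(votes: List[CommitVote]) -> int:
    """Power-weighted median of the timestamps of the votes whose signature verified.
    Walking the counted votes in ascending timestamp order, the median is the first
    timestamp at which the cumulative power exceeds half of the counted power."""
    counted = [v for v in votes if v.sig_ok]
    if not counted:
        raise ValueError("no verified commit votes")
    remaining = sum(v.power for v in counted) // 2
    for v in sorted(counted, key=lambda v: v.timestamp):
        if v.power > remaining:
            return v.timestamp
        remaining -= v.power
    raise AssertionError("unreachable: cumulative power always exceeds half")


def within_honest_range(votes: List[CommitVote], honest: List[str]) -> bool:
    """The guarantee quoted in the advisory: with faulty power below one third of the
    total, the derived time lies between the smallest and largest honest timestamps."""
    honest_ts = [v.timestamp for v in votes if v.validator in honest and v.sig_ok]
    t = weighted_median_time(votes)
    return min(honest_ts) <= t <= max(honest_ts)


# Constructed commit: honest A, B, C hold 80% of the power, faulty F holds 20%.
HONEST = ["A", "B", "C"]


def commit_with_faulty_time(faulty_ts: int) -> List[CommitVote]:
    return [
        CommitVote("A", 30, 1000, True),
        CommitVote("B", 30, 1002, True),
        CommitVote("C", 20, 1004, True),
        CommitVote("F", 20, faulty_ts, True),  # validly signed, but an arbitrary time
    ]


def faulty_can_move_time(candidates: List[int]) -> bool:
    """True if any faulty timestamp in `candidates` pushes the block time outside
    the honest range; the BFT Time bound says this must stay False."""
    return any(not within_honest_range(commit_with_faulty_time(ts), HONEST)
               for ts in candidates)


if __name__ == "__main__":
    for ts in (0, 1001, 10**9):
        votes = commit_with_faulty_time(ts)
        print(f"faulty ts={ts:>10}: block time {weighted_median_time(votes)}")
```

The bound only means something if the set of votes the median is taken over is exactly the set whose signatures were checked: a vote that fails verification (the `sig_ok=False` case) must contribute neither its power nor its timestamp, which is why the filter and the median live in the same function here.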

GHSA-wvqx-m5px-6cmp: XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages

### Impact

A reflected cross-site scripting (XSS) vulnerability in XWiki allows an attacker to execute arbitrary actions in XWiki with the rights of the victim if the attacker manages to trick the victim into visiting a crafted URL. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation.

### Patches

This vulnerability has been patched in XWiki 17.8.0RC1, 17.4.5 and 16.10.12.

### Workarounds

The [patch](https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf#diff-8f16efedd19baae025db602d8736a105bfd8f72676af2c935b8195a0c356ee71) can be applied manually: only a single line in `templates/logging_macros.vm` needs to be changed, and no restart is required.

### References

* https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf
* https://jira.xwiki.org/browse/XWIKI-23462

### Attribution

We thank Mike Cole @mikecole-mg for discovering and reporting this v...

Spammers abuse Zendesk to flood inboxes with legitimate-looking emails, but why?

Spammers are abusing Zendesk to flood inboxes with emails from trusted brands. There’s no phishing or malware—just noise.

Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access

Cybersecurity researchers have disclosed details of a new dual-vector campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts. "Instead of deploying custom viruses, attackers are bypassing security perimeters by weaponizing the necessary IT tools that administrators trust," KnowBe4 Threat