Tag
#git
### Summary Reflected XSS in /api/icon/getDynamicIcon due to unsanitized SVG input. ### Details The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. ### PoC Payload: `test</text><script>alert(window.origin)</script><text>` 1. Open any note and click Change Icon -> Dynamic (Text). <img width="713" height="373" alt="image" src="https://github.com/user-attachments/assets/8a4f5ec4-81d6-46cb-8872-841cb2188ed8" /> 2. Change color and paste the payload into the Custom field and click on this icon. <img width="935" height="682" alt="image" src="https://github.com/user-attachments/assets/24d28fbd-a3ce-44f1-a5bb-2cc3f711faf5" /> 3. Intercept and send the request or get path from devtools <img width="1229" height="627" alt="image" src="https://github.com/use...
A vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code would issue API requests before showing the trust prompt, including potentially leaking the user's API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
2025 has been a year of innovation in automation for customers of Red Hat Ansible Automation Platform. Here are just a few stories from customers that exemplify how Ansible Automation Platform has helped organizations turn automation into a foundation for long-term success.Automation as the foundation for enterprise growthIn 2025, automation evolved from a tactical tool into the foundational architecture for organizations to scale, operate, and adapt. Customers adopted Ansible Automation Platform as a centralized automation control plane, integrating it with other platforms like Red Hat Enterp
### Impact If Windows MDM is enabled, an attacker can enroll rogue devices by submitting a forged JWT containing arbitrary identity claims. Due to missing JWT signature verification, Fleet accepts these claims without validating that the token was issued by Azure AD, allowing enrollment under any Azure AD user identity. ### Patches - 4.78.3 - 4.77.1 - 4.76.2 - 4.75.2 - 4.53.3 ### Workarounds If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. ### For more information If you have any questions or comments about this advisory: Email us at [security@fleetdm.com](mailto:security@fleetdm.com) Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)
### Impact Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. ### Patches - 4.78.3 - 4.77.1 - 4.76.2 - 4.75.2 - 4.53.3 ### Workarounds If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist. ### For more information If you have any questions or comments about this advisory: Email us at [security@fleetdm.com](mailto:security@fleetdm.com) Join #fleet in [osquery Slack](https://join.slack.com/t/osquery/shared_invite/zt-h29zm0gk-s2DBtGUTW4CFel0f0IjTEw)
Atlanta, GA, United States, 20th January 2026, CyberNewsWire
### Summary A race condition in Turbo Frames allows delayed HTTP responses to restore stale session cookies after session-modifying operations. ### Details Browsers automatically process Set-Cookie headers from HTTP responses. When a Turbo Frame request is in-flight during a session-modifying action (such as logout), the delayed response may include a Set-Cookie header reflecting the session state at request time. This can result in stale session cookies being restored after the session was intentionally modified or invalidated. This condition can occur naturally on slow networks. An active network attacker capable of delaying responses could potentially exploit this to restore previous session state. ### Impact Applications using Turbo Frames with cookie-based session storage may experience: - Session state reversion after logout - Unintended restoration of previous authentication state The impact is limited to applications using client-side cookie storage for sessions. Ap...
The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The latest finding demonstrates continued evolution of the new tactic that was first discovered in December 2025, Jamf Threat Labs said. "This activity involved
### Summary ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. ### Details ChatterBot relies on SQLAlchemy for database access and uses a connection pool with default limits. The get_response() method does not enforce concurrency limits, rate limiting, or explicit session lifecycle controls. When multiple threads concurrently invoke get_response(), database connections are rapidly consumed and not released in a timely manner. This leads to exhaustion of the SQLAlchemy QueuePool, causing subsequent requests to block and eventually fail with a TimeoutError. This issue can be triggered without authentication in deployments where ChatterBot is exposed as a chatbot service, making it exploitable by...
A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.