#git

ClickFix just got more convincing, hiding malware in PNG images and faking Windows updates to make users run dangerous commands.

Horsham, United Kingdom, 25th November 2025, CyberNewsWire

A credential disclosure vulnerability was found in Grype, affecting versions `v0.68.0` through `v0.104.0`. If registry credentials are defined and the output of grype is written using the `--file` or `--output json=<file>` option, the registry credentials will be included unsanitized in the output file. ## Impact In Grype versions `v0.68.0` through `v0.104.0`, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue. Registry credentials can be set via the Grype configuration file (e.g. `registry.auth[].username`, `registry.auth[].password`, `registry.auth[].token`) or environment variables (e.g., `GRYPE_REGISTRY_AUTH_USERNAME`, `GRYPE_REGISTRY_AUTH_PASSWORD`, `GRYPE_REGISTRY_AUTH_TOKEN`). In order for the authentication details to be improperly ...

Cybersecurity researchers are calling attention to a new campaign that's leveraging a combination of ClickFix lures and fake adult websites to deceive users into running malicious commands under the guise of a "critical" Windows security update. "Campaign leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising," Acronis said in a

Discover why reliability, scalability, and local support matter more than cost when choosing Australian web hosting for your tech stack.

### Impact OMERO.web uses the jquery-form library throughout to handle form submission and response processing. Due to some unpatched potential vulnerabilities in jquery-form, OMERO.web 5.29.2 and earlier may be susceptible to XSS attacks. ### Patches User should upgrade OMERO.web to 5.29.3 or higher. ### Workarounds None. ### Resources https://github.com/jquery-form/form/issues/604

### Summary Multiple path traversal and unsafe path handling vulnerabilities were discovered in eKuiper prior to the fixes implemented in PR [lf-edge/ekuiper#3911](https://github.com/lf-edge/ekuiper/pull/3911). The issues allow attacker-controlled input (rule names, schema versions, plugin names, uploaded file names, and ZIP entries) to influence file system paths used by the application. In vulnerable deployments, this can permit files to be created, overwritten, or extracted outside the intended directories, potentially enabling disclosure of sensitive files, tampering with configuration or plugin binaries, denial of service, or other host compromise scenarios. Several components used unvalidated user input when constructing filesystem paths or when extracting archives. In each case, input was accepted and used directly in path operations (join, create, delete, extract) without sufficient sanitization or canonicalization, allowing the input to include path separators, `..` segments,...

### Impact An attacker who uses this vulnerability can craft a PDF which leads to a memory usage of up to 1 GB per stream. This requires parsing the content stream of a page using the LZWDecode filter. This is a follow up to [GHSA-jfx9-29x2-rv3j](https://github.com/py-pdf/pypdf/security/advisories/GHSA-jfx9-29x2-rv3j) to align the default limit with the one for *zlib*. ### Patches This has been fixed in [pypdf==6.4.0](https://github.com/py-pdf/pypdf/releases/tag/6.4.0). ### Workarounds If users cannot upgrade yet, use the line below to overwrite the default in their code: ```python pypdf.filters.LZW_MAX_OUTPUT_LENGTH = 75_000_000 ```

### Summary Inserting unsanitized data into the blog tag field in Formwork CMS results in stored cross‑site scripting (XSS). Any user with credentials to the Formwork CMS who accesses or edits an affected blog post will have attacker‑controlled script executed in their browser. Because the issue is persistent and impacts privileged administrative workflows, the severity is elevated. ### Details Formwork CMS fails to properly sanitize data inserted into tags, before saving them and rendering them into the edit blog interface. When a specially crafted tag becomes saved as a tag into the system, it is unable to be removed. Any attempt to remove the tag from the affected post, causes the XSS to trigger once again. Additionally, once the malicious tag is present, managing standard tags becomes impossible. This is due to script execution on attempted modification. This leads to a form of interface lockout where the payload continually reinserts itself due to the stored, unsafe rendering....

### Impact When a Node.js application using the Sentry SDK has `sendDefaultPii: true` it is possible to inadvertently send certain sensitive HTTP headers, including the `Cookie` header, to Sentry. Those headers would be stored within the Sentry organization as part of the associated trace. A person with access to the Sentry organization could then view and use these sensitive values to impersonate or escalate their privileges within a user's application. Users may be impacted if: 1. The Sentry SDK configuration has `sendDefaultPii` set to `true` 2. The application uses one of the Node.js Sentry SDKs with version from `10.11.0` to `10.26.0` inclusively: - @sentry/astro - @sentry/aws-serverless - @sentry/bun - @sentry/google-cloud-serverless - @sentry/nestjs - @sentry/nextjs - @sentry/node - @sentry/node-core - @sentry/nuxt - @sentry/remix - @sentry/solidstart - @sentry/sveltekit Users can check if their project was affected, by visiting Explore → Traces and searching for “http.requ...