#git

### Impact Since [v2.0.25](https://github.com/miniflux/v2/releases/tag/2.0.25), Miniflux will automatically [proxy](https://miniflux.app/docs/configuration.html#proxy-images) images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the `html.ServerError` is [returned](https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L76) unescaped without the expected Content Security Policy [header](https://github.com/miniflux/v2/blob/b2fd84e0d376a3af6329b9bb2e772ce38a25c31c/ui/proxy.go#L90) added to valid responses. By creating an RSS feed item with the inline description containing an `<img>` tag with a `srcset` attribute pointing to an invalid URL like `http:a<script>alert(1)</script>`, we can coerce the proxy handler into an error condition where the invalid URL is returned unescaped and in full. This results in JavaScript execution on the Miniflux instance as soon as the user is convinced (e.g. ...

Jenkins Templating Engine Plugin allows defining libraries both in the global configuration, as well as scoped to folders containing the pipelines using them. While libraries in the global configuration can only be set up by administrators and can therefore be trusted, libraries defined in folders can be configured by users with Item/Configure permission. In Templating Engine Plugin 2.5.3 and earlier, libraries defined in folders are not subject to sandbox protection. This vulnerability allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. In Templating Engine Plugin 2.5.4, libraries defined in folders are subject to sandbox protection.

Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.

Jenkins AsakusaSatellite Plugin 0.1.1 and earlier stores AsakusaSatellite API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them. As of publication of this advisory, there is no fix.

China-linked APT group FamousSparrow hits targets in the Americas using upgraded SparrowDoor malware in new cyberespionage campaign, ESET reports.

### Summary `image-size` is vulnerable to a Denial of Service vulnerability when processing specially crafted images. The issue occurs because of an infine loop in `findBox` when processing certain images with a box with size `0`. ### Details If the first bytes of the input does not match any bytes in `firstBytes`, then the package tries to validate the image using other handlers: ```js // https://github.com/image-size/image-size/blob/v1.2.0/lib/detector.ts#L20-L31 export function detector(input: Uint8Array): imageType | undefined { const byte = input[0] if (byte in firstBytes) { const type = firstBytes[byte] if (type && typeHandlers[type].validate(input)) { return type } } const finder = (key: imageType) => typeHandlers[key].validate(input) //<-- return keys.find(finder) } ``` Some handlers that call `findBox` to validate or calculate the image size are `jxl`, `heif` and `jp2`. `JXL` handler calls `findBox` inside `validate`. To reach the `findBox` ...

About Remote Code Execution – Apache Tomcat (CVE-2025-24813) vulnerability. Apache Tomcat is an open-source software that provides a platform for Java web applications. The vulnerability allows a remote attacker to upload and execute arbitrary files on the server due to flaws in the handling of uploaded session files and the deserialization mechanism. 🔻 The vendor’s […]

A critical vulnerability (CVE-2025-1268) in Canon printer drivers allows remote code execution. See which drivers are affected, how to patch them.

Cybersecurity researchers have discovered an updated version of a malware loader called Hijack Loader that implements new features to evade detection and establish persistence on compromised systems. "Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls)," Zscaler ThreatLabz researcher Muhammed Irfan V A said in

### Summary The PROXY command is accepted multiple times, allowing a client to spoof its IP address when the proxy protocol is being used. ### Details When ProxyOn is enabled, [it looks like the PROXY command will be accepted multiple times](https://github.com/phires/go-guerrilla/blob/fca3b2d8957a746997c7e71fca39004f5c96e91f/server.go#L495), with later invocations overriding earlier ones. The proxy protocol only supports one initial PROXY header; anything after that is considered part of the exchange between client and server, so the client is free to send further PROXY commands with whatever data it pleases. go-guerrilla will treat these as coming from the reverse proxy, allowing a client to spoof its IP address. Note that the format of the PROXY header is [well-defined](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). It probably shouldn't be treated as an SMTP command; parsing it the same way is likely to result in odd behavior and could lead to other vulnerabili...