Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Meta Expands WhatsApp Security Research with New Proxy Tool and $4M in Bounties This Year

Meta on Tuesday said it has made available a tool called WhatsApp Research Proxy to some of its long-time bug bounty researchers to help improve the program and more effectively research the messaging platform's network protocol. The idea is to make it easier to delve into WhatsApp-specific technologies as the application continues to be a lucrative attack surface for state-sponsored actors and

The Hacker News
Open in Source
#vulnerability#ios#mac#google#git#auth#sap#The Hacker News
Researchers Detail Tuoni C2's Role in an Attempted 2025 Real-Estate Cyber Intrusion

Cybersecurity researchers have disclosed details of a cyber attack targeting a major U.S.-based real-estate company that involved the use of a nascent command-and-control (C2) and red teaming framework known as Tuoni. "The campaign leveraged the emerging Tuoni C2 framework, a relatively new, command-and-control (C2) tool (with a free license) that delivers stealthy, in-memory payloads,"

Why it matters when your online order is drop-shipped

Those too-good-to-be-true online deals often come from drop-shipping sellers, and that can leave you holding all the risk.

Beyond IAM Silos: Why the Identity Security Fabric is Essential for Securing AI and Non-Human Identities

Identity security fabric (ISF) is a unified architectural framework that brings together disparate identity capabilities. Through ISF, identity governance and administration (IGA), access management (AM), privileged access management (PAM), and identity threat detection and response (ITDR) are all integrated into a single, cohesive control plane. Building on Gartner’s definition of “identity

Seven npm Packages Use Adspect Cloaking to Trick Victims Into Crypto Scam Pages

Cybersecurity researchers have discovered a set of seven npm packages published by a single threat actor that leverages a cloaking service called Adspect to differentiate between real victims and security researchers to ultimately redirect them to sketchy crypto-themed sites. The malicious npm packages, published by a threat actor named "dino_reborn" between September and November 2025, are

Microsoft Azure Blocks 15.72 Tbps Aisuru Botnet DDoS Attack

Microsoft Azure halted a record 15.72 Tbps DDoS attack from the Aisuru botnet exposing risks created by exposed home devices exploited in large-scale cyber attacks.

Enhance workload security with confidential containers on Azure Red Hat OpenShift

As organizations continue to accelerate digital transformation in the cloud, customers are looking for ways to enhance safeguards for sensitive workloads, especially those in highly regulated industries. As such, confidential computing has become an increasingly prominent way to protect workloads by providing an isolated, hardware-encrypted environment based on a zero-trust security model. To help address this need, we are pleased to announce the general availability of confidential containers on Microsoft Azure Red Hat OpenShift, expected to be delivered in the coming weeks. This feature give

Alice Blue Partners with AccuKnox for Regulatory Compliance

Menlo Park, CA, November 17th, 2025, CyberNewsWire.

GHSA-v5w9-prxf-w882: Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register)

### Summary An unauthenticated attacker can exploit the unprotected registration endpoint (/register) to create a new user and bypass authentication. ### Details Critical vulnerability in Flowise 3.0.1 on-premise deployment allows unauthenticated attackers to exploit the /api/v1/account/register endpoint to add a new user and log in using it, enabling authentication bypass. Meaning that the register functionality is by default open, allowing attackers to create an account and use the api without any restrictions or credentials. ### PoC A Flowise 3.0.1 instance was deployed via Docker for the purpose of this demonstration. ![1 Docker](https://github.com/user-attachments/assets/fb0b8627-63e3-4523-881f-a0ff6352b678) After successful deployment the instance setup organization page allows us to register the first account in the system. ![1 newly deployed instance](https://github.com/user-attachments/assets/39d56738-eb97-469e-b96e-61cd7cec64a8) Creating the first user [research@evasec.io...

GHSA-7xvh-c266-cfr5: @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message

### Description Since version 4.12.0, Dependency-Track users with the `SYSTEM_CONFIGURATION` permission can configure a "welcome message", which is HTML that is to be rendered on the login page for branding purposes. When rendering the welcome message, Dependency-Track versions before 4.13.6 did not properly sanitize the HTML, allowing arbitrary JavaScript to be executed. ### Impact Users with the `SYSTEM_CONFIGURATION` permission (i.e., administrators), can exploit this weakness to execute arbitrary JavaScript for users browsing to the login page. ### Patches The issue has been fixed in version 4.13.6. ### References * The issue was introduced via: https://github.com/DependencyTrack/frontend/pull/986 * The issue was fixed via: https://github.com/DependencyTrack/frontend/pull/1378 ### Credit Thanks to *Jonas Benjamin Friedli* for identifying and responsibly disclosing the issue.