Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-2gxp-6r36-m97r: Cadwyn vulnerable to XSS on the docs page

### Summary The `version` parameter of the `/docs` endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. ### PoC 1. Setup a minimal app following the quickstart guide: https://docs.cadwyn.dev/quickstart/setup/ 2. Click on the following PoC link: http://localhost:8000/docs?version=%27%2balert(document.domain)%2b%27 ### Impact Refer to this [security advisory](https://github.com/Visionatrix/Visionatrix/security/advisories/GHSA-w36r-9jvx-q48v) for an example of the impact of a similar vulnerability that shares the same root cause. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on `Cadwyn` via a one-click attack. A CVSS for the average case may be: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L ### Details The vulnerable code snippet can be found in the 2 functions `swagger_dashboard` and `redoc_dashboard`: https://github.com/zmievsa/cadwyn/blob/main/cadwyn/applications.py#L387-L413 The implementation...

ghsa
Open in Source
#xss#vulnerability#js#git#java#oauth#auth
“Ring cameras hacked”? Amazon says no, users not so sure

Ring users on TikTok, Reddit, and X are reporting multiple unauthorized device logins all dating back to May 28.

About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability

About Remote Code Execution – Internet Shortcut Files (CVE-2025-33053) vulnerability. A vulnerability from the June Microsoft Patch Tuesday. This vulnerability immediately showed signs of exploitation in the wild. This flaw allows a remote attacker to execute arbitrary code when a victim opens a specially crafted .url file, delivered, for example, through a phishing attack. 🔹 The […]

About Remote Code Execution – Roundcube (CVE-2025-49113) vulnerability

About Remote Code Execution – Roundcube (CVE-2025-49113) vulnerability. Roundcube is a popular open-source webmail client (IMAP). An authenticated attacker can exploit this vulnerability to execute arbitrary code on the Roundcube Webmail server. The issue is caused by the Deserialization of Untrusted Data (CWE-502). 🔹 On June 1, the vendor released patched versions 1.6.11 and 1.5.10. […]

SquidLoader Malware Campaign Hits Hong Kong Financial Firms

Trellix exposes SquidLoader malware targeting Hong Kong, Singapore, and Australia's financial service institutions. Learn about its advanced evasion tactics and stealthy attacks.

Chinese Groups Launder $580M in India Using Fake Apps and Mule Accounts

CloudSEK’s new report uncovers how Chinese cyber syndicates are laundering over $600 million annually in India. Learn about…

Malware Injected into 6 npm Packages After Maintainer Tokens Stolen in Phishing Attack

Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers' npm tokens. The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories. The list of affected

GHSA-f29h-pxvx-f335: eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.

At Least 750 US Hospitals Faced Disruptions During Last Year’s CrowdStrike Outage, Study Finds

Of those, more than 200 appear to have had outages of services related to patient care following CrowdStrike’s disastrous crash, researchers have revealed.

China’s Salt Typhoon Hackers Breached the US National Guard for Nearly a Year

Plus: Secret IRS data-sharing with ICE, a 20-year-old hackable vulnerability in train brakes, and more.