#git

Over 387,000 users downloaded vulnerable Apache Struts versions this week. Exclusive Sonatype research reveals a high-risk flaw found by AI. Is your system at risk?

Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor.

Microsoft on Wednesday announced that it has taken a "coordinated legal action" in the U.S. and the U.K. to disrupt a cybercrime subscription service called RedVDS that has allegedly fueled millions in fraud losses. The effort, per the tech giant, is part of a broader law enforcement effort in collaboration with law enforcement authorities that has allowed it to confiscate the malicious

### Impact Versions of the Algolia Search & Discovery extension for Magento 2 prior to **3.17.2** and **3.16.2** contain a vulnerability where data read from the database was treated as a trusted source during job execution. If an attacker is able to modify records used by the extension’s indexing queue, this could result in **arbitrary PHP code execution** when the affected job is processed. Exploitation requires the ability to write malicious data to the Magento database and for the indexing queue to be enabled. --- ### Patches This vulnerability has been fixed in the following versions: - **3.17.2** - **3.16.2** Merchants should upgrade to a supported patched version immediately. Versions outside the supported maintenance window do **not** receive security updates and remain vulnerable. --- ### Workarounds Upgrading to a patched version is the only recommended remediation. If an immediate upgrade is not possible, the following temporary risk mitigations may reduce expos...

### Impact Attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Othe...

### Summary The `RedirectSlashes` function in middleware/strip.go does not perform correct input validation and can lead to an open redirect vulnerability. ### Details The `RedirectSlashes` function performs a `Trim` to all forward slash (`/`) characters, while prepending a single one at the begining of the path (Line 52). However, it does not trim backslashes (`\`). ```go File: middleware/strip.go 41: func RedirectSlashes(next http.Handler) http.Handler { ... 51: // Trim all leading and trailing slashes (e.g., "//evil.com", "/some/path//") 52: path = "/" + strings.Trim(path, "/") ... 62: } ``` Also, from version 5.2.2 onwards the `RedirectSlashes` function does not take into consideration the `Host` Header in the redirect response returned. This was done in order to combat another [[vulnerability](https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93)](https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93). The above make it possible for a ...

### Summary An **incomplete SQL injection patch** in the Admin Search Find API allows an authenticated attacker to perform **blind SQL injection**. Although CVE-2023-30848 attempted to mitigate SQL injection by removing SQL comments (--) and catching syntax errors, the fix is insufficient. Attackers can still inject SQL payloads that do not rely on comments and infer database information via blind techniques. This vulnerability affects the admin interface and can lead to **database information disclosure**. ### Details The vulnerability exists in the Admin Search Find API endpoint: ``` /admin/search/search/find ``` In CVE-2023-30848, the following patch was applied: - SQL comments are removed by replacing `--` - SQL syntax errors are caught and replaced with a generic exception Relevant commit: https://github.com/pimcore/pimcore/commit/25ad8674886f2b938243cbe13e33e204a2e35cc3 Key changes include: ``` // remove sql comments $fields = str_replace('--', '', $fields); try { $hit...

### Impact The `fetch()` API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor. However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation. ### Patches Upgrade to 7.18.2 or 6.23.0. ### Workarounds It is possible to apply an undici interceptor and filter long `Content-Encoding` sequences manually. ### References * https://hackerone.com/reports/3456148 * https://github.com/advisories/GHSA-gm62-xv2j-4w53 * https://curl.se/docs/CVE-2022-32206.html

The Black Lotus Labs team at Lumen Technologies said it null-routed traffic to more than 550 command-and-control (C2) nodes associated with the AISURU/Kimwolf botnet since early October 2025. AISURU and its Android counterpart, Kimwolf, have emerged as some of the biggest botnets in recent times, capable of directing enslaved devices to participate in distributed denial-of-service (DDoS)

Researchers have discovered VoidLink, a sophisticated new Linux malware framework designed to infiltrate AWS, Google Cloud, and Azure. Learn how this Chinese-affiliated toolkit uses adaptive stealth to stay hidden.