Security
Headlines
HeadlinesLatestCVEs

Tag

#intel

GHSA-cm54-pfmc-xrwx: Gitea mishandles authorization for deletion of releases

Gitea before 1.25.2 mishandles authorization for deletion of releases.

ghsa
Open in Source
#git#intel#auth
GHSA-xfq3-qj7j-4565: Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources

Gitea before 1.22.3 mishandles access to a private resource upon receiving an API token with scope limited to public resources.

GHSA-rrcw-5rjv-vj26: Gitea doesn't adequately enforce branch deletion permissions after merging a pull request.

In Gitea before 1.22.5, branch deletion permissions are not adequately enforced after merging a pull request.

GHSA-263q-5cv3-xq9g: Gitea allows attackers to add attachments with forbidden file extensions

Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.

ThreatsDay Bulletin: Stealth Loaders, AI Chatbot Flaws AI Exploits, Docker Hack, and 15 More Stories

It’s getting harder to tell where normal tech ends and malicious intent begins. Attackers are no longer just breaking in — they’re blending in, hijacking everyday tools, trusted apps, and even AI assistants. What used to feel like clear-cut “hacker stories” now looks more like a mirror of the systems we all use. This week’s findings show a pattern: precision, patience, and persuasion. The

LastPass 2022 Breach Led to Years-Long Cryptocurrency Thefts, TRM Labs Finds

The encrypted vault backups stolen from the 2022 LastPass data breach have enabled bad actors to take advantage of weak master passwords to crack them open and drain cryptocurrency assets as recently as late 2025, according to new findings from TRM Labs. The blockchain intelligence firm said evidence points to the involvement of Russian cybercriminal actors in the activity, with one of the

Nomani Investment Scam Surges 62% Using AI Deepfake Ads on Social Media

The fraudulent investment scheme known as Nomani has witnessed an increase by 62%, according to data from ESET, as campaigns distributing the threat have also expanded beyond Facebook to include other social media platforms, such as YouTube. The Slovak cybersecurity company said it blocked over 64,000 unique URLs associated with the threat this year. A majority of the detections originated from

GHSA-vww6-79rv-3j4x: Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin

Mattermost versions 11.1.x <= 11.1.0, 11.0.x <= 11.0.5, 10.12.x <= 10.12.3, 10.11.x <= 10.11.7 fail to verify that post actions invoking /share-issue-publicly were created by the Jira plugin which allowed a malicious Mattermost user to exfiltrate Jira tickets when victim users interacted with affected posts

SEC Files Charges Over $14 Million Crypto Scam Using Fake AI-Themed Investment Tips

The U.S. Securities and Exchange Commission (SEC) has filed charges against multiple companies for their alleged involvement in an elaborate cryptocurrency scam that swindled more than $14 million from retail investors. The complaint charged crypto asset trading platforms Morocoin Tech Corp., Berge Blockchain Technology Co., Ltd., and Cirkor Inc., as well as investment clubs AI Wealth Inc., Lane

NYPD Sued Over Possible Records Collected Through Muslim Spying Program

The New York Police Department's “mosque-raking” program targeted Muslim communities across NYC. Now, as the city's first Muslim mayor takes office, one man is fighting—again—to fully expose it.