Security
Headlines
HeadlinesLatestCVEs

Tag

#intel

GHSA-8hmm-4crw-vm2c: @musistudio/claude-code-router has improper CORS configuration

### Impact Due to improper Cross-Origin Resource Sharing (CORS) configuration, there is a risk that user API Keys or equivalent credentials may be exposed to untrusted domains. Attackers could exploit this misconfiguration to steal credentials, abuse accounts, exhaust quotas, or access sensitive data. ### Patches The issue has been patched in v1.0.34.

ghsa
Open in Source
#vulnerability#web#nodejs#git#intel
GHSA-79j6-g2m3-jgfw: vLLM has remote code execution vulnerability in the tool call parser for Qwen3-Coder

### Summary An unsafe deserialization vulnerability allows any authenticated user to execute arbitrary code on the server if they are able to get the model to pass the code as an argument to a tool call. ### Details vLLM's [Qwen3 Coder tool parser](https://github.com/vllm-project/vllm/blob/main/vllm/entrypoints/openai/tool_parsers/qwen3coder_tool_parser.py) contains a code execution path that uses Python's `eval()` function to parse tool call parameters. This occurs during the parameter conversion process when the parser attempts to handle unknown data types. This code path is reached when: 1. Tool calling is enabled (`--enable-auto-tool-choice`) 2. The qwen3_coder parser is specified (`--tool-call-parser qwen3_coder`) 3. The parameter type is not explicitly defined or recognized ### Impact Remote Code Execution via Python's `eval()` function.

Google settles YouTube lawsuit over kids’ privacy invasion and data collection

Google has settled a lawsuit against YouTube for $30 million but did not admit collecting the data of minors for targeted advertising.

GHSA-3j63-5h8p-gf7c: x402 SDK vulnerable in outdated versions in resource servers for builders

### Impact There is a security vulnerability in outdated versions of the x402 SDK. This does not directly affect users' keys, smart contracts, or funds. This primarily impacts builders working on resource servers. ### Patches Please update to the following package versions: * x402 >= 0.5.2 * x402-next >= 0.5.2 * x402-express >= 0.5.2 * x402-hono >= 0.5.2

Russian State Hackers Exploit 7-Year-Old Cisco Router Vulnerability

FBI and Cisco warn Russian hackers are exploiting a 7-year-old Cisco Smart Install vulnerability on outdated routers and…

Incode Acquires AuthenticID to Enhance AI-Driven Identity Verification

The combination of Incode's AI models and AuthenticID's experience running identity programs at scale in regulated environments will provide customers with holistic fraud signal analysis, multi-modal intelligence, real-time personhood verification, and advanced deepfake detection.

New DripDropper Malware Exploits Linux Flaw Then Patches It Lock Rivals Out

A new report from Red Canary reveals a clever Linux malware called DripDropper that exploits a flaw and…

Experts Find AI Browsers Can Be Tricked by PromptFix Exploit to Run Malicious Hidden Prompts

Cybersecurity researchers have demonstrated a new prompt injection technique called PromptFix that tricks a generative artificial intelligence (GenAI) model into carrying out intended actions by embedding the malicious instruction inside a fake CAPTCHA check on a web page. Described by Guardio Labs an "AI-era take on the ClickFix scam," the attack technique demonstrates how AI-driven browsers,

Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices

A Russian state-sponsored group, Static Tundra, is exploiting an old Cisco IOS vulnerability to compromise unpatched network devices worldwide, targeting key sectors for intelligence gathering.

Agentic AI, Apple Intelligence, EV Chargers: Everyday Cybersecurity Peril Abounds for Businesses

Cybersecurity risks can come from everywhere, as these riveting Dark Reading News Desk videos detail. Check out Part 1 of our broadcast coverage of the top research presented at Black Hat USA 2025.