#java

SAP on Tuesday released security updates to address multiple security flaws, including three critical vulnerabilities in SAP Netweaver that could result in code execution and the upload arbitrary files. The vulnerabilities are listed below - CVE-2025-42944 (CVSS score: 10.0) - A deserialization vulnerability in SAP NetWeaver that could allow an unauthenticated attacker to submit a malicious

### Summary Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. ### Details During a security evaluation of the webapp, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerabi...

Element Plus Link component (el-link) prior to 2.11.0 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol validation, URL sanitization, or security headers. This allows attackers to inject malicious URLs using dangerous protocols (javascript:, data:, file:) or redirect users to external malicious sites. While native HTML anchor elements present similar risks, UI component libraries bear additional responsibility for implementing security safeguards and providing clear risk documentation. The vulnerability enables XSS attacks, phishing campaigns, and open redirect exploits affecting applications that use Element Plus Link components with user-controlled or untrusted URL inputs.

A stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript through Custom Object field label. The malicious payload is stored and executed through Process Builder's Configuration tab without proper escaping.

At least 18 popular JavaScript code packages that are collectively downloaded more than two billion times each week were briefly compromised with malicious software today, after a developer involved in maintaining the projects was phished. The attack appears to have been quickly contained and was narrowly focused on stealing cryptocurrency. But experts warn that a similar attack with a slightly more nefarious payload could quickly lead to a disruptive malware outbreak that is far more difficult to detect and restrain.

Aikido Security flagged the largest npm attack ever recorded, with 18 packages like chalk, debug, and ansi-styles hacked…

Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop. While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing

GhostAction supply chain attack hit 817 GitHub repositories, stealing 3,325 secrets including npm, PyPI, and DockerHub tokens.

### Impact When establishing a TLS session using `fs2-io` on the JVM using the `fs2.io.net.tls` package, if one side of the connection shuts down write while the peer side is awaiting more data to progress the TLS handshake, the peer side will spin loop on the socket read, fully utilizing a CPU. This CPU is consumed until the overall connection is closed. This could be used as a denial of service attack on an fs2-io powered server -- for example, by opening many connections and putting them in a half-shutdown state. Note: this issue impacts ember backed http4s servers with HTTPS as a result of ember using fs2's TLS support. ### Patches Fixed in fs2 3.12.2 and 3.13.0-M7. ### Workarounds No workarounds. ### For more information If you have any questions or comments about this advisory: [Open an issue.](https://github.com/typelevel/fs2/issues/new/choose) Contact the [Typelevel Security Team](https://github.com/typelevel/.github/blob/main/SECURITY.md).

Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system. The SVG files, according to VirusTotal, are distributed via email and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing page masquerading as a