#java

A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in

When an application passed an attacker controlled float poing number into the `toFixed()` function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: `NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult` where `pow5mult` attempts to raise `5` to a ridiculous power. Example code: `(4.47118444E-314).toFixed(2)`

### Impact Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. ### Workaround If the standard CSP rules are active (default in production mode), an exploit isn't possible. ### Credits Lwin Min Oo <lwinminoo2244@gmail.com>

Your antivirus scans files. But what about attacks that never create files? Here's how we catch the threats hiding on your family's computers.

After seven years of acting like normal add-ons, five popular Chrome and Edge extensions with millions of installs suddenly turned malicious.

North Korean hackers escalated the "Contagious Interview" attack, flooding the npm registry with over 200 malicious packages to install OtterCookie malware. This attack targets blockchain and Web3 developers through fake job interviews and coding tests.

A Stored Cross-Site Scripting (XSS) vulnerability in Calibre-Web v0.6.25 allows attackers to inject malicious JavaScript into the 'username' field during user creation. The payload is stored unsanitized and later executed when the /ajax/listusers endpoint is accessed.

The supply chain campaign known as GlassWorm has once again reared its head, infiltrating both Microsoft Visual Studio Marketplace and Open VSX with 24 extensions impersonating popular developer tools and frameworks like Flutter, React, Tailwind, Vim, and Vue. GlassWorm was first documented in October 2025, detailing its use of the Solana blockchain for command-and-control (C2) and harvest npm,

Google’s December update fixes two Android bugs that criminals are actively exploiting. Update as soon as you can.

## Summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `/admin/pages/[page]` endpoint of the _Grav_ application. This vulnerability allows attackers to inject malicious scripts into the `data[header][template]` parameter. The script is saved within the page's frontmatter and executed automatically whenever the affected content is rendered in the administrative interface or frontend view. --- ## Details **Vulnerable Endpoint:** `POST /admin/pages/[page]` **Parameter:** `data[header][template]` The application fails to properly sanitize user input in the `data[header][template]` field, which is stored in the YAML frontmatter of the page. An attacker can inject JavaScript code using this field, and the payload is rendered and executed when the page is accessed, especially within the Admin Panel interface. --- ## PoC **Payload:** `<script>alert('PoC-XXS73')</script>` ### Steps to Reproduce: 1. Log in to the _Grav_ Admin Panel and navigate to **Pages...