Security
Headlines
HeadlinesLatestCVEs

Tag

#java

North Korea-Linked Hackers Target Developers via Malicious VS Code Projects

The North Korean threat actors associated with the long-running Contagious Interview campaign have been observed using malicious Microsoft Visual Studio Code (VS Code) projects as lures to deliver a backdoor on compromised endpoints. The latest finding demonstrates continued evolution of the new tactic that was first discovered in December 2025, Jamf Threat Labs said. "This activity involved

The Hacker News
Open in Source
#web#mac#apple#google#microsoft#nodejs#js#git#java#intel#backdoor#rce#auth#bitbucket#The Hacker News
GHSA-r8w2-w357-9pjv: XDocReport affected by a Server-Side Template Injection (SSTI) vulnerability

A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions.

GHSA-7jc7-g598-2p64: XDocReport affected by an XML External Entity (XXE) vulnerability

An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file.

GHSA-4gpc-rhpj-9443: Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)

### Summary A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. ### Details The vulnerability exists in the `Renderer` component responsible for rendering Mermaid diagrams within chat artifacts. ```TypeScript case 'application/lobe.artifacts.mermaid': { return <Mermaid variant={'borderless'}>{content}</Mermaid>; } ``` The `content` variable, which is derived from user or AI-generated messages, is passed directly to the `<Mermaid>` component without any sanitization. The Mermaid library renders HTML labels (e.g., nodes defined with ["..."]) directly into the DOM. If the content contains malicious HTML tags (like <img onerror=...>), they are executed. In the Desktop version, the application...

GHSA-g6q3-96cp-5r5m: @fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)

### Summary A security vulnerability exists in `@fastify/express` where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. ### Details The vulnerability is caused by how `@fastify/express` matches requests against registered middleware paths. ### PoC **Step 1:** Run the following Fastify application (save as `app.js`): ```javascript const fastify = require('fastify')({ logger: true }); async function start() { // Register fastify-express for Express-style middleware support await fastify.register(require('@fastify/express')); // Middleware to block /admin route fastify.use('/admin', (req, res, next) => { res.statusCode = 403; res.end...

GHSA-cxrg-g7r8-w69p: Fastify Middie Middleware Path Bypass

### Summary A security vulnerability exists in `@fastify/middie` where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. ### Details The vulnerability is caused by how `middie` matches requests against registered middleware paths. 1. **Regex Generation**: When [fastify.use('/admin', ...)](cci:1://file:///Users/harshjaiswal/work/research/nest/packages/platform-fastify/adapters/fastify-adapter.ts:733:2-741:3) is called, `middie` uses `path-to-regexp` to generate a regular expression for the path `/admin`. 2. **Request Matching**: For every request, `middie` executes this regular expression against `req.url` (or `req.originalUrl`). 3. **The Flaw**: `r...

Hackathon Projects Show AI Wellness Apps Can Leak Sensitive User Info

As emotional computing applications proliferate, the security threats they face require frameworks beyond traditional approaches.

Why Secrets in JavaScript Bundles are Still Being Missed

Leaked API keys are no longer unusual, nor are the breaches that follow. So why are sensitive tokens still being so easily exposed? To find out, Intruder’s research team looked at what traditional vulnerability scanners actually cover and built a new secrets detection method to address gaps in existing approaches.  Applying this at scale by scanning 5 million applications revealed over

⚡ Weekly Recap: Fortinet Exploits, RedLine Clipjack, NTLM Crack, Copilot Attack & More

In cybersecurity, the line between a normal update and a serious incident keeps getting thinner. Systems that once felt reliable are now under pressure from constant change. New AI tools, connected devices, and automated systems quietly create more ways in, often faster than security teams can react. This week’s stories show how easily a small mistake or hidden service can turn into a real

Firefox joins Chrome and Edge as sleeper extensions spy on users

Researchers found more sleeper browser extensions that spy on users and install backdoors, this time targeting Firefox users as well.