#java

### Impact Anyone using untrusted message components may be affected. On versions >=6.0.0,<6.1.3 of JDA, the requester will attempt to download external media URLs from components if they are used in an update or send request. If you are used `Message#getComponents` or similar to get a list of components and then send those components with `sendMessageComponents` or other methods, you might unintentionally download media from an external URL in the resolved media of a `Thumbnail`, `FileDisplay`, or `MediaGallery`. ### Patches This bug has been fixed in 6.1.3, and we recommend updating. ### Workarounds Avoid sending components from untrusted messages or update to version 6.1.3.

### Summary A potential vulnerability exists in ZITADEL's logout endpoint in login V2. This endpoint accepts serval parameters including a `post_logout_redirect`. When this parameter is specified, users will be redirected to the site that is provided via this parameter. ZITADEL's login UI did not ensure that this parameter contained an allowed value and even executed passed scripts. ### Impact Zitadel is vulnerable to a DOM-Based XSS vulnerability. More specifically, the /logout endpoint insecurely routed to value that is supplied in the post_logout_redirect GET parameter. As a result, malicious JS code could be executed on Zitadel users’ browsers, in the Zitadel V2 Login domain. An unauthenticated remote attacker can exploit this DOM-based XSS vulnerability, and thus, execute malicious JavaScript code on behalf of Zitadel users. By doing so, such an attacker could reset the password of their victims, and take over their accounts. Note that for this to work, multiple user sessions...

## Summary Arbitrary Remote Code Execution on development server via unsafe dynamic imports in `@vitejs/plugin-rsc` server function APIs (`loadServerAction`, `decodeReply`, `decodeAction`) when integrated into RSC applications that expose server function endpoints. ## Impact Attackers with network access to the development server can execute arbitrary JavaScript code with Node.js privileges, allowing them to read/modify files, exfiltrate sensitive data (source code, environment variables, credentials), or pivot to other internal services. While this affects development servers only, the risk increases when using `vite --host` to expose the server on all network interfaces. ## Details In the example RSC application provided in Proof of Concept, the server handles server function call through API such as `loadServerAction`, `decodeReply`, `decodeAction` with http request's header and body as inputs: https://github.com/vitejs/vite-plugin-react/blob/c8af971f57f12d0190d7fd8829a429f5e...

### Summary A Cross-Site Scripting (XSS) vulnerability exists in the `ui.interactive_image` component of NiceGUI (v3.3.1 and earlier). The component renders SVG content using Vue's `v-html` directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG `<foreignObject>` tag. ### Details The vulnerability is located in `nicegui/elements/interactive_image.js`. The component uses the following code to render content: ```javascript <g v-html="content"></g> ``` Vue's v-html directive renders raw HTML strings into the DOM. If an application allows user-controlled input to be passed to the content property of an interactive image, an attacker can embed a <foreignObject> tag containing malicious scripts, bypassing typical image restrictions. ### PoC ```python from nicegui import ui @ui.page('/') def main(): ui.label('NiceGUI SVG XSS PoC') # Standard image loading img = ui.interactive_image('[https://picsum.photos/640/360](https:...

### Summary A Cross-Site Scripting (XSS) vulnerability exists in `ui.add_css`, `ui.add_scss`, and `ui.add_sass` functions in NiceGUI (v3.3.1 and earlier). These functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended `<style>` or `<script>` tags by injecting closing tags (e.g., `</style>` or `</script>`), allowing for the execution of arbitrary JavaScript. ### Details The vulnerability stems from how these functions inject content into the DOM using `client.run_javascript` (or `add_head_html` internally) without sufficient escaping for the transport layer. * **`ui.add_css`**: Injects content into a `<style>` tag. Input containing `</style>` closes the tag prematurely, allowing subsequent HTML/JS injection. * **`ui.add_scss` / `ui.add_sass`**: These rely on client-side compilation within `<script>` tags. Input containing `</script>` breaks the execut...

Securonix Threat Research details the complex JS#SMUGGLER campaign, a three-step web attack using obfuscated JavaScript and hidden HTA files to install the NetSupport RAT on user Windows desktops, granting hackers full remote control and persistent access.

Cybersecurity researchers are calling attention to a new campaign dubbed JS#SMUGGLER that has been observed leveraging compromised websites as a distribution vector for a remote access trojan named NetSupport RAT. The attack chain, analyzed by Securonix, involves three main moving parts: An obfuscated JavaScript loader injected into a website, an HTML Application (HTA) that runs encrypted

We found a campaign that hosts fake login pages on Cloudflare Pages and sends the stolen info straight to Telegram.

### Summary Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are *not* affected. ### Details During the decompression process, the lz4 algorithm may have to repeat data that was previously decompressed in the same input frame. In the Java implementation, this is implemented by copy operations within the output buffer. With a crafted input, an attacker may induce the Java implementation to copy from a region in the output buffer that does not contain decompressed data yet. If that region contains sensitive information because the output buffer was not cleared prior to decompression, that data will then be copied to the decompressed output. - `LZ4Factory.nativeInstance().safeDecompresso...

A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack. The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity. "Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an