Tag
#rce
SolarWinds has released hot fixes to address a critical security flaw impacting its Web Help Desk software that, if successfully exploited, could allow attackers to execute arbitrary commands on susceptible systems. The vulnerability, tracked as CVE-2025-26399 (CVSS score: 9.8), has been described as an instance of deserialization of untrusted data that could result in code execution. It affects
The security landscape now moves at a pace no patch cycle can match. Attackers aren’t waiting for quarterly updates or monthly fixes—they adapt within hours, blending fresh techniques with old, forgotten flaws to create new openings. A vulnerability closed yesterday can become the blueprint for tomorrow’s breach. This week’s recap explores the trends driving that constant churn: how threat
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization's network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM). "Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server,"
### Summary We identified a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating a compromised MCP server, or leveraging tool integrations, can exploit this vulnerability. ### Vulnerability Details **XSS via SVG Rendering** In lobe-chat, when the response from the server is like `<lobeArtifact identifier="ai-new-interpretation" ...>` , it will be rendered with the `lobeArtifact` node, instead of the plain text. https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Conversation/components/MarkdownElements/LobeArtifact/rehypePlugin.ts#L50-L68 https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Conversation/components/MarkdownElements/LobeArtifact/index.ts#L7-L11 https://github...
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: Asset Suite Vulnerabilities: Server-Side Request Forgery (SSRF), Deserialization of Untrusted Data, Cleartext Storage of Sensitive Information, Uncontrolled Resource Consumption, URL Redirection to Untrusted Site ('Open Redirect'), Improper Authentication 2. RISK EVALUATION Successful exploitation of this vulnerability could allow attackers to trigger resource consumption or information disclosure through SSRF in Apache XML Graphics Batik, mount a Denial-Of-Service attack via poisoned data in logback, discover cleartext passwords in H2 Database Engine, fill up the file system in Apache CXF, perform open redirect or SSRF attacks through UriComponentsBuilder, and execute arbitrary code in Apache ActiveMQ. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports that the following products are affected: Asset Suite: Versions 9.6.4.5 and prior 3.2 VULN...
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: Service Suite Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow attackers to compromise Oracle WebLogic Server, resulting in potential impacts on confidentiality, integrity, and availability. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports that the following products are affected: Service Suite: Versions prior to 9.6.0.4 EP4 3.2 VULNERABILITY OVERVIEW 3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502 Easily exploitable vulnerability allows unauthenticated attacker with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVE-2020-2883 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N...
### Impact A peer exposes the gRPC API and HTTP API for consumption by other peers. These APIs allow peers to send requests that force the recipient peer to create files in arbitrary file system locations, and to read arbitrary files. This allows peers to steal other peers’ secret data and to gain remote code execution (RCE) capabilities on the peer’s machine. ```golang file, err := os.OpenFile(t.DataFilePath, os.O_RDWR, defaultFileMode) if err != nil { return 0, err } defer file.Close() if _, err = file.Seek(req.Range.Start, io.SeekStart); err != nil { return 0, err } n, err := io.Copy(file, io.LimitReader(req.Reader, req.Range.Length)) ``` ### Patches - Dragonfy v2.1.0 and above. ### Workarounds There are no effective workarounds, beyond upgrading. ### References A third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf). If ...
### Summary jinjava’s current sandbox restrictions prevent direct access to dangerous methods such as `getClass()`, and block instantiation of Class objects. However, these protections can be bypassed. By using mapper.getTypeFactory().constructFromCanonical(), it is possible to instruct the underlying ObjectMapper to deserialize attacker-controlled input into arbitrary classes. This enables the creation of semi-arbitrary class instances without directly invoking restricted methods or class literals. As a result, an attacker can escape the sandbox and instantiate classes such as java.net.URL, opening up the ability to access local files and URLs(e.g., file:///etc/passwd). With further chaining, this primitive can potentially lead to remote code execution (RCE). ### Details jinjava templates expose a built-in variable `____int3rpr3t3r____`, which provides direct access to the jinjavaInterpreter instance. This variable was previously abused (see [Add interpreter to blacklist](https:/...
## Summary A path-traversal flaw in the handling of the `X-Zone-Id` HTTP header allows an attacker to cause the application to write files outside the intended storage location. The header value is used to build a filesystem path but is not properly canonicalized or restricted to the application’s storage base directory. As a result, supplying `../` sequences in `X-Zone-Id` causes files to be written to arbitrary directories (example observed: `~/.esmd/modules/transform/<id>/` instead of `~/.esmd/storage/modules/transform`). **Severity:** Medium **Component / Endpoint:** `POST /transform` — handling of `X-Zone-Id` header The vulnerable code is in https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L116 and https://github.com/esm-dev/esm.sh/blob/main/server/router.go#L411 **Impact:** Arbitrary file creation / overwrite outside intended storage directory (file write to attacker-controlled path). Possible remote code execution, persistence, tampering with application file...
The threat actor known as TA558 has been attributed to a fresh set of attacks delivering various remote access trojans (RATs) like Venom RAT to breach hotels in Brazil and Spanish-speaking markets. Russian cybersecurity vendor Kaspersky is tracking the activity, observed in summer 2025, to a cluster it tracks as RevengeHotels. "The threat actors continue to employ phishing emails with invoice