Security
Headlines
HeadlinesLatestCVEs

Tag

#sql

The Rising Threat of API Attacks: How to Secure Your APIs in 2025

API attacks are constantly on the rise, with a recent alarming study showing that 59% of organizations give…

HackRead
Open in Source
#sql#xss#vulnerability#web#dos#git#auth
GHSA-qjpx-5m2p-5pgh: Pimcore Vulnerable to SQL Injection in getRelationFilterCondition

### Summary Authenticated users can craft a filter string used to cause a SQL injection. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ This code does not look to sanitize inputs: https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Extension/RelationFilterConditionParser.php#L29-L47 c.f. with https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Multiselect.php#L332-L347 ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ ### Impact _What kind of vulnerability is it? Who is impacted?_

GHOSTR Hacker Linked to 90+ Data Breaches Arrested

A hacker using the alias GHOSTR, linked to 90+ data breaches, was arrested in a joint effort by law enforcement in Thailand, Singapore, and cybersecurity firm Group-IB.

February Linux Patch Wednesday

February Linux Patch Wednesday. There are 561 vulnerabilities in total. 338 in Linux Kernel. Formally, there is one vulnerability with a sign of exploitation in the wild: RCE – 7-Zip (CVE-2025-0411). But it is about Windows MoTW and, naturally, is not exploitable on Linux. There are public exploits for 21 vulnerabilities. Among them there are […]

GHSA-rg56-94j7-hjx9: Moodle has a SQL injection risk in course search module list filter

An SQL injection risk was identified in the module list filter within course search.

GHSA-v4q9-437p-mhpg: Leantime allows Cross Site Scripting (XSS) and SQL Injection (SQLi)

### Summary A cross-site scripting (XSS) vulnerability has been identified in Leantime. The vulnerability allows an attacker to inject malicious scripts into certain fields, potentially leading to the execution of arbitrary code or unauthorized access to user-sensitive information. The code does not include any validation or sanitization of the $_GET["id"] parameter. As a result, it directly incorporates the user-supplied value into the source path without any checks.

China-Linked Threat Group Targets Japanese Orgs' Servers

Winnti once used a variety of malware but is now focused on SQL vulnerabilities and obfuscation, updated encryption, and new evasion methods to gain access.

PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks

Threat actors who were behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL, according to findings from Rapid7. The vulnerability, tracked as CVE-2025-1094 (CVSS score: 8.1), affects the PostgreSQL interactive tool psql. "An

XE Group Shifts From Card Skimming to Supply Chain Attacks

The likely Vietnam-based threat actor has been using two zero-days in VeraCore's warehouse management software in some of its latest cyberattacks.

Zimbra Releases Security Updates for SQL Injection, Stored XSS, and SSRF Vulnerabilities

Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in information disclosure under certain conditions. The vulnerability, tracked as CVE-2025-25064, carries a CVSS score of 9.8 out of a maximum of 10.0. It has been described as an SQL injection bug in the ZimbraSync Service SOAP endpoint affecting