Security
Headlines
GHSA-mmwx-79f6-67jg: Weblate wlc path traversal vulnerability: Unsanitized API slugs in download command

### Impact

Multi-translation download could write to an arbitrary location when instructed by a crafted server.

### Patches

* https://github.com/WeblateOrg/wlc/pull/1128

### Workarounds

Do not use `wlc download` with untrusted servers.

### References

This issue was reported to us by [wh1zee](https://hackerone.com/wh1zee) via HackerOne.
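
The advisory does not show the vulnerable code, so the following is an added example (not wlc's code) of the check a client should apply before turning server-supplied slugs into file paths. The response shape, the `.po` naming and the `/srv/wlc-downloads` root are assumptions; the four entries are constructed to mimic what a crafted server could return.

```python
from __future__ import annotations

import re
from pathlib import Path

# Constructed stand-in for a server's multi-translation listing. Field names
# are an assumption, not wlc's real API schema.
CRAFTED_RESPONSE = [
    {"project": "weblate", "component": "glossary", "language": "cs"},
    {"project": "weblate", "component": "../../../../tmp", "language": "evil"},
    {"project": "weblate", "component": "ok", "language": "..\\..\\win"},
    {"project": "", "component": "x", "language": "de"},
]

# Download root; constructed path, it does not need to exist for the checks.
BASE = Path("/srv/wlc-downloads")

# A slug must start with an alphanumeric (so "." and ".." are out) and may not
# contain any path separator; anything else is rejected before it reaches disk.
SLUG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]*$")


def is_safe_slug(slug: str) -> bool:
    return bool(SLUG_RE.match(slug))


def naive_download_path(base: Path, project: str, component: str, language: str) -> Path:
    """The unsafe pattern: trust the slugs and join them. resolve() collapses
    the '..' components, so a crafted component lands outside `base`."""
    return (base / project / component / f"{language}.po").resolve()


def download_path(base: Path, project: str, component: str, language: str) -> Path:
    """Safe variant: allow-list each slug, then independently confirm that the
    resolved target is still inside the resolved base (defence in depth in
    case the regex is ever loosened)."""
    for part in (project, component, language):
        if not is_safe_slug(part):
            raise ValueError(f"unsafe slug from server: {part!r}")
    root = base.resolve()
    target = (root / project / component / f"{language}.po").resolve()
    if root not in target.parents:
        raise ValueError(f"path escapes download directory: {target}")
    return target


def plan_downloads(base: Path, entries) -> tuple[list[Path], list[tuple[dict, str]]]:
    """Dry run over a listing: returns (accepted paths, (entry, reason) rejects)
    without writing anything."""
    accepted: list[Path] = []
    rejected: list[tuple[dict, str]] = []
    for entry in entries:
        try:
            accepted.append(download_path(base, entry["project"], entry["component"], entry["language"]))
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_downloads(BASE, CRAFTED_RESPONSE)
    print("would write:", [str(p) for p in ok])
    for entry, reason in bad:
        print("rejected:", entry, "->", reason)
    print("naive join escapes to:", naive_download_path(BASE, "weblate", "../../../../tmp", "evil"))
```

The containment check alone is not enough on its own for every deployment (symlinks inside the download root, or a server that returns an absolute path as a slug, are the usual ways it gets surprised), which is why the allow-list runs first and the advisory's workaround, not pointing `wlc download` at an untrusted server, still applies.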

GHSA-c336-7962-wfj2: Dask Distributed is Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard

### Impact

When [Jupyter Lab](https://jupyterlab.readthedocs.io/en/latest/), [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy) and [Dask distributed](https://github.com/dask/distributed) are all run together, it is possible to craft a URL that results in code being executed by Jupyter, due to a cross-site scripting (XSS) bug in the Dask dashboard. An attacker can craft a phishing URL that assumes Jupyter Lab and Dask are running on localhost on their default ports. If a user clicks the malicious link, it opens an error page in the Dask Dashboard via the Jupyter Lab proxy, which causes code to be executed by the default Jupyter Python kernel.

For a user to be impacted they must be running Jupyter Lab locally on the default port (with [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy)) and a Dask distributed cluster on the default port. They would then need to click the link, which would execut...

How 2 Missing Characters Nearly Compromised AWS

A supply chain vulnerability in AWS CodeBuild recently put the entire AWS Console at risk. Learn how Wiz Research found the flaw and how Amazon responded to prevent a global security crisis.

GHSA-m3c4-prhw-mrx6: Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass

### Summary

A prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path's extension matched `.bat` or `.cmd`. That check performs a case-sensitive comparison against lowercase literals and can therefore be bypassed when the extension uses alternate casing (for example `.BAT`, `.Bat`, etc.).

### POC

```javascript
// Windows opens test.BAT and test.bat as the same file; the extension check
// compares the string literally, so the upper-case spelling is not refused.
const command = new Deno.Command('./test.BAT', {
  args: ['&calc.exe'],
});
const child = command.spawn();
```

This causes `calc.exe` to be launched; see the attached screenshots for evidence.

**Patched in `CVE-2025-61787` (prevents execution of `.bat` and `.cmd` files):**

![photo_2025-10-10 02 27 23](https://github.com/user-attachments/assets/43df25e2-e2e1-48aa-8060-cb0a22637f1f)

**Bypass of the patched vulnerability:**

![photo_2025-10-10 02 27 25](https://github.com/user-attachments/assets/2be1afb4-84a1-4883-8e18-6a174fdd3615)

### Impact

The script launches calc.exe on Windows, demonstrating that passing user-controlled argument...
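
Deno's check lives in its Rust runtime and is not reproduced here; the following added example restates the logic in Python to show the incomplete check next to a case-folded one, plus a small differential test that enumerates every casing of a blocked extension and reports which spellings a given check lets through. `guarded_spawn` is a hypothetical stand-in for the spawn gate, not Deno's API.

```python
from __future__ import annotations

import itertools
import ntpath

# Extensions the runtime refuses to spawn directly on Windows (per the advisory).
BLOCKED_EXTENSIONS = {".bat", ".cmd"}


def is_blocked_vulnerable(path: str) -> bool:
    """The incomplete check: literal comparison against lowercase extensions.
    ntpath is used so Windows path rules apply wherever this example runs."""
    return ntpath.splitext(path)[1] in BLOCKED_EXTENSIONS


def is_blocked_fixed(path: str) -> bool:
    """Fold case before comparing: Win32 file-name lookup is case-insensitive,
    so test.BAT, test.Bat and test.bat all open the same batch file."""
    return ntpath.splitext(path)[1].lower() in BLOCKED_EXTENSIONS


def casing_variants(ext: str) -> list[str]:
    """Every upper/lower spelling of an extension: .bat -> .bat, .baT, ..., .BAT"""
    letters = ext.lstrip(".")
    choices = ((ch.lower(), ch.upper()) for ch in letters)
    return sorted({"." + "".join(combo) for combo in itertools.product(*choices)})


def missed_variants(check) -> list[str]:
    """Differential test: which spellings of a blocked extension does `check`
    fail to refuse? An empty list means the check is casing-complete."""
    return sorted(
        variant
        for ext in BLOCKED_EXTENSIONS
        for variant in casing_variants(ext)
        if not check("C:\\work\\test" + variant)
    )


def guarded_spawn(path: str, check=is_blocked_fixed) -> str:
    """Hypothetical spawn gate (not Deno's code): refuse batch files, otherwise
    return a marker for what would have been launched."""
    if check(path):
        raise PermissionError(f"refusing to spawn batch file: {path}")
    return f"spawn {path}"


if __name__ == "__main__":
    print("vulnerable check misses:", missed_variants(is_blocked_vulnerable))
    print("fixed check misses:", missed_variants(is_blocked_fixed))
    for p in ("./test.bat", "./test.BAT"):
        print(p, "blocked by vulnerable check:", is_blocked_vulnerable(p),
              "blocked by fixed check:", is_blocked_fixed(p))
```

Running the differential test against the literal check lists all 14 non-lowercase spellings of `.bat` and `.cmd`; the same harness is the regression test to keep after the fix, since any future extension added to the block list gets every casing exercised automatically.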

GHSA-5379-f5hf-w38v: Deno node:crypto doesn't finalize cipher

### Summary

The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal of learning the server secrets.

### PoC

```js
import crypto from "node:crypto";

const key = crypto.randomBytes(32);
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
cipher.final();
console.log(cipher);
```

### Expected Output

```js
Cipheriv {
  _decoder: null,
  _options: undefined,
  Symbol(kHandle): CipherBase {}
}
```

### Actual Output

```js
Cipheriv {
  _events: {
    close: undefined,
    error: undefined,
    prefinish: [Function: prefinish],
    finish: undefined,
    drain: undefined,
    data: undefined,
    end: undefined,
    readable: undefined
  },
  _readableState: ReadableState {
    highWaterMark: 65536,
    buffer: [],
    bufferIndex: 0,
    length: 0,
    pipes: [],
    awaitDrainWriters: null,
    [Symbol(kState)]: 1048844
  },
  _writableStat...
```

GHSA-fccg-7w3p-w66f: Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability

Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses. This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd).
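
The advisory describes the weakness (a check on the hostname string rather than on where it resolves) without showing vnu's code, which is Java. The added example below, in Python and not vnu's own code, shows the resolve-then-pin pattern that closes both holes named above: resolve once, reject if any returned address is non-public, and hand the client the exact IP to connect to so a rebinding answer at connect time is never consulted. The `*.example` hostnames and their addresses in `FAKE_DNS` are constructed; `system_resolver` is the real-world drop-in.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit


def is_forbidden_ip(ip: str) -> bool:
    """True for any address an outbound fetcher must never contact.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so the IPv4 rules
    apply; otherwise a v6 literal can carry a loopback v4 target past a check
    that only knows about 127.0.0.0/8."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_unspecified
        or addr.is_reserved
        or not addr.is_global  # also excludes CGNAT 100.64.0.0/10 and other special-purpose blocks
    )


def system_resolver(host: str) -> list[str]:
    """Real resolver: every address getaddrinfo returns, as normalised text.
    Spellings like 0x7f000001 come back from here as 127.0.0.1, so the decision
    is made on the actual address rather than on how the attacker wrote it."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table standing in for a rebinding attacker's zone (not real hosts).
FAKE_DNS = {
    "validator.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # mixed answer: reject the whole set
    "localtest.example": ["127.0.0.1"],
    "v6map.example": ["::ffff:10.0.0.5"],
}


def fake_resolver(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])


def pin_target(url: str, resolver=system_resolver) -> tuple[str, str, int]:
    """Resolve once, reject if any answer is forbidden, and return the pinned
    (ip, host, port). The HTTP client must open its socket to `ip` while still
    sending Host/SNI for `host`; a second lookup at connect time is exactly the
    window a rebinding attacker flips the record in."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"blocked: scheme {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("blocked: no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ipaddress.ip_address(host)
        ips = [host]  # literal IP in the URL: judge it directly
    except ValueError:
        ips = resolver(host)
    if not ips:
        raise ValueError(f"blocked: {host!r} has no address")
    for ip in ips:
        if is_forbidden_ip(ip):
            raise ValueError(f"blocked: {host!r} resolves to {ip}")
    return ips[0], host, port


def classify(url: str, resolver=system_resolver) -> str:
    """'allowed <ip>:<port>' or the reason the URL was refused."""
    try:
        ip, _host, port = pin_target(url, resolver)
        return f"allowed {ip}:{port}"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for u in ("http://validator.example/check", "http://rebind.example/",
              "http://localtest.example/", "http://v6map.example/",
              "http://127.0.0.1:8080/", "http://[::1]/"):
        print(f"{u:35} {classify(u, fake_resolver)}")
```

Two things the pinning step does not cover and the caller still has to handle: redirects must be re-validated through `pin_target` before being followed (a public host can 302 to an internal one), and a TLS client given a pinned IP has to keep verifying the certificate against the original hostname, not the address.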

WhisperPair exposes Bluetooth earbuds and headphones to tracking and eavesdropping

Researchers demonstrated WhisperPair, a set of attacks that can take control of many widely used Bluetooth earbuds and headphones without user interaction.

CVE-2026-21223: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability

**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An authenticated local attacker can disable or enable Windows VBS without administrative privileges, resulting in bypass of platform security hardening. This does not grant direct code execution as another user but weakens system security guarantees, enabling follow-on attacks.

CVE-2026-20960: Microsoft Power Apps Remote Code Execution Vulnerability

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

China-Linked APT Exploits Sitecore Zero-Day in Attacks on American Critical Infrastructure

A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity under the name UAT-8837, assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region.