#vulnerability

### Summary DPanel has an arbitrary file deletion vulnerability in the `/api/common/attach/delete` interface. Authenticated users can delete arbitrary files on the server via path traversal. ### Details When a user logs into the administrative backend, this interface can be used to delete files. The vulnerability lies in the `Delete` function within the `app/common/http/controller/attach.go` file. The `path` parameter submitted by the user is directly passed to `storage.Local{}.GetSaveRealPath` and subsequently to `os.Remove` without proper sanitization or checking for path traversal characters (`../`). The vulnerable code snippet: <img width="487" height="363" alt="image" src="https://github.com/user-attachments/assets/b811de6f-1df1-49f3-af78-ea77bc420804" /> And the helper function in `common/service/storage/local.go` uses `filepath.Join`, which resolves `../` but does not enforce a chroot/jail: <img width="564" height="66" alt="image" src="https://github.com/user-attachments/as...

New York, United States, 15th January 2026, CyberNewsWire

Allocation of Resources Without Limits or Throttling in the HDF5 weight loading component in Google Keras 3.0.0 through 3.13.0 on all platforms allows a remote attacker to cause a Denial of Service (DoS) through memory exhaustion and a crash of the Python interpreter via a crafted .keras archive containing a valid model.weights.h5 file whose dataset declares an extremely large shape.

A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.

A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack. The vulnerability, tracked as CVE-2026-23550 (CVSS score: 10.0), has been described as a case of unauthenticated privilege escalation impacting all versions of the plugin prior to and including 2.5.1. It has been patched in version 2.5.2. The plugin

MITRE loses its lead as the top reporter of vulnerabilities, while new organizations pump out CVEs and reported bugs in WordPress plug-ins surge.

Cybersecurity researchers have disclosed details of a new attack method dubbed Reprompt that could allow bad actors to exfiltrate sensitive data from artificial intelligence (AI) chatbots like Microsoft Copilot in a single click, while bypassing enterprise security controls entirely. "Only a single click on a legitimate Microsoft link is required to compromise victims," Varonis security

The internet never stays quiet. Every week, new hacks, scams, and security problems show up somewhere. This week’s stories show how fast attackers change their tricks, how small mistakes turn into big risks, and how the same old tools keep finding new ways to break in. Read on to catch up before the next wave hits. Unauthenticated RCE risk Security Flaw in Redis

Flaws in how 17 models of headphones and speakers use Google’s one-tap Fast Pair Bluetooth protocol have left devices open to eavesdroppers and stalkers.

Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor.