Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

Browser Extensions Can Exploit ChatGPT, Gemini in ‘Man in the Prompt’ Attack

Man in the Prompt attack shows how browser extensions can exploit ChatGPT, Gemini and other AI tools to steal data or inject hidden prompts.

HackRead
Open in Source
#vulnerability#web#google#git#intel
Ilevia EVE X1 Server 4.7.18.0.eden Neuro-Core Unauth Code Invasion

The EVE X1 server suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'passwd' HTTP POST parameter in /ajax/php/login.php script.

Ilevia EVE X1 Server 4.7.18.0.eden (db_log) Pre-Auth File Disclosure

The controller suffers from an unauthenticated file disclosure vulnerability. Using the 'db_log' POST parameter, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.

Using LLMs as a reverse engineering sidekick

LLMs may serve as powerful assistants to malware analysts to streamline workflows, enhance efficiency, and provide actionable insights during malware analysis.

IR Trends Q2 2025: Phishing attacks persist as actors leverage compromised valid accounts to enhance legitimacy

Phishing remained the top initial access method in Q2 2025, while ransomware incidents see the emergence of new Qilin tactics.

GHSA-72ww-4rcw-mc62: Apache JSPWiki Cross-Site Scripting (XSS) Vulnerability in the Image Plugin

A carefully crafted request using the Image plugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.3 or later.

GHSA-rrff-chj9-w4c7: Apache JSPWiki Cross-Site Scripting (XSS) Vulnerability via Header Link Rendering

A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later.

.NET Bounty Program now offers up to $40,000 in awards 

We’re excited to announce significant updates to the Microsoft .NET Bounty Program. These changes expand the program’s scope, simplify the award structure, and offer great incentives for security researchers. The .NET Bounty Program now offers awards up to $40,000 USD for vulnerabilities impacting the .NET and ASP.NET Core (including Blazor and Aspire).

Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install

Threat actors are actively exploiting a critical security flaw in "Alone – Charity Multipurpose Non-profit WordPress Theme" to take over susceptible sites. The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug. According to Wordfence, the shortcoming relates to an arbitrary file upload

Tonic Security Harnesses AI to Combat Remediation Challenges

Attackers are becoming faster at exploiting vulnerabilities, but this startup seeks to stop threats before they lead to breaches.