Security
Headlines
HeadlinesLatestCVEs

Tag

#web

GHSA-mq8m-42gh-wq7r: Gogs vulnerable to a bypass of CVE-2024-55947

Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

ghsa
Open in Source
#vulnerability#web#auth
GhostFrame phishing kit fuels widespread attacks against millions

GhostFrame uses dynamic subdomains and hidden iframes to help attackers slip past basic security tools.

Webinar: How Attackers Exploit Cloud Misconfigurations Across AWS, AI Models, and Kubernetes

Cloud security is changing. Attackers are no longer just breaking down the door; they are finding unlocked windows in your configurations, your identities, and your code. Standard security tools often miss these threats because they look like normal activity. To stop them, you need to see exactly how these attacks happen in the real world. Next week, the Cortex Cloud team at Palo Alto Networks

Ukrainian Woman in US Custody for Aiding Russian NoName057 Hacker Group

Ukrainian national Victoria Dubranova is in U.S. custody, accused of supporting Russian hacker group NoName057 in cyberattacks on critical infrastructure. She has pleaded not guilty.

Microsoft Issues Security Fixes for 56 Flaws, Including Active Exploit and Two Zero-Days

Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild. Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. These include 29 privilege escalation, 18 remote code

Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws

Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution. The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and

GHSA-8fxj-2g9q-8fjw: Fetch MCP Server has a Server-Side Request Forgery (SSRF) vulnerability

fetch-mcp v1.0.2 and before is vulnerable to Server-Side Request Forgery (SSRF) vulnerability, which allows attackers to bypass private IP validation and access internal network resources.

GHSA-4c65-9gqf-4w8h: Cybersecurity AI (CAI) vulnerable to Command Injection in run_ssh_command_with_credentials Agent tool

### Summary A command injection vulnerability is present in the function tool `run_ssh_command_with_credentials()` available to AI agents. ### Details This is the source code of the function tool `run_ssh_command_with_credentials()` ([code](https://github.com/aliasrobotics/cai/blob/0.5.9/src/cai/tools/command_and_control/sshpass.py#L20)): ```python @function_tool def run_ssh_command_with_credentials( host: str, username: str, password: str, command: str, port: int = 22) -> str: """ Execute a command on a remote host via SSH using password authentication. Args: host: Remote host address username: SSH username password: SSH password command: Command to execute on remote host port: SSH port (default: 22) Returns: str: Output from the remote command execution """ # Escape special characters in password and command to prevent shell injection escaped_password = password.r...

Spiderman Phishing Kit Targets European Banks with Real-Time Credential Theft

Varonis threat analysts warn about Spiderman, a dangerous new kit that automates attacks against European banks and crypto customers, stealing a victim’s full identity profile.

The Dark Web Economy Behind Ad Fraud: What Marketers Don’t See

Ad fraud networks use bots, deepfakes and spoofed traffic to drain PPC budgets. This report shows how fake clicks distort performance data.