Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Travelers to the UK targeted in ETA scams

Some scammers are selling ETA documents at exaggerated prices, and others are after your personal and financial data.

Malwarebytes
Open in Source
#web#mac#git#auth
Feds Seize VerifTools.Net, Operators Relaunch with VerifTools.com

Authorities in the United States and the Netherlands have seized VerifTools, a marketplace selling fake IDs for cybercrime.…

WhatsApp 0-Day Exploited in Attacks on Targeted iOS and macOS Users

WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The…

Hackers Exploit CrushFTP Zero-Day to Take Over Servers

WatchTowr Labs uncovers a zero-day exploit (CVE-2025-54309) in CrushFTP. The vulnerability lets hackers gain admin access via the…

SSA Whistleblower’s Resignation Email Mysteriously Disappeared From Inboxes

Less than 30 minutes after the Social Security Administration’s chief data officer resigned following a whistleblower complaint, recipients could no longer access the resignation email.

GHSA-xv57-4mr9-wg8v: Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated. More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173)

GHSA-876g-49r6-33qj: Liferay Portal allows improper access through the expandoTableLocalService

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 has a security vulnerability that allowing for improper access through the expandoTableLocalService.

GHSA-9q78-27f3-2jmh: webp crate may expose memory contents when encoding an image

Affected versions of this crate did not check that the input slice passed to `"webp::Encoder::encode()` is large enough for the specified image dimensions. If the input slice is too short, the library will read out of bounds of the buffer and encode other memory contents as an image, resulting in memory exposure or a segmentation fault. The flaw was corrected in [pull request #44](https://github.com/jaredforth/webp/pull/44) by always validating the input buffer size when constructing the encoder.

GHSA-hw6f-rjfj-j7j7: Eventlet affected by HTTP request smuggling in unparsed trailers

### Impact The Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to: - Bypass front-end security controls - Launch targeted attacks against active site users - Poison web caches ### Patches Problem has been patched in eventlet 0.40.3. The patch just drops trailers. If a backend behind eventlet.wsgi proxy requires trailers, then this patch BREAKS your setup. ### Workarounds Do not use eventlet.wsgi facing untrusted clients. ### References - Patch https://github.com/eventlet/eventlet/pull/1062 - This issue is similar to https://github.com/advisories/GHSA-9548-qrrj-x5pj

Fake Facebook Ads Push Brokewell Spyware to Android Users

A Facebook malvertising campaign is spreading the Brokewell spyware to Android users via fake TradingView ads. The malware…