#web

The application constructs a shell command using unsanitized user input passed to the system() function, calling an external binary for authentication. Due to improper input handling and reliance on the binary's return value for access control, an attacker can inject special characters, such as a double quote (") to manipulate command parsing and induce execution failure. Since the application interprets any non-zero exit code from the binary as successful authentication, this flaw allows remote users to bypass authentication entirely without providing valid credentials.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Modicon M340 and Communication Modules Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: Modicon M340: All versions BMXNOR0200H Ethernet/Serial RTU Module: All versions BMXNGD0100 M580 Global Data module: All versions BMXNOC0401 Modicon M340 X80 Ethernet Communication modules: All versions BMXNOE0100 Modbus/TCP Ethernet Modicon M340 module: Versions prior to 3.60 BMXNOE0110 Modbus/TCP Ethernet Modicon M340 FactoryCast module: Versions prior to 6.80 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER INPUT VALIDATION CWE-20 Improper Input Validation vulnerability exists that could cause a Denial-of-Service when specially crafted FTP com...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: INVT Equipment: VT-Designer and HMITool Vulnerabilities: Out-of-bounds Write, Access of Resource Using Incompatible Type ('Type Confusion') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow attackers to execute arbitrary code in the context of the current process. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of INVT VT-Designer and HMITool are affected: VT-Designer: Version 2.1.13 (CVE-2025-7227, CVE-2025-7228, CVE-2025-7229, CVE-2025-7230, CVE-2025-7231) HMITool: Version 7.1.011 (CVE-2025-7223, CVE-2025-7224, CVE-2025-7225, CVE-2025-7226) 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS WRITE CWE-787 HMITool is vulnerable to remote attackers who can execute arbitrary code on affected installations. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists w...

Zimperium’s research reveals the Hook Android malware is now a hybrid threat, using ransomware and spyware to steal…

alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter.

### Summary HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls.

### Summary This issue: http://github.com/mlc-ai/xgrammar/issues/250 should have it's own security advisory. Since several tools accept and pass user supplied grammars to xgrammar, and it is so easy to trigger it seems like a High.

You must have administrator access, and `ALLOW_ADMIN_CHANGES` must be enabled for this to work. https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production Note: This is a follow-up to [GHSA-f3cw-hg6r-chfv](https://github.com/craftcms/cms/security/advisories/GHSA-f3cw-hg6r-chfv) Users should update to the patched versions (4.16.6 and 5.8.7) to mitigate the issue. References: https://github.com/craftcms/cms/pull/17612

Prompt injection attacks could be coming to an AI browser near you. Read on to understand what these attacks do and how to stay safe.

FortiGuard Labs warns of a global phishing campaign that delivers UpCrypter malware, giving hackers complete control of infected…