#web

LLama-Index CLI prior to v0.4.1, corresponding to LLama-Index prior to v0.12.21, contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the `--files` argument, which is directly passed into `os.system`. An attacker who controls the content of this argument can inject and execute arbitrary shell commands. This vulnerability can be exploited locally if the attacker has control over the CLI arguments, and remotely if a web application calls the LLama-Index CLI with a user-controlled filename. This issue can lead to arbitrary code execution on the affected system.

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability allows attackers to bypass the security mechanisms of InLong JDBC and leads to arbitrary file reading. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11747

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 through 2.1.0. This vulnerability is a secondary mining bypass for CVE-2024-26579. Users are advised to upgrade to Apache InLong's 2.2.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/11732

Affiliate marketing is a powerful tool for promoting brands. However, with its popularity gaining traction, more dishonest affiliate…

## Description In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as `localhost`, `127.0.0.1`, `0.0.0.0`,.... in order to make the Application fetching into the internal itself, which causes the vulnerability `Server - Side Request Forgery (SSRF)`. ## Payloads - `http://127.0.0.1:80` -> `The Port is not open` - `http://127.0.0.1:1337` -> `The Port which Strapi is running on` ## Steps to Reproduce - First of all, let's input the URL `http://127.0.0.1:80` into the `URL` field, and click "Save".  - Next, use the "Trigger" function and use Burp Suite to capture the request / response  ...

Adidas confirms cyber attack compromising customer data, joining other major retailers targeted by advanced threats and rising cybersecurity risks.

A huge dataset with all kinds of sensitive information, likely to be the result of infostealers, has been found unsecured online.

There’s a graveyard of brilliant cybersecurity companies that no one has ever heard of. These firms had incredible…

Cybersecurity researchers have disclosed a new malicious campaign that uses a fake website advertising antivirus software from Bitdefender to dupe victims into downloading a remote access trojan called Venom RAT. The campaign indicates a "clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems," the

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.3 ATTENTION: Low attack complexity Vendor: Johnson Controls Inc. Equipment: iSTAR Configuration Utility (ICU) tool Vulnerability: Use of Uninitialized Variable 2. RISK EVALUATION Successful exploitation of this vulnerability may allow an attacker to gain access to memory leaked from the ICU. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Johnson Controls reports the following versions of ICU are affected: ICU: All versions prior to 6.9.5 3.2 VULNERABILITY OVERVIEW 3.2.1 USE OF UNINITIALIZED VARIABLE CWE-457 The iSTAR Configuration Utility (ICU) tool leaks memory, which could result in unintended exposure of unauthorized data. CVE-2025-26383 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2025-26383. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/...