#web

Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors

### Summary http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section. This vulnerability could enable attackers to: - Bypass front-end servers security controls - Launch targeted attacks against active users - Poison web caches Pre-requisites for the exploitation: the web appication has to be deployed behind a reverse-proxy that forwards trailer headers. ### Details The HTTP chunked message parser, after parsing the last body chunk, calls `parseTrailers` (`ember-core/shared/src/main/scala/org/http4s/ember/core/ChunkedEncoding.scala#L122-142`). This method parses the trailer section using `Parser.parse`, where the issue originates. `parse` has a bug that allows to terminate the parsing before finding the double CRLF condition: when it finds an header line that **does not include the colon character**, it continues parsing with `state=false` looking for the header name till reaching the condition `else if (current == lf && (idx > 0 && message(idx...

Law enforcement authorities in Europe have arrested five suspects in connection with an "elaborate" online investment fraud scheme that stole more than €100 million ($118 million) from over 100 victims in France, Germany, Italy, and Spain. According to Eurojust, the coordinated action saw searches in five places across Spain and Portugal, as well as in Italy, Romania and Bulgaria. Bank accounts

This week on the Lock and Code podcast, we speak with Peter Dolanjski about the internet's thirst for your data, and how to stay private.

New research from Check Point Research reveals the Iranian cyber group Nimbus Manticore is targeting defence, telecom, and aerospace companies in Europe with fake job offers. Learn how they use advanced malware to steal sensitive data.

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

A lack of restrictions allowed data hoarders to steal sensitive and copyrighted material from the AAPB website for years.

SolarWinds has released hot fixes to address a critical security flaw impacting its Web Help Desk software that, if successfully exploited, could allow attackers to execute arbitrary commands on susceptible systems. The vulnerability, tracked as CVE-2025-26399 (CVSS score: 9.8), has been described as an instance of deserialization of untrusted data that could result in code execution. It affects

Austin, Texas, USA, 23rd September 2025, CyberNewsWire

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Low attack complexity Vendor: Viessmann Equipment: Vitogate 300 Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Client-Side Enforcement of Server-Side Security 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to modify an intended OS command when it is sent to a downstream component, or allow an attacker to cause unexpected interactions between the client and server. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Viessmann Vitogate 300 are affected: Vitogate 300: Versions prior to 3.1.0.1 3.2 VULNERABILITY OVERVIEW 3.2.1 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-78 Vitogate 300 constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could m...