Tag: flaw
-
GitLab warns of high-severity 2FA bypass, denial-of-service flaws
GitLab has patched a high-severity two-factor authentication bypass impacting community and enterprise editions of its software development platform. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/gitlab-warns-of-high-severity-2fa-bypass-denial-of-service-flaws/
-
Azure DNS Behavior Can Turn Private Endpoints Into DoS Risks
A DNS flaw in Azure Private Link can trigger DoS-like outages across linked VNETs. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/azure-dns-behavior-can-turn-private-endpoints-into-dos-risks/
-
GitLab Security Flaws Could Allow Two-Factor Authentication Bypass and DoS
GitLab has released critical security patches addressing multiple vulnerabilities affecting both Community Edition (CE) and Enterprise Edition (EE). Versions 18.8.2, 18.7.2, and 18.6.4 are now available to fix flaws that enable two-factor authentication bypass and denial-of-service attacks. GitLab strongly recommends that all self-managed installations upgrade immediately, while GitLab.com has already deployed the patches. Critical Authentication…
-
NVIDIA Nsight Graphics on Linux Exposed to Code Execution Vulnerability
NVIDIA has released an urgent security update addressing a critical vulnerability in NSIGHT Graphics for Linux systems. The vulnerability, tracked as CVE-2025-33206, allows attackers to execute arbitrary code through command injection, posing significant risks to development and graphics analysis workflows. Vulnerability Overview The flaw exists in NVIDIA NSIGHT Graphics across all Linux versions prior to…
-
GNU InetUtils Vulnerability Exploited via “-f root” to Achieve Full System Control
A critical authentication bypass vulnerability in GNU InetUtils’ telnetd server allows remote attackers to gain root access without credentials by exploiting improper parameter sanitization. GNU InetUtils versions 1.9.3 through 2.7 contain a high-severity authentication bypass vulnerability in the telnetd server that enables unauthenticated remote attackers to achieve full system compromise. The flaw stems from insufficient…
-
Critical Zoom Vulnerability Enables Remote Code Execution via Command Injection
A critical command injection vulnerability in Zoom Node Multimedia Routers (MMRs) has been disclosed, potentially allowing meeting participants to execute arbitrary code on vulnerable systems. The flaw affects Zoom Node Meetings Hybrid and Meeting Connector deployments, requiring immediate patching across enterprise environments. Vulnerability Overview Zoom Offensive Security identified a command injection flaw in Zoom Node…
-
Vulnerability prioritization beyond the CVSS number
Tags: automation, container, credentials, cve, cvss, data, docker, endpoint, flaw, github, identity, network, open-source, risk, service, update, vulnerability, vulnerability-managementA different way to look at vulnerabilities: This is where the unified linkage model (ULM) comes in. Instead of asking, “How bad is this vulnerability on its own?” ULM asks, “What can this vulnerability affect once it starts moving?”It focuses on three kinds of relationships:Adjacency: Systems that sit side by side and can influence each…
-
Chainlit AI Framework Flaws Enable Data Theft via File Read and SSRF Bugs
Security vulnerabilities were uncovered in the popular open-source artificial intelligence (AI) framework Chainlit that could allow attackers to steal sensitive data, which may allow for lateral movement within a susceptible organization.Zafran Security said the high-severity flaws, collectively dubbed ChainLeak, could be abused to leak cloud environment API keys and steal sensitive files, or First seen…
-
CERT/CC Warns binary-parser Bug Allows Node.js Privilege-Level Code Execution
A security vulnerability has been disclosed in the popular binary-parser npm library that, if successfully exploited, could result in the execution of arbitrary JavaScript.The vulnerability, tracked as CVE-2026-1245 (CVSS score: N/A), affects all versions of the module prior to version 2.3.0, which addresses the issue. Patches for the flaw were released on November 26, 2025.Binary-parser…
-
Chrome 144 Released to Fix High-Severity V8 JavaScript Engine Flaw
Google has released Chrome version 144.0.7559.96/.97 to the stable channel across Windows, Mac, and Linux platforms, addressing a critical race condition vulnerability in the V8 JavaScript engine. The update is rolling out gradually to users over the coming days and weeks. Security Update Details The latest stable release patches one significant security vulnerability tracked as…
-
Chrome 144 Released to Fix High-Severity V8 JavaScript Engine Flaw
Google has released Chrome version 144.0.7559.96/.97 to the stable channel across Windows, Mac, and Linux platforms, addressing a critical race condition vulnerability in the V8 JavaScript engine. The update is rolling out gradually to users over the coming days and weeks. Security Update Details The latest stable release patches one significant security vulnerability tracked as…
-
Flaws in Chainlit AI dev framework expose servers to compromise
/proc/self/environ file is used to store environment variables, and these can contain API keys, credentials, internal file paths, database paths, tokens for AWS and other cloud services, and even CHAINLIT_AUTH_SECRET, a secret that’s used to sign authentication tokens when authentication is enabled.On top of that, if LangChain is used as the orchestration layer behind Chainlit…
-
New iOS and iPadOS Flaws Leave Millions of iPhones at Risk
Critical iOS and iPadOS WebKit flaws put millions of iPhones and iPads at risk of silent takeover. Apple urges users to update immediately. The post New iOS and iPadOS Flaws Leave Millions of iPhones at Risk appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-ios-ipad-os-flaws-iphones-at-risk/
-
Google Gemini Flaw Let Attackers Access Private Calendar Data
Security researchers found a Google Gemini flaw that let hidden instructions in a meeting invite extract private calendar data and create deceptive events. The post Google Gemini Flaw Let Attackers Access Private Calendar Data appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-google-gemini-flaw-private-calendar-data/
-
Why Smart Contract Security Can’t Wait for >>Better<< AI Models
The numbers tell a stark story: $1.42 billion lost across 149 documented incidents in 2024 due to smart contract vulnerabilities, with access control flaws accounting for $953.2 million in damages alone. While the Web3 community debates the perfect AI solution for smart contract security, billions continue to drain from protocols that could have been protected..…
-
Critical TP-Link VIGI camera flaw allowed remote takeover of surveillance systems
TP-Link fixed a critical flaw that exposed over 32 VIGI C and VIGI InSight camera models to remote hacking, with over 2,500 internet-exposed devices identified. TP-Link fixed a high-severity flaw, tracked as CVE-2026-0629 (CVSS score 8.7), affecting over 32 VIGI C and VIGI InSight camera models. The vulnerability lets attackers on a local network bypass…
-
Critical TP-Link VIGI camera flaw allowed remote takeover of surveillance systems
TP-Link fixed a critical flaw that exposed over 32 VIGI C and VIGI InSight camera models to remote hacking, with over 2,500 internet-exposed devices identified. TP-Link fixed a high-severity flaw, tracked as CVE-2026-0629 (CVSS score 8.7), affecting over 32 VIGI C and VIGI InSight camera models. The vulnerability lets attackers on a local network bypass…
-
Critical TP-Link VIGI camera flaw allowed remote takeover of surveillance systems
TP-Link fixed a critical flaw that exposed over 32 VIGI C and VIGI InSight camera models to remote hacking, with over 2,500 internet-exposed devices identified. TP-Link fixed a high-severity flaw, tracked as CVE-2026-0629 (CVSS score 8.7), affecting over 32 VIGI C and VIGI InSight camera models. The vulnerability lets attackers on a local network bypass…
-
Google Gemini Flaw Turns Calendar Invites Into Attack Vector
The indirect prompt injection vulnerability allows an attacker to weaponize calendar invites to circumvent Google’s privacy controls and access private data. First seen on darkreading.com Jump to article: www.darkreading.com/cloud-security/google-gemini-flaw-calendar-invites-attack-vector
-
Chainlit Security Flaws Highlight Infrastructure Risks in AI Apps
2 security vulnerabilities in the Chainlit framework expose risks from web flaws in AI applications First seen on infosecurity-magazine.com Jump to article: www.infosecurity-magazine.com/news/chainlit-security-flaws-ai-apps/
-
New Windows Flaw Lets Attackers Bypass Mark of the Web
Microsoft patched a Windows Remote Assistance flaw that lets attackers bypass Mark of the Web, weakening protections against malicious downloads and phishing files. The post New Windows Flaw Lets Attackers Bypass Mark of the Web appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-windows-flaw-bypass-mark-of-the-web/
-
Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution
A set of three security vulnerabilities has been disclosed in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic, that could be exploited to read or delete arbitrary files and execute code under certain conditions.”These flaws can be exploited through prompt injection, meaning an attacker who can influence what an AI assistant…
-
Anthropic quietly fixed flaws in its Git MCP server that allowed for remote code execution
Prompt injection for the win First seen on theregister.com Jump to article: www.theregister.com/2026/01/20/anthropic_prompt_injection_flaws/
-
AWS Console Supply Chain Flaw Could Have Enabled GitHub Repo Hijacks
Wiz says an AWS CodeBuild flaw could have enabled GitHub repo hijacks, though AWS reports no impact. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/aws-console-supply-chain-flaw-could-have-enabled-github-repo-hijacks/
-
Cisco Secure Email Appliance RCE Exploited in Attacks
Cisco says attackers are actively exploiting CVE-2025-20393, a critical RCE flaw in Secure Email appliances. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/cisco-secure-email-appliance-rce-exploited-in-attacks/
-
Cisco Secure Email Appliance RCE Exploited in Attacks
Cisco says attackers are actively exploiting CVE-2025-20393, a critical RCE flaw in Secure Email appliances. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/cisco-secure-email-appliance-rce-exploited-in-attacks/
-
Cisco Secure Email Appliance RCE Exploited in Attacks
Cisco says attackers are actively exploiting CVE-2025-20393, a critical RCE flaw in Secure Email appliances. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/cisco-secure-email-appliance-rce-exploited-in-attacks/
-
Apache Airflow Flaws Expose Sensitive Workflow Data to Potential Attackers
Apache Airflow has patched two separate credential-exposure vulnerabilities in versions before 3.1.6. The flaws could allow attackers to extract sensitive authentication data embedded in proxy configurations and templated workflow fields through log files and the web UI, potentially compromising networkinfrastructureand sensitive data pipelines. The first vulnerability affects Apache Airflow versions before 3.1.6 and stems from…
-
Cloudflare Zero-Day Let Attackers Bypass WAF via ACME Certificate Validation Path
A critical zero-day vulnerability in Cloudflare exposed a fundamental weakness in how security exceptions are handled at scale. The flaw allowed attackers to bypass Cloudflare’s Web Application Firewall (WAF) entirely and directly access protected origin servers by abusing a certificate validation endpoint. The issue was not caused by customer misconfiguration, but by a logic error…