Tag: xss

StealC malware control panel flaw leaks details on active attacker

Jan 19, 2026 5:21 PM

Tags: control, data-breach, flaw, leak, malware, service, threat, xss

Researchers uncovered an XSS flaw in StealC malware’s control panel, exposing key details about a threat actor using the info stealer. StealC is an infostealer that has been active since at least 2023, sold as Malware-as-a-Service to steal cookies and passwords. In 2025, its operators released StealC v2, but the web panel quickly leaked and…
CISA’s secure-software buying tool had a simple XSS vulnerability of its own

Jan 16, 2026 12:51 AM

Tags: cisa, software, tool, vulnerability, xss

A researcher who discovered the vulnerability said it was fixed in December, after he first reported it to the agency in September. First seen on cyberscoop.com Jump to article: cyberscoop.com/cisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own/
Lack of isolation in agentic browsers resurfaces old vulnerabilities

Jan 13, 2026 7:02 PM

Tags: access, ai, api, attack, authentication, control, corporate, credentials, data, data-breach, defense, dns, email, exploit, finance, flaw, framework, github, google, hacker, healthcare, injection, Internet, leak, linkedin, LLM, malicious, mitigation, network, nvidia, organized, privacy, programming, risk, service, side-channel, threat, tool, training, unauthorized, update, vulnerability, xss

With browser-embedded AI agents, we’re essentially starting the security journey over again. We exploited a lack of isolation mechanisms in multiple agentic browsers to perform attacks ranging from the dissemination of false information to cross-site data leaks. These attacks, which are functionally similar to cross-site scripting (XSS) and cross-site request forgery (CSRF), resurface decades-old patterns…
OWASP CRS Flaw Lets Encoded Attacks Slip Past WAFs

Jan 9, 2026 5:01 PM

Tags: attack, flaw, waf, xss

A critical OWASP CRS flaw allows encoded XSS attacks to bypass WAF charset validation. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/owasp-crs-flaw-lets-encoded-attacks-slip-past-wafs/
Ivantis EPM-Systeme anfällig für Angriffe

Dec 11, 2025 2:32 PM

Tags: access, api, authentication, bug, cisa, cve, cvss, cyberattack, exploit, infrastructure, Internet, ivanti, malware, ransomware, social-engineering, software, update, vulnerability, xss

Unternehmen sollten ihre EPM-Systeme von Ivanti so bald wie möglich patchen, da dort schwerwiegende Sicherheitslücken entdeckt wurden.Ivanti hat kürzlich einen schwerwiegenden Fehler in seinen EMP-Systemen gemeldet, der Admin-Sitzungen ohne Authentifizierung erlaubt. Angreifer könnten dadurch möglicherweise Tausende von Unternehmensgeräten kontrollieren.Der Software-Anbieter veröffentlichte die EPM-Version 2024 SU4 SR1, um mehrere Schwachstellen zu beheben. Dazu gehört die kritische…
Ivantis EPM-Systeme anfällig für Angriffe

Dec 11, 2025 2:32 PM

Tags: access, api, authentication, bug, cisa, cve, cvss, cyberattack, exploit, infrastructure, Internet, ivanti, malware, ransomware, social-engineering, software, update, vulnerability, xss

Unternehmen sollten ihre EPM-Systeme von Ivanti so bald wie möglich patchen, da dort schwerwiegende Sicherheitslücken entdeckt wurden.Ivanti hat kürzlich einen schwerwiegenden Fehler in seinen EMP-Systemen gemeldet, der Admin-Sitzungen ohne Authentifizierung erlaubt. Angreifer könnten dadurch möglicherweise Tausende von Unternehmensgeräten kontrollieren.Der Software-Anbieter veröffentlichte die EPM-Version 2024 SU4 SR1, um mehrere Schwachstellen zu beheben. Dazu gehört die kritische…
2025 Year of Browser Bugs Recap:

Dec 10, 2025 8:33 PM

Tags: access, ai, api, attack, authentication, awareness, browser, cctv, chrome, cloud, communications, computer, credentials, crypto, cyber, data, data-breach, detection, edr, email, endpoint, exploit, flaw, gartner, google, guide, identity, injection, leak, login, malicious, malware, network, openai, passkey, password, phishing, ransom, ransomware, risk, saas, service, threat, tool, update, vulnerability, windows, xss, zero-day

At the beginning of this year, we launched the Year of Browser Bugs (YOBB) project, a commitment to research and share critical architectural vulnerabilities in the browser. Inspired by the iconic Months of Bugs tradition in the 2000s, YOBB was started with a similar purpose”Š”, “Što drive awareness and discussion around key security gaps and…
Ivanti warns customers of new EPM flaw enabling remote code execution

Dec 10, 2025 12:32 AM

Tags: cve, endpoint, flaw, ivanti, remote-code-execution, software, vulnerability, xss

Ivanti warns users to address a newly disclosed Endpoint Manager vulnerability that could let attackers execute code remotely. Software firm Ivanti addressed a newly disclosed vulnerability, tracked as CVE-2025-10573 (CVSS score 9.6), in its Endpoint Manager (EPM) solution. The vulnerability is a Stored XSS that could allow a remote unauthenticated attacker to execute arbitrary >>Stored…
CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV

Nov 30, 2025 11:49 AM

Tags: cisa, cve, cybersecurity, exploit, flaw, infrastructure, kev, linux, software, vulnerability, windows, xss

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation.The vulnerability in question is CVE-2021-26829 (CVSS score: 5.4), a cross-site scripting (XSS) flaw that affects Windows and Linux versions of the software via First seen on…
Apache SkyWalking Flaw Allows Attackers to Launch XSS Attacks

Nov 27, 2025 3:49 PM

Tags: apache, attack, cve, cyber, flaw, malicious, monitoring, tool, vulnerability, xss

A recently discovered vulnerability in Apache SkyWalking, a popular application performance monitoring tool, could allow attackers to execute malicious scripts and launch cross-site scripting (XSS) attacks. The flaw, identified as CVE-2025-54057, affects all versions of SkyWalking up to 10.2.0. CVE ID Description Severity Affected Versions CVE-2025-54057 Stored XSS vulnerability in Apache SkyWalking Important Through 10.2.0…
Apache SkyWalking Flaw Allows Attackers to Launch XSS Attacks

Nov 27, 2025 3:49 PM

Tags: apache, attack, cve, cyber, flaw, malicious, monitoring, tool, vulnerability, xss

A recently discovered vulnerability in Apache SkyWalking, a popular application performance monitoring tool, could allow attackers to execute malicious scripts and launch cross-site scripting (XSS) attacks. The flaw, identified as CVE-2025-54057, affects all versions of SkyWalking up to 10.2.0. CVE ID Description Severity Affected Versions CVE-2025-54057 Stored XSS vulnerability in Apache SkyWalking Important Through 10.2.0…
Paris, The Thinker, and why your WAF should block XSS by default

Nov 26, 2025 8:49 PM

Tags: waf, xss

With Thales HQ in Paris, it felt right to detour to the MusÃ©e Rodin and stand before The Thinker, the bronze giant by Auguste Rodin whose clenched posture and chin-in-hand stance have become a universal symbol of deep judgment. Conceived for The Gates of Hell in 1880 and first cast monumentally in 1904, The Thinker……
NDSS 2025 EAGLEYE: Exposing Hidden Web Interfaces In loT Devices Via Routing Analysis

Nov 25, 2025 7:49 PM

Tags: access, attack, backdoor, computing, conference, defense, detection, firmware, injection, intelligence, Internet, iot, network, risk, threat, vulnerability, xss

Session4A: IoT Security Authors, Creators & Presenters: Hangtian Liu (Information Engineering University), Lei Zheng (Institute for Network Sciences and Cyberspace (INSC), Tsinghua University), Shuitao Gan (Laboratory for Advanced Computing and Intelligence Engineering), Chao Zhang (Institute for Network Sciences and Cyberspace (INSC), Tsinghua University), Zicong Gao (Information Engineering University), Hongqi Zhang (Henan Key Laboratory of Information…
NDSS 2025 EvoCrawl: Exploring Web Application Code And State Using Evolutionary Search

Nov 18, 2025 11:49 PM

Tags: Internet, mobile, network, service, vulnerability, wordpress, xss, zero-day

SESSION Session 3C: Mobile Security ———– ———– Authors, Creators & Presenters: Xiangyu Guo (University of Toronto), Akshay Kawlay (University of Toronto), Eric Liu (University of Toronto), David Lie (University of Toronto) ———– PAPER EvoCrawl: Exploring Web Application Code and State using Evolutionary Search As more critical services move onto the web, it has become increasingly…
NDSS 2025 EvoCrawl: Exploring Web Application Code And State Using Evolutionary Search

Nov 18, 2025 11:49 PM

Tags: Internet, mobile, network, service, vulnerability, wordpress, xss, zero-day

SESSION Session 3C: Mobile Security ———– ———– Authors, Creators & Presenters: Xiangyu Guo (University of Toronto), Akshay Kawlay (University of Toronto), Eric Liu (University of Toronto), David Lie (University of Toronto) ———– PAPER EvoCrawl: Exploring Web Application Code and State using Evolutionary Search As more critical services move onto the web, it has become increasingly…
Kibana Vulnerabilities Expose Systems to SSRF and XSS Attacks

Nov 13, 2025 11:49 AM

Tags: advisory, attack, cve, cvss, cyber, data, update, vulnerability, xss

Elastic has released a security advisory addressing an origin validation error in Kibana that could expose systems to Server-Side Request Forgery (SSRF) attacks. The vulnerability, tracked as CVE-2025-37734, affects multiple versions of the popular data visualization and exploration platform and has prompted immediate patching across all affected deployments. CVE ID Vulnerability Affected Versions CVSS Score Fixed Versions…
NDSS 2025 YuraScanner: Leveraging LLMs For Task-driven Web App Scanning4+

Nov 7, 2025 7:20 PM

Tags: attack, conference, detection, LLM, network, tool, vulnerability, xss, zero-day

SESSION Session 2B: Web Security Authors, Creators & Presenters: Aleksei Stafeev (CISPA Helmholtz Center for Information Security), Tim Recktenwald (CISPA Helmholtz Center for Information Security), Gianluca De Stefano (CISPA Helmholtz Center for Information Security), Soheil Khodayari (CISPA Helmholtz Center for Information Security), Glancarlo Pellegrino (CISPA Helmholtz Center for Information Security) PAPER YuraScanner: Leveraging LLMs for…
NDSS 2025 YuraScanner: Leveraging LLMs For Task-driven Web App Scanning4+

Nov 7, 2025 7:20 PM

Tags: attack, conference, detection, LLM, network, tool, vulnerability, xss, zero-day

SESSION Session 2B: Web Security Authors, Creators & Presenters: Aleksei Stafeev (CISPA Helmholtz Center for Information Security), Tim Recktenwald (CISPA Helmholtz Center for Information Security), Gianluca De Stefano (CISPA Helmholtz Center for Information Security), Soheil Khodayari (CISPA Helmholtz Center for Information Security), Glancarlo Pellegrino (CISPA Helmholtz Center for Information Security) PAPER YuraScanner: Leveraging LLMs for…
NDSS 2025 YuraScanner: Leveraging LLMs For Task-driven Web App Scanning4+

Nov 7, 2025 7:20 PM

Tags: attack, conference, detection, LLM, network, tool, vulnerability, xss, zero-day

SESSION Session 2B: Web Security Authors, Creators & Presenters: Aleksei Stafeev (CISPA Helmholtz Center for Information Security), Tim Recktenwald (CISPA Helmholtz Center for Information Security), Gianluca De Stefano (CISPA Helmholtz Center for Information Security), Soheil Khodayari (CISPA Helmholtz Center for Information Security), Glancarlo Pellegrino (CISPA Helmholtz Center for Information Security) PAPER YuraScanner: Leveraging LLMs for…
Pi-hole XSS CVE-2025-53533: kritische Sicherheitslücke entdeckt

Oct 28, 2025 2:26 PM

Tags: bug, cve, dns, software, xss

Pi-hole XSS CVE-2025-53533. In der DNS-Software in der Weboberfläche. Der Template-Fehler im Webfrontend kann gravierende Folgen haben. First seen on tarnkappe.info Jump to article: tarnkappe.info/artikel/cyberangriffe/pi-hole-xss-cve-2025-53533-kritische-sicherheitsluecke-entdeckt-322254.html
Cisco Desk, IP, and Video Phones Vulnerable to Remote DoS and XSS Attacks

Oct 17, 2025 11:07 AM

Tags: attack, cisco, communications, cyber, dos, flaw, phone, risk, service, vulnerability, xss

Multiple Cisco desk, IP, and video phones are at risk of remote denial-of-service (DoS) and cross-site scripting (XSS) attacks due to flaws in their Session Initiation Protocol (SIP) software. The weaknesses affect Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 models when they are registered to Cisco Unified Communications…
Cisco Desk, IP, and Video Phones Vulnerable to Remote DoS and XSS Attacks

Oct 17, 2025 11:07 AM

Tags: attack, cisco, communications, cyber, dos, flaw, phone, risk, service, vulnerability, xss

Multiple Cisco desk, IP, and video phones are at risk of remote denial-of-service (DoS) and cross-site scripting (XSS) attacks due to flaws in their Session Initiation Protocol (SIP) software. The weaknesses affect Desk Phone 9800 Series, IP Phone 7800 and 8800 Series, and Video Phone 8875 models when they are registered to Cisco Unified Communications…
CISA Warns of Actively Exploited Zero-Day XSS Flaw in Zimbra Collaboration Suite

Oct 9, 2025 9:23 AM

Tags: cisa, cve, cybersecurity, exploit, flaw, infrastructure, vulnerability, xss, zero-day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued an urgent alert concerning an actively exploited zero-day vulnerability in the Zimbra Collaboration Suite (ZCS). The flaw, identified as CVE-2025-27915, is a cross-site scripting (XSS) vulnerability that impacts the ZCS Classic Web Client. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/zimbra-zcs-flaw-cve-2025-27915/
CISA Warns of Actively Exploited Zero-Day XSS Flaw in Zimbra Collaboration Suite

Oct 9, 2025 9:23 AM

Tags: cisa, cve, cybersecurity, exploit, flaw, infrastructure, vulnerability, xss, zero-day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued an urgent alert concerning an actively exploited zero-day vulnerability in the Zimbra Collaboration Suite (ZCS). The flaw, identified as CVE-2025-27915, is a cross-site scripting (XSS) vulnerability that impacts the ZCS Classic Web Client. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/zimbra-zcs-flaw-cve-2025-27915/
CISA Alerts on Zimbra Collaboration Suite Zero-Day XSS Flaw Exploited in Ongoing Attacks

Oct 8, 2025 10:50 AM

Tags: attack, cisa, cyber, data, exploit, flaw, malicious, vulnerability, xss, zero-day

CISA has issued a warning about a new zero-day cross-site scripting (XSS) flaw in the Zimbra Collaboration Suite (ZCS). This vulnerability is already in use by attackers to hijack user sessions, steal data, and push malicious filters. Organizations running ZCS should move quickly to apply available fixes or follow guidance to limit risk. Overview of…
CISA Alerts on Zimbra Collaboration Suite Zero-Day XSS Flaw Exploited in Ongoing Attacks

Oct 8, 2025 10:50 AM

Tags: attack, cisa, cyber, data, exploit, flaw, malicious, vulnerability, xss, zero-day

CISA has issued a warning about a new zero-day cross-site scripting (XSS) flaw in the Zimbra Collaboration Suite (ZCS). This vulnerability is already in use by attackers to hijack user sessions, steal data, and push malicious filters. Organizations running ZCS should move quickly to apply available fixes or follow guidance to limit risk. Overview of…
CISA Alerts on Zimbra Collaboration Suite Zero-Day XSS Flaw Exploited in Ongoing Attacks

Oct 8, 2025 10:50 AM

Tags: attack, cisa, cyber, data, exploit, flaw, malicious, vulnerability, xss, zero-day

CISA has issued a warning about a new zero-day cross-site scripting (XSS) flaw in the Zimbra Collaboration Suite (ZCS). This vulnerability is already in use by attackers to hijack user sessions, steal data, and push malicious filters. Organizations running ZCS should move quickly to apply available fixes or follow guidance to limit risk. Overview of…
U.S. CISA adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog

Oct 8, 2025 12:35 AM

Tags: cisa, cve, cybersecurity, exploit, flaw, infrastructure, kev, vulnerability, xss

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Synacor Zimbra Collaboration Suite (ZCS) flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Synacor Zimbra Collaboration Suite (ZCS) flaw, tracked as CVE-2025-27915, to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-27915 is a stored XSS flaw in Zimbra Collaboration Suite (versions 9.010.1)…
Lectora Desktop and Online XSS Vulnerability Enables JavaScript Injection

Sep 23, 2025 10:16 AM

Tags: cyber, flaw, injection, risk, vulnerability, xss

A critical cross-site scripting (XSS) vulnerability affecting both Lectora Desktop and Lectora Online has been disclosed, enabling attackers to inject JavaScript through crafted URL parameters. Discovered by security researcher Mohammad Jassim and documented by the CERT® Coordination Center on September 22, 2025, this flaw poses a risk of client-side code execution, session hijacking, and user…
Recap of Our “Passkeys Pwned” Talk at DEF CON

Sep 19, 2025 10:16 AM

Tags: access, api, attack, authentication, awareness, best-practice, business, crypto, encryption, endpoint, exploit, fido, flaw, identity, injection, login, malicious, malware, mfa, passkey, risk, saas, supply-chain, technology, threat, training, unauthorized, update, vulnerability, xss

What the “Passkeys Pwned” talk is and isn’t about, and what it reveals about the importance of correct implementation of the standard The Passkeys Pwned Talk Summary As outlined in the DEF CON abstract below, the Passkeys Pwned attack highlights a passkey implementation flaw, specifically that of WebAuthn in the registration and authentication process. The Passkey Pwned…