Tag: xss
-
PolyShell flaw exposes Magento and Adobe Commerce to file upload attacks
Sansec found a Magento and Adobe Commerce REST API flaw, named PolyShell, which allows unauthenticated file uploads and possible XSS in older versions. Sansec disclosed a critical flaw in the Magento and Adobe Commerce REST API that allows attackers to upload executable files without authentication. The issue affects versions up to 2.4.9-alpha2 and could also…
-
The Invisible Breach: ‘Operation GhostMail’ Uses Zero-Click XSS to Hijack Ukrainian Webmail
The post The Invisible Breach: ‘Operation GhostMail’ Uses Zero-Click XSS to Hijack Ukrainian Webmail appeared first on Daily CyberSecurity. First seen on securityonline.info Jump to article: securityonline.info/invisible-breach-operation-ghostmail-zero-click-xss-ukraine/
-
Russian APT targets Ukraine via Zimbra XSS flaw CVE-2025-66376
Russian APT exploits a critical XSS flaw in Zimbra, tracked as CVE-2025-66376, running scripts via HTML emails to target users in Ukraine. Russia-linked threat actor exploits a high-severity XSS vulnerability, tracked as CVE-2025-66376 (CVSS score of 7.2), in Zimbra Collaboration. Attackers exploited insufficiently sanitized HTML emails to run scripts when opened, targeting users in Ukraine.…
-
CISA orders feds to patch Zimbra XSS flaw exploited in attacks
CISA has ordered U.S. government agencies to secure their servers against an actively exploited vulnerability in the Zimbra Collaboration Suite (ZCS). First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-zimbra-xss-flaw-exploited-in-attacks/
-
Angular XSS Vulnerability Threatens Thousands of Web Applications
A high-severity Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-32635, has been discovered in Angular, one of the world’s most widely used web application frameworks. This flaw resides in the Angular runtime and compiler and affects internationalisation (i18n) attribute bindings. If exploited, it allows threat actors to bypass built-in sanitisation mechanisms and cleanly inject malicious scripts…
-
Angular i18n Flaw Lets Hackers Execute Malicious Code via Critical XSS Vulnerability
A high-severity security flaw has been discovered in Angular, one of the most popular web application frameworks. This vulnerability, tracked as CVE-2026-27970, affects the framework’s internationalization (i18n) pipeline. If exploited, it allows attackers to execute malicious code within an application, posing a significant risk to user data and application integrity. The Core of the Vulnerability…
-
Stored XSS Vulnerability in RustFS Console Puts S3 Admin Credentials at Risk
A critical security flaw has been identified in the RustFS Console, exposing administrators to a high risk of account takeover. Tracked as CVE-2026-27822, this Stored Cross-Site Scripting (XSS) vulnerability carries a critical CVSS v3 score of 10.0 and affects versions of the Rust package before 1.0.0-alpha.82. The vulnerability allows an attacker to execute arbitrary JavaScript…
-
Firefox 148 Unveils New Sanitizer API to Mitigate XSS Attacks in Web Applications
Firefox has launched a major update to help protect web applications from Cross-Site Scripting (XSS) attacks. With the release of Firefox 148, Mozilla introduces the new standardized Sanitizer API, making it the first browser to ship this built-in security tool. This new feature gives web developers an easy way to clean up untrusted code before…
-
Multiple Zero-Day Flaws in PDF Platforms Enable XSS and One-Click Attacks
16 zero-day security flaws found in Foxit and Apryse PDF platforms could lead to account takeover and RCE. Learn how AI identified these risks. First seen on hackread.com Jump to article: hackread.com/zero-day-flaws-pdf-platforms-xss-one-click-attacks/
-
Jenkins Vulnerabilities Exposes Build Environments to XSS Attacks
A popular open-source automation server used by developers worldwide to build, test, and deploy software faces serious security risks from recent flaws. On February 18, 2026, two vulnerabilities were detailed in the core Jenkins software. The most significant issue is a stored cross-site scripting (XSS) vulnerability that could allow attackers to inject malicious scripts into…
-
Critical Jenkins Flaw Exposes Build Environments to XSS Attacks
A popular open-source automation server used by developers worldwide to build, test, and deploy software faces serious security risks from recent flaws. On February 18, 2026, two vulnerabilities were detailed in the core Jenkins software. The most critical issue is a stored cross-site scripting (XSS) vulnerability that could allow attackers to inject malicious scripts into…
-
Critical Jenkins Flaw Exposes Build Environments to XSS Attacks
A popular open-source automation server used by developers worldwide to build, test, and deploy software faces serious security risks from recent flaws. On February 18, 2026, two vulnerabilities were detailed in the core Jenkins software. The most critical issue is a stored cross-site scripting (XSS) vulnerability that could allow attackers to inject malicious scripts into…
-
XSS Bug in VS Code Extension Exposed Local Files
An XSS flaw in the VS Code Live Preview extension exposed developers’ local files and credentials through the localhost server. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/xss-bug-in-vs-code-extension-exposed-local-files/
-
Flaws in four popular VS Code extensions left 128 million installs open to attack
Tags: access, api, attack, cloud, credentials, cve, flaw, infrastructure, malicious, microsoft, risk, supply-chain, tool, update, vulnerability, xssMicrosoft quietly patched its own extension: The fourth vulnerability played out differently. Microsoft’s Live Preview extension, with 11 million downloads, contained a cross-site scripting flaw that, according to OX Security, let a malicious web page enumerate files in the root of a developer’s machine and exfiltrate credentials, access keys, and other secrets.The researchers reported the…
-
Zimbra Issues Security Update to Address XSS, XXE, and LDAP Injection Flaws
Zimbra has officially released a critical security update, version 10.1.16, addressing multiple high-severity vulnerabilities that could compromise email infrastructure and user data. The company has classified this patch with a >>High<< security severity rating, urging administrators to prioritize the upgrade to mitigate risks associated with web-based attacks. The update primarily focuses on closing gaps related…
-
FortiSandbox XSS Vulnerability Allows Remote Command Execution
Fortinet disclosed an XSS flaw in FortiSandbox that could allow unauthenticated remote command execution. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/fortisandbox-xss-vulnerability-allows-remote-command-execution/
-
Foxit Releases Security Updates for PDF Editor Cloud XSS Vulnerabilities
Foxit Software has released security updates addressing multiple cross-site scripting (XSS) vulnerabilities affecting Foxit PDF Editor Cloud and Foxit eSign, closing gaps that could have allowed attackers to execute arbitrary JavaScript within a user’s browser. The patches were issued as part of Foxit’s ongoing security and stability improvements, with the most recent update for Foxit PDF Editor Cloud released…
-
StealC malware control panel flaw leaks details on active attacker
Researchers uncovered an XSS flaw in StealC malware’s control panel, exposing key details about a threat actor using the info stealer. StealC is an infostealer that has been active since at least 2023, sold as Malware-as-a-Service to steal cookies and passwords. In 2025, its operators released StealC v2, but the web panel quickly leaked and…
-
CISA’s secure-software buying tool had a simple XSS vulnerability of its own
A researcher who discovered the vulnerability said it was fixed in December, after he first reported it to the agency in September. First seen on cyberscoop.com Jump to article: cyberscoop.com/cisa-secure-software-buying-tool-had-a-simple-xss-vulnerability-of-its-own/
-
OWASP CRS Flaw Lets Encoded Attacks Slip Past WAFs
A critical OWASP CRS flaw allows encoded XSS attacks to bypass WAF charset validation. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/owasp-crs-flaw-lets-encoded-attacks-slip-past-wafs/
-
2025 Year of Browser Bugs Recap:
Tags: access, ai, api, attack, authentication, awareness, browser, cctv, chrome, cloud, communications, computer, credentials, crypto, cyber, data, data-breach, detection, edr, email, endpoint, exploit, flaw, gartner, google, guide, identity, injection, leak, login, malicious, malware, network, openai, passkey, password, phishing, ransom, ransomware, risk, saas, service, threat, tool, update, vulnerability, windows, xss, zero-dayAt the beginning of this year, we launched the Year of Browser Bugs (YOBB) project, a commitment to research and share critical architectural vulnerabilities in the browser. Inspired by the iconic Months of Bugs tradition in the 2000s, YOBB was started with a similar purpose”Š”, “Što drive awareness and discussion around key security gaps and…
-
Ivanti warns customers of new EPM flaw enabling remote code execution
Ivanti warns users to address a newly disclosed Endpoint Manager vulnerability that could let attackers execute code remotely. Software firm Ivanti addressed a newly disclosed vulnerability, tracked as CVE-2025-10573 (CVSS score 9.6), in its Endpoint Manager (EPM) solution. The vulnerability is a Stored XSS that could allow a remote unauthenticated attacker to execute arbitrary >>Stored…
-
CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV
Tags: cisa, cve, cybersecurity, exploit, flaw, infrastructure, kev, linux, software, vulnerability, windows, xssThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation.The vulnerability in question is CVE-2021-26829 (CVSS score: 5.4), a cross-site scripting (XSS) flaw that affects Windows and Linux versions of the software via First seen on…
-
Apache SkyWalking Flaw Allows Attackers to Launch XSS Attacks
A recently discovered vulnerability in Apache SkyWalking, a popular application performance monitoring tool, could allow attackers to execute malicious scripts and launch cross-site scripting (XSS) attacks. The flaw, identified as CVE-2025-54057, affects all versions of SkyWalking up to 10.2.0. CVE ID Description Severity Affected Versions CVE-2025-54057 Stored XSS vulnerability in Apache SkyWalking Important Through 10.2.0…
-
Apache SkyWalking Flaw Allows Attackers to Launch XSS Attacks
A recently discovered vulnerability in Apache SkyWalking, a popular application performance monitoring tool, could allow attackers to execute malicious scripts and launch cross-site scripting (XSS) attacks. The flaw, identified as CVE-2025-54057, affects all versions of SkyWalking up to 10.2.0. CVE ID Description Severity Affected Versions CVE-2025-54057 Stored XSS vulnerability in Apache SkyWalking Important Through 10.2.0…
-
Paris, The Thinker, and why your WAF should block XSS by default
With Thales HQ in Paris, it felt right to detour to the Musée Rodin and stand before The Thinker, the bronze giant by Auguste Rodin whose clenched posture and chin-in-hand stance have become a universal symbol of deep judgment. Conceived for The Gates of Hell in 1880 and first cast monumentally in 1904, The Thinker……
-
NDSS 2025 EAGLEYE: Exposing Hidden Web Interfaces In loT Devices Via Routing Analysis
Session4A: IoT Security Authors, Creators & Presenters: Hangtian Liu (Information Engineering University), Lei Zheng (Institute for Network Sciences and Cyberspace (INSC), Tsinghua University), Shuitao Gan (Laboratory for Advanced Computing and Intelligence Engineering), Chao Zhang (Institute for Network Sciences and Cyberspace (INSC), Tsinghua University), Zicong Gao (Information Engineering University), Hongqi Zhang (Henan Key Laboratory of Information…