Aggregator

A vulnerability, which was classified as critical, was found in WebKitGTK and WPE WebKit up to 2.50.3. Impacted is an unknown function of the component Web Handler. Such manipulation leads to memory corruption. This vulnerability is listed as CVE-2025-43535. The attack may be performed from remote. There is no available exploit. You should upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in WebKitGTK and WPE WebKit up to 2.50.3. This issue affects some unknown processing of the component Web Handler. This manipulation causes race condition. This vulnerability is tracked as CVE-2025-43531. The attack is possible to be carried out remotely. No exploit exists. It is advisable to upgrade the affected component.

A vulnerability classified as critical was found in WebKitGTK and WPE WebKit up to 2.50.3. This vulnerability affects unknown code of the component Web Handler. The manipulation results in buffer overflow. This vulnerability is identified as CVE-2025-43501. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is advised.

XM Cyber announced an update to its platform that connects External Attack Surface Management with internal risk validation, closing the gap between what’s exposed outside and what exists inside. XM Cyber allows security teams to instantly see not just what is externally exposed, but also gain a strategic view on how external exposures chain together with internal, exploitable vulnerabilities to threaten critical business assets. These enhancements provide a seamless, end-to-end approach, using validated exploitable attack … More →

The post XM Cyber bridges external attack surface management with validated internal attack paths appeared first on Help Net Security.

A vulnerability classified as problematic has been found in Proliz OBS Student Affairs Information System up to 26.5008. This affects an unknown part. The manipulation leads to cross site scripting. This vulnerability is referenced as CVE-2025-14347. Remote exploitation of the attack is possible. No exploit is available. It is recommended to upgrade the affected component.

«Запасной канал» или новая монополия?

德州检察长 Ken Paxton 起诉五大制造商三星、LG、索尼、海信和 TCL，指控未经同意监视用户。新闻稿指控五大电视制造商使用 Automated Content Recognition(‘ACR’) 技术非法收集用户个人数据，称 ACR 像一个不请自来的隐形数字入侵者。这种软件能每 500 毫秒对电视屏幕进行截图，实时监控观看活动，在用户不知情或未经同意下将这些信息传输回公司。然后出售消费者信息获利，这些信息被用于跨平台投放定向广告。该技术将用户隐私和敏感信息如密码和银行信息置于风险之中。Paxton 的新闻稿还指出，海信和 TCL 总部在中国，称两家公司的中国关系引发了对消费者数据收集的严重担忧。

Hadrian launched the latest iteration of its offensive Agentic AI Platform, designed to take an offensive approach to find external exposures and test them for exploitability. Instead of waiting for attacks to happen, Hadrian’s AI agents act like hackers themselves, probing, testing, and exploiting vulnerabilities before malicious actors ever get the chance. Hackers turn to AI Recent research shows that hackers are increasingly deploying AI and AI agents to carry out attacks. From ransomware gangs … More →

The post Hadrian launches offensive agentic AI to expose vulnerabilities before attackers appeared first on Help Net Security.

U.S. CISA adds a vulnerability impacting multiple products to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Fortinet Multiple Products Improper Verification of Cryptographic Signature Vulnerability, tracked as CVE-2025-59718 (CVSS Score of 9.1), to its Known Exploited Vulnerabilities (KEV) catalog. Threat actors started exploiting two critical flaws, tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS score of 9.1), […]

A new campaign named GhostPoster has leveraged logo files associated with 17 Mozilla Firefox browser add-ons to embed malicious JavaScript code designed to hijack affiliate links, inject tracking code, and commit click and ad fraud. The extensions have been collectively downloaded over 50,000 times, according to Koi Security, which discovered the campaign. The add-ons are no longer available.

Ведомство предупредило о рисках использования «серой» измерительной техники в оборонном секторе.

作者：Bin Wang, Hui Li, Liyang Zhang等 译者：知道创宇404实验室翻译组 原文链接：https://arxiv.org/html/2512.08326v1 摘要 代码仓库中的敏感信息泄露已成为一项关键的安全挑战。传统检测方法依赖正则表达式、指纹特征和高熵计算，存在误报率高的问题，这不仅降低了检测效率，还大幅增加了开发人员的人工筛选负担。近年来，大型语言模型（LL...

英国气象局宣布 2025 年是自 1910 年有记录以来英国阳光最充足的一年。2025 年还有两周结束，但已记录到 1622 小时的日照时间，打破了 2003 年创下的纪录。除 2 月和 10 月外，所有月份日照时间高于平均水平。气候变化正以多种方式影响天气——气温升高、冬季更潮湿、夏季更干燥——但气候变化与日照时长之间的联系仍然不明确。英国气象局表示这一趋势的原因尚不明确。

Администрация президента запустила программу по ускоренному набору IT-специалистов.

A vulnerability described as problematic has been identified in Live Composer Plugin up to 2.0.2 on WordPress. Affected by this issue is some unknown functionality. Executing manipulation can lead to cross site scripting. The identification of this vulnerability is CVE-2025-13537. The attack may be launched remotely. There is no exploit available.

A vulnerability marked as problematic has been reported in Ultimate Member Plugin up to 2.11.0 on WordPress. Affected by this vulnerability is the function um_profile_field_filter_hook__youtube_video. Performing manipulation of the argument Value results in cross site scripting. This vulnerability was named CVE-2025-13217. The attack may be initiated remotely. There is no available exploit.

A vulnerability labeled as critical has been found in Ultimate Member Plugin up to 2.11.0 on WordPress. Affected is the function required_perm of the component Setting Handler. Such manipulation leads to improper access controls. This vulnerability is uniquely identified as CVE-2025-14081. The attack can be launched remotely. No exploit exists.

A vulnerability identified as problematic has been detected in GROWI up to 7.3.3. This impacts an unknown function. This manipulation causes cross-site request forgery. This vulnerability is handled as CVE-2025-64700. The attack can be initiated remotely. There is not any exploit available.

A vulnerability categorized as problematic has been discovered in Arcadia Crafty Controller up to 4.6.1. This affects an unknown function of the component Server MOTD. The manipulation results in cross site scripting. This vulnerability is known as CVE-2025-14701. It is possible to launch the attack remotely. No exploit is available. It is advisable to upgrade the affected component.

A vulnerability was found in Fuji Electric Monitouch V-SFT-6 up to 6.2.7.0. It has been rated as critical. The impacted element is an unknown function of the component Project File Handler. The manipulation leads to out-of-bounds write. This vulnerability is traded as CVE-2025-53524. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.