Aggregator

A vulnerability described as problematic has been identified in Facebook Pixel up to 7.x-1.1 on Drupal. The impacted element is an unknown function. Such manipulation leads to cross site scripting. This vulnerability is referenced as CVE-2025-14557. It is possible to launch the attack remotely. No exploit is available.

A vulnerability was found in Neoteroi BlackSheep up to 2.4.5. It has been classified as critical. This affects an unknown function. The manipulation leads to http response splitting. This vulnerability is traded as CVE-2026-22779. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability marked as critical has been reported in Juniper Junos OS up to 22.2R1 on MX. Impacted is an unknown function of the component Advanced Forwarding Management. This manipulation causes out-of-bounds read. This vulnerability is handled as CVE-2024-30401. The attack can be initiated remotely. There is not any exploit available. It is suggested to upgrade the affected component.

A vulnerability classified as critical has been found in Mahlamusa Multi Purpose Mail Form Plugin up to 1.0.2 on WordPress. This impacts an unknown function. The manipulation leads to unrestricted upload. This vulnerability is referenced as CVE-2024-50526. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability was found in YouPHPTube up to 7.8 and classified as critical. The affected element is an unknown function of the file locale/function.php. Executing a manipulation of the argument lang can lead to path traversal. This vulnerability appears as CVE-2021-47749. The attack requires local access. In addition, an exploit is available.

A vulnerability classified as critical was found in HPE ArubaOS up to 8.10.0.20/8.13.1.0. This affects an unknown function. Executing a manipulation can lead to command injection. This vulnerability is tracked as CVE-2025-37176. The attack can be launched remotely. No exploit exists.

A vulnerability described as critical has been identified in Wux Blog Editor Plugin up to 3.0.0 on WordPress. This affects an unknown part. Such manipulation leads to unrestricted upload. This vulnerability is listed as CVE-2024-9932. The attack may be performed from remote. There is no available exploit.

A coordinated campaign has been observed targeting a recently disclosed critical-severity vulnerability that has been present in the GNU InetUtils telnetd server for 11 years. [...]

Американские инвесторы получили контрольный пакет акций в новом проекте TikTok USDS.

For years, cybersecurity strategy revolved around a simple goal: keep attackers out. That mindset no longer matches reality. Today’s threat landscape assumes compromise. Adversaries do not just encrypt data and demand payment. They exfiltrate it, resell it, reuse it, and weaponize it long after the initial breach. As we look toward 2026, cyber resilience, not..

The post The New Rules of Cyber Resilience in an AI-Driven Threat Landscape appeared first on Security Boulevard.

A vulnerability described as critical has been identified in Samba. The impacted element is an unknown function of the component Bad Password Lockout. Such manipulation leads to race condition. This vulnerability is documented as CVE-2021-20251. The attack can be executed remotely. There is not any exploit available. Applying a patch is advised to resolve this issue.

A vulnerability classified as critical was found in Oracle Database 18c. This issue affects some unknown processing of the component Core RDBMS. Executing a manipulation can lead to numeric error. The identification of this vulnerability is CVE-2016-9843. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is advised.

A vulnerability labeled as problematic has been found in Linux Kernel up to 5.12/6.1.82/6.6.22/6.7.10/6.8.1. This vulnerability affects unknown code of the component nvme. Such manipulation leads to allocation of resources. This vulnerability is documented as CVE-2024-27435. The attack requires being on the local network. There is not any exploit available. The affected component should be upgraded.

A vulnerability was found in Linux Kernel up to 5.15.159/6.1.91/6.6.31/6.8.10/6.9.1. It has been declared as critical. This affects an unknown function of the component mediatek. The manipulation results in memory corruption. This vulnerability is reported as CVE-2024-36965. The attacker must have access to the local network to execute the attack. No exploit exists. It is recommended to upgrade the affected component.

A vulnerability labeled as critical has been found in Linux Kernel up to 5.15.152/6.1.82/6.6.22/6.7.10/6.8.1. The affected element is the function mtk_ppe_stop of the component Ethernet. Executing a manipulation can lead to denial of service. This vulnerability is registered as CVE-2024-27432. The attack requires access to the local network. No exploit is available. The affected component should be upgraded.

Artificial intelligence (AI) systems rarely fail in obvious ways. No red error screen. No crashed service. No broken button. They fail quietly. Outputs look confident...Read More

The post Shift Left QA for AI Systems. Catching Model Risk Before Production appeared first on ISHIR | Custom AI Software Development Dallas Fort-Worth Texas.

The post Shift Left QA for AI Systems. Catching Model Risk Before Production appeared first on Security Boulevard.

Session 9D: Github + OSN Security

Authors, Creators & Presenters: Jan-Ulrich Holtgrave (CISPA Helmholtz Center for Information Security), Kay Friedrich (CISPA Helmholtz Center for Information Security), Fabian Fischer (CISPA Helmholtz Center for Information Security), Nicolas Huaman (Leibniz University Hannover), Niklas Busch (CISPA Helmholtz Center for Information Security), Jan H. Klemmer (CISPA Helmholtz Center for Information Security), Marcel Fourné (Paderborn University), Oliver Wiese (CISPA Helmholtz Center for Information Security), Dominik Wermke (North Carolina State University), Sascha Fahl (CISPA Helmholtz Center for Information Security)

PAPER
Attributing Open-Source Contributions is Critical but Difficult: A Systematic Analysis of GitHub Practices and Their Impact on Software Supply Chain Security

Critical open-source projects form the basis of many large software systems. They provide trusted and extensible implementations of important functionality for cryptography, compatibility, and security. Verifying commit authorship authenticity in open-source projects is essential and challenging. Git users can freely configure author details such as names and email addresses. Platforms like GitHub use such information to generate profile links to user accounts. We demonstrate three attack scenarios malicious actors can use to manipulate projects and profiles on GitHub to appear trustworthy. We designed a mixed-research study to assess the effect on critical open-source software projects and evaluated countermeasures. First, we conducted a large-scale measurement among 50,328 critical open-source projects on GitHub and demonstrated that contribution workflows can be abused in 85.9% of the projects. We identified 573,043 email addresses that a malicious actor can claim to hijack historic contributions and improve the trustworthiness of their accounts. When looking at commit signing as a countermeasure, we found that the majority of users (95.4%) never signed a commit, and for the majority of projects (72.1%), no commit was ever signed. In contrast, only 2.0% of the users signed all their commits, and for 0.2% of the projects all commits were signed. Commit signing is not associated with projects' programming languages, topics, or other security measures. Second, we analyzed online security advice to explore the awareness of contributor spoofing and identify recommended countermeasures. Most documents exhibit awareness of the simple spoofing technique via Git commits but no awareness of problems with GitHub's handling of email addresses.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – Attributing Open-Source Contributions Is Critical But Difficult appeared first on Security Boulevard.

意大利公司 Bending Spoons 在 2023 年收购知名笔记应用印象笔记（Evernote）后解雇了所有员工，它在 2025 年 9 月以 13.8 亿美元收购视频网站 Vimeo 后做了同样的事情。Vimeo 前品牌副总裁 Dave Brown 在 LinkedIn 上表示，裁员影响了“公司大部分员工”。一位视频工程师称“几乎所有人”都被解雇了，“包括整个视频团队”，另一位软件工程师表示他和“公司绝大多数人”一起失去了工作。

GitHub-CVE 监控平台 by ourren

我对流量安全风险感知的思考和实践 by ourren

2026汽车及智能化设备网络安全威胁报告 by ourren

杀伤链与作战管理深化研究 by ourren

国外星间组网技术发展调研报告 by ourren

Annual Security Reports 年度安全报告 by ourren

2025年全球国防网络空间情况综述（演习竞赛篇） by ourren

更多最新文章，请访问SecWiki

A vulnerability, which was classified as problematic, was found in PHP up to 8.1.7. This issue affects the function finfo_buffer of the component libmagic. The manipulation results in free of memory not on the heap. This vulnerability is reported as CVE-2022-31627. The attack can be launched remotely. No exploit exists. You should upgrade the affected component.