Aggregator

AI Agent Can Access File Upload API to Exfiltrate Documents
Security researchers have demonstrated how Anthropic's new Claude Cowork productivity agent can be tricked into stealing user files and uploading them to an attacker's account, exploiting a vulnerability the company allegedly knew about.

AI Agent Can Access File Upload API to Exfiltrate Documents
Security researchers have demonstrated how Anthropic's new Claude Cowork productivity agent can be tricked into stealing user files and uploading them to an attacker's account, exploiting a vulnerability the company allegedly knew about.

via the comic artistry and dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Funny Numbers’ appeared first on Security Boulevard.

ChatGPT Health promises robust data protection, but elements of the rollout raise big questions regarding user security and safety.

Visualize web and API coverage, validate attack paths, and confirm every executed action with screenshots and logs in Escape

The post How to Visualize Web & API Coverage with Screenshots and Validate Attack Paths in Escape appeared first on Security Boulevard.

The Weekly Whiskey 01/19/2025

Как физики-ядерщики спасли китайские смартфоны и дата-центры.

Acuity Insurance Allegedly Breached, Exposing 9 Million Illinois Customer Records with Detailed Demographics

A seemingly simple phone call became the gateway to a sophisticated attack that diverted employee paychecks without any malware or network breach. An organization discovered this fraud when workers reported missing salary deposits. The attacker had modified direct-deposit information to funnel payments into accounts under their control. This incident reveals a troubling trend where threat […]

The post Attackers Redirected Employee Paychecks Without Breaching a Single System appeared first on Cyber Security News.

Cybersecurity researchers have disclosed details of a security flaw that leverages indirect prompt injection targeting Google Gemini as a way to bypass authorization guardrails and use Google Calendar as a data extraction mechanism. The vulnerability, Miggo Security's Head of Research, Liad Eliyahu, said, made it possible to circumvent Google Calendar's privacy controls by hiding a dormant

The U.K. government is warning of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the country in disruptive denial-of-service (DDoS) attacks. [...]

A vulnerability was found in Apache Linkis up to 1.7.0 and classified as problematic. Impacted is the function org.apache.linkis.metadata.util.HiveUtils.decode. Executing a manipulation can lead to sensitive information in log files. This vulnerability is registered as CVE-2025-59355. The attack requires access to the local network. No exploit is available. It is suggested to upgrade the affected component.

A vulnerability was found in Apache Linkis up to 1.7.0. It has been classified as problematic. The affected element is an unknown function of the component JDBC Engine. The manipulation leads to information disclosure. This vulnerability is documented as CVE-2025-29847. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is recommended.

A vulnerability, which was classified as critical, has been found in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. This vulnerability is documented as CVE-2026-1149. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability, which was classified as critical, was found in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command injection. This vulnerability is reported as CVE-2026-1150. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability has been found in technical-laohu mpay up to 1.2.4 and classified as problematic. The affected element is an unknown function of the component User Center. This manipulation of the argument Nickname causes cross site scripting. This vulnerability appears as CVE-2026-1151. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability was found in technical-laohu mpay up to 1.2.4 and classified as critical. The impacted element is an unknown function of the component QR Code Image Handler. Such manipulation of the argument codeimg leads to unrestricted upload. This vulnerability is traded as CVE-2026-1152. The attack may be launched remotely. Furthermore, there is an exploit available.