vulnerability
CISA extends funding to ensure 'no lapse in critical CVE services'
https://www.bleepingcomputer.com/news/security/cisa-extends-funding-to-ensure-no-lapse-in-critical-cve-services/
CISA says the U.S. government has extended MITRE's funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.
Added 1 month ago
CVE Foundation
https://www.thecvefoundation.org/home
The Common Vulnerabilities and Exposures (CVE) Program has become the cornerstone of vulnerability management. Nearly all technology vendors and service providers identify vulnerabilities with CVEs when they publish security advisories. Most security products and services related to vulnerabilities
Added 1 month ago
CVE program faces swift end after DHS fails to renew contract, leaving security flaw tracking in limbo
https://www.csoonline.com/article/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html
After DHS did not renew its funding contract for reasons unspecified, MITRE’s 25-year-old Common Vulnerabilities and Exposures (CVE) program was slated for an abrupt shutdown on April 16, which would have left security flaw tracking in limbo. CISA stepped in to provide a bridge.
Added 1 month ago
AI-hallucinated code dependencies become new supply chain risk
https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/
A new class of supply chain attacks named 'slopsquatting' has emerged from the increased use of generative AI tools for coding and these models' tendency to "hallucinate" non-existent package names.
Added 1 month ago
Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
Added 1 month ago
Harden-Runner detection: tj-actions/changed-files action is compromised - StepSecurity
https://search.app/nz29ggeNi26oEF8q9
Added 1 month ago
Sign in as anyone: Bypassing SAML SSO authentication with parser differentials - The GitHub Blog
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/
Critical authentication bypass vulnerabilities were discovered in ruby-saml up to version 1.17.0. See how they were uncovered.
Added 1 month ago
Paul Butler – Smuggling arbitrary data through an emoji
https://paulbutler.org/2025/smuggling-arbitrary-data-through-an-emoji/
Added 1 month ago
DeepSeek Jailbreak Reveals Its Entire System Prompt
https://www.darkreading.com/application-security/deepseek-jailbreak-system-prompt
Added 1 month ago
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - Flatt Security
https://flatt.tech/research/posts/compromising-openwrt-supply-chain-sha256-collision/
Introduction
Hello, I’m RyotaK (@ryotkak), a security engineer at Flatt Security Inc.
A few days ago, I was upgrading my home lab network, and I decided to upgrade the OpenWrt on my router. After accessing the LuCI, which is the web interface of OpenWrt, I noticed that there is a section called Attended Sysupgrade, so I tried to upgrade the firmware using it.
After reading the description, I found that it states it builds new firmware using an online service.
Added 1 month ago
Google Claims World First As AI Finds 0-Day Security Vulnerability
https://www.forbes.com/sites/daveywinder/2024/11/04/google-claims-world-first-as-ai-finds-0-day-security-vulnerability/
Google’s Project Zero hackers and DeepMind boffins have collaborated to uncover a zero-day security vulnerability in real-world code for the first time using AI.
Added 1 month ago
OpenSSF Adds Minder as a Sandbox Project to Simplify the Integration and Use of Open Source Security Tools
https://openssf.org/blog/2024/10/28/openssf-adds-minder-as-a-sandbox-project-to-simplify-the-integration-and-use-of-open-source-security-tools/
Added 1 month ago
Critical doomsday Linux bug is CUPS-based vulnerability • The Register
https://www.theregister.com/2024/09/26/unauthenticated_rce_bug_linux/
No patches yet, can be mitigated, requires user interaction
Added 1 month ago
Critical Unauthenticated RCE Flaw Impacts all GNU/Linux systems
https://cybersecuritynews.com/critical-unauthenticated-rce-flaw/
Critical unauthenticated RCE flaw; no CVE identifiers have been assigned yet, although experts suggest there should be at least three to six.
Added 1 month ago
We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/
Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries.
Summary
What started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel rooms - has now seemingly become a
Added 1 month ago
EUCLEAK - NinjaLab
https://ninjalab.io/eucleak/
Abstract: Secure elements are small microcontrollers whose main purpose is to generate/store secrets and then execute cryptographic operations. They undergo the highest level of security evaluations that exists (Common Criteria) and are often considered inviolable, even in the worst-case attack scenarios. Hence, complex secure […]
Added 1 month ago
Bypassing airport security via SQL injection
https://ian.sh/tsa
We discovered a serious vulnerability in the Known Crewmember (KCM) and Cockpit Access Security System (CASS) programs used by the Transportation Security Administration.
Added 1 month ago
Nuclei: Open-source vulnerability scanner - Help Net Security
https://www.helpnetsecurity.com/2024/08/26/nuclei-open-source-vulnerability-scanner/
Nuclei is a fast and customizable open-source vulnerability scanner powered by YAML-based templates. With its flexible templating system, Nuclei can be
Added 1 month ago
OpenSSH Backdoors
https://blog.isosceles.com/openssh-backdoors/
Imagine this: an OpenSSH backdoor is discovered, maintainers rush to push out a fixed release package, security researchers trade technical details on mailing lists to analyze the backdoor code. Speculation abounds on the attribution and motives of the attacker, and the tech media pounces on the story. A near miss
Added 1 month ago
Open Source Firewall pfsense Vulnerable to Remote Code Execution Attacks
https://cybersecuritynews.com/open-source-firewall-pfsense-vulnerable/
A vulnerability in the popular open-source firewall software pfSense has been identified, allowing for remote code execution (RCE) attacks.
Added 1 month ago
New Flaws in Sonos Smart Speakers Allow Hackers to Eavesdrop on Users
https://thehackernews.com/2024/08/new-flaws-in-sonos-smart-speakers-allow.html?m=1
Added 1 month ago
Critical AWS Vulnerabilities Allow S3 Attack Bonanza
https://www.darkreading.com/remote-workforce/critical-aws-vulnerabilities-allow-s3-attack-bonanza
Added 1 month ago
https://www.scmagazine.com/news/critical-vulnerabilities-in-6-aws-services-disclosed-at-black-hat-usa
Added 1 month ago