Latest News

Find out where and how victims can report online scams to prevent more victims and possibly recover funds.

Have you been scammed online? Here are some tips to limit the damage and follow up steps you may find useful

CardinalOps' report shows that organizations are struggling to keep up with the evolution of the latest threats while a significant number of detection rules remain non-functional.

Malicious npm packages found with hidden endpoints that wipe systems on command. Devs warned to check dependencies for express-api-sync, system-health-sync-api.

### Summary In the HAX site editor, users can create a website block to load another site in an iframe. The application allows users to supply a target URL in the website block. When the HAX site is visited, the client's browser will query the supplied URL. ### Affected Resources - [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868) - `https://<site>/<user>/system/api/saveNode` ### PoC 1. Set the URL in an iframe pointing to an attacker-controlled server running Responder  2. Once another user visits the site, they are prompted to sign in.  3. If a user inputs credentials, the username and password hash are outputted in Responder.  ### Impact An au...

### Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. ### Workarounds For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on your Requests Session ([docs](https://requests.readthedocs.io/en/latest/api/#requests.Session.trust_env)). ### References https://github.com/psf/requests/pull/6965 https://seclists.org/fulldisclosure/2025/Jun/2

### Summary An authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). ### Details The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS like in[ HAXCMSSite.php line 1248](https://github.com/haxtheweb/haxcms-php/blob/b158d8ba1f9602af92ab084fd03b418f953079fd/system/backend/php/lib/HAXCMSSite.php#L1248) to resolve and load the content for a given node. I...

### Summary The application does not sufficiently sanitize user input, allowing for the execution of arbitrary JavaScript code. The 'saveNode' and 'saveManifest' endpoints take user input and store it in the JSON schema for the site. This content is then rendered in the generated HAX site. Although the application does not allow users to supply a 'script' tag, it does allow the use of other HTML tags to run JavaScript. ### Affected Resources - [Operations.php:258](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L258) `saveManifest()` - [Operations.php:868](https://github.com/haxtheweb/haxcms-php/blob/master/system/backend/php/lib/Operations.php#L868) `saveNode()` - `https://<site>/<user>/system/api/saveNode` - `https://<site>/<user>/system/api/saveManifest` ### Impact An authenticated attacker can use the site editor and settings editor to store malicious payloads in a HAX site which execute arbitrary JavaScript when a user visits the sit...

A Chroma database operated by Russian AI chatbot startup My Jedai was found exposed online, leaking survey responses…

SentinelLABS uncovers widespread China-linked cyber espionage targeting over 70 global organizations and cybersecurity firms between July 2024 and…