#auth

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution). This issue affects CrafterCMS: from 4.0.0 through 4.2.2.

## Impact Using the `/locales/locale.json` with the `locale` and `namespace` query parameters, a malicious actor is able to execute arbitrary code, without being authenticated. With the ability to execute arbitrary code, this vulnerability can be exploited in an infinite number of ways. It could be used to gain access to the Panel's server, read credentials from the Panel's config (`.env` or otherwise), extract sensitive information from the database (such as user details [username, email, first and last name, hashed password, ip addresses, etc]), access files of servers managed by the panel, etc. ## Patches This vulnerability was patched by https://github.com/pterodactyl/panel/commit/24c82b0e335fb5d7a844226b08abf9f176e592f0 and was released under the [`v1.11.11`](https://github.com/pterodactyl/panel/releases/tag/v1.11.11) tag without any other code modifications compared to `v1.11.10`. For those who need to patch their installations in-place or apply it on top of other code modi...

Banana Squad hid data-stealing malware in fake GitHub repos posing as Python tools, tricking users and targeting sensitive info like browser and wallet data.

Cybercriminals are injecting fake support phone numbers onto official sites like Bank of America and Netflix. Learn how 'search parameter injection' scams work and protect yourself now.

Researchers have uncovered 30 exposed data sets containing over 16 billion login credentials which were likely harvested by infostealers.

# Summary Unauthorized users can perform Arbitrary File Read and Deserialization attack by submit job using restful api-v1. # Details Unauthorized users can access `/hazelcast/rest/maps/submit-job` to submit job. An attacker can set extra params in mysql url to perform Arbitrary File Read and Deserialization attack. This issue affects Apache SeaTunnel: <=2.3.10 # Fixed Users are recommended to upgrade to version 2.3.11, and enable restful api-v2 & open https two-way authentication , which fixes the issue.

Cybersecurity researchers have uncovered two local privilege escalation (LPE) flaws that could be exploited to gain root privileges on machines running major Linux distributions. The vulnerabilities, discovered by Qualys, are listed below - CVE-2025-6018 - LPE from unprivileged to allow_active in SUSE 15's Pluggable Authentication Modules (PAM) CVE-2025-6019 - LPE from allow_active to root in

In this edition, Thor shares how a week off with a new car turned into a crash course in modern vehicle tech. Surprisingly, it offers many parallels to cybersecurity usability.

### Critical Security Advisory for Taylored npm package v7.0.7 - tag 7.0.5 #### Summary A series of moderate to high-severity security vulnerabilities have been identified specifically in version **7.0.7 of \`taylored\`**. These vulnerabilities reside in the "Backend-in-a-Box" template distributed with this version. They could allow a malicious actor to read arbitrary files from the server, download paid patches without completing a valid purchase, and weaken the protection of encrypted patches. **All users who have installed or generated a \`taysell-server\` using version 7.0.7 of \`taylored\` are strongly advised to immediately upgrade to version 7.0.8 (or later) and follow the required mitigation steps outlined below.** Versions prior to 7.0.7 did not include the Taysell functionality and are therefore not affected by these specific issues. #### Vulnerabilities Patched in v7.0.8 Version 7.0.8 addresses the following issues found in the v7.0.7 template: 1. **Path Traversal in ...

A CVSS 8.8 AgentSmith flaw in LangSmith's Prompt Hub exposed AI agents to data theft and LLM manipulation. Learn how malicious AI agents could steal API keys and hijack LLM responses. Fix deployed.