Tag
#mac
Records of hundreds of emergency calls from ICE detention centers obtained by WIRED—including audio recordings—show a system inundated by life-threatening incidents, delayed treatment, and overcrowding.
As the definition of machine identities broadens, AI agents working on behalf of users and gaining access to various services blurs the lines of non-human identities even more.
### Summary

A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF).

### Details

In `\allure2-main\plugins\xunit-xml-plugin\src\main\java\io\qameta\allure\xunitxml\XunitXmlPlugin.java` the application uses `DocumentBuilderFactory` without disabling DTDs or external entities. By generating a report with a malicious XML file within it, an attacker can perform XXE to leverage SSRF, or to read system files.

### PoC

To recreate this vulnerability, you need to install allure for command-line (in my PoC I used a Windows 11 machine).

1. Create a folder called `allure`, and within it, create a malicious XML file. I will attach my SSRF and file reading payloads, however...
Cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs.
"Hello pervert" sextortion emails are going through some changes and the price they're demanding has gone up considerably.
As attackers continue to evolve, Microsoft is committed to staying ahead by not only responding to vulnerabilities, but also by anticipating and mitigating entire classes of threats. One such threat, filesystem redirection attacks, has been a persistent vector for privilege escalation. In response, we’ve developed and deployed a new mitigation in Windows 11 called RedirectionGuard.
Kaspersky uncovers SparkKitty, new spyware in Apple App Store & Google Play. Steals photos, targets crypto info, active since early 2024 via malicious apps.
1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Modicon Controllers
Vulnerabilities: Improper Input Validation, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the device or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

- Modicon Controllers M241: Versions prior to 5.3.12.51
- Modicon Controllers M251: Versions prior to 5.3.12.51
- Modicon Controllers M262: Versions prior to 5.3.9.18 (CVE-2025-3898, CVE-2025-3117)
- Modicon Controllers M258: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117)
- Modicon Controllers LMC058: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117)

3.2 VULNERABILITY OVERVIEW

3.2.1 ...
1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: CNCSoft
Vulnerabilities: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code within the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Delta Electronics reports the following versions of CNCSoft, a human-machine interface, are affected:

- CNCSoft: v1.01.34 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

Delta Electronics CNCSoft does not properly validate user-supplied files. If a user opens a maliciously crafted file, an attacker can leverage this vulnerability to execute code within the context of the current process.

CVE-2025-47724 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2025-4...
Malware hidden in fake Minecraft Mods on GitHub is stealing passwords and crypto from players. Over 1,500 devices may be affected, researchers warn.