Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Aussie Fintech Vroom Exposes Thousands of Records After AWS Misconfiguration

Cybersecurity researcher Jeremiah Fowler discovered a data exposure at Australian fintech Vroom by YouX, exposing 27,000 records, including driver's licenses, bank statements, and more.

HackRead
Open in Source
#vulnerability#web#amazon#backdoor#perl#aws#auth#mongo
150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms

An ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date. "The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor's browser," c/side security analyst Himanshu

Internet Archive (Archive.org) Goes Down Following “Power Outage”

The Internet Archive (Archive.org), home to the Wayback Machine, is temporarily offline due to a reported power outage.…

Security expert Troy Hunt hit by phishing attack

Tory Hunt, security expert and Have I Been Pwned owner, disclosed a phishing attack against him in a commendable display of transparency.

GHSA-9cc5-2pq7-hfj8: xmas-elf potential out-of-bounds read with a malformed ELF file and the HashTable API.

Affected versions of this crate only validated the `index` argument of `HashTable::get_bucket` and `HashTable::get_chain` against the input-controlled `bucket_count` and `chain_count` fields, but not against the size of the ELF section. As a result, a malformed ELF file could trigger out-of-bounds reads in a consumer of the HashTable API by setting these fields to inappropriately large values that would fall outside the relevant hash table section, and by introducing correspondingly out-of-bounds hash table indexes elsewhere in the ELF file.

GHSA-fm3h-p9wm-h74h: Directus's webhook trigger flows can leak sensitive data

### Describe the Bug In Directus, when a **Flow** with the "_Webhook_" trigger and the "_Data of Last Operation_" response body encounters a ValidationError thrown by a failed condition operation, the API response includes sensitive data. This includes environmental variables, sensitive API keys, user accountability information, and operational data. This issue poses a significant security risk, as any unintended exposure of this data could lead to potential misuse. ![Image](https://github.com/user-attachments/assets/fb894347-cd10-4e79-9469-8fc1b2289794) ![Image](https://github.com/user-attachments/assets/a20337a2-005f-4cfd-ba30-fc5f579ed6c4) ![Image](https://github.com/user-attachments/assets/9b776248-4a20-46f0-92a4-3760d8e53df9) ### To Reproduce **Steps to Reproduce:** 1. Create a Flow in Directus with: - Trigger: Webhook - Response Body: Data of Last Operation 2. Add a condition that is likely to fail. 3. Trigger the Flow with any input data that will fail the condition...

Penetration Testing Services: Strengthening Cybersecurity Against Evolving Threats

Cybersecurity threats are evolving at an unprecedented pace, leaving organizations vulnerable to large-scale attacks. Security breaches and data…

SignalGate Isn’t About Signal

The Trump cabinet’s shocking leak of its plans to bomb Yemen raises myriad confidentiality and legal issues. The security of the encrypted messaging app Signal is not one of them.

GHSA-6phg-4wmq-h5h3: Frappe has possibility of SQL injection due to improper validations

### Impact SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information. ### Workarounds Upgrading is required, no other workaround is present.

Next.js Middleware Flaw Lets Attackers Bypass Authorization

Researchers have uncovered a critical vulnerability (CVE-2025-29927) in Next.js middleware, allowing authorization bypass. Learn about the exploit and fixes.