Internet-Scale Measurement of React2Shell Exploitation Using an Active Network Telescope
The increasing adoption of server-side component-based web frameworks has introduced new application-layer attack surfaces that remain insufficiently understood at Internet scale. On 3 December 2025, a critical remote code execution vulnerability CVE-2025-55182 in React Server Components, referre...
On the Possible Detectability of Image-In-Image Steganography
This paper investigates the detectability of popular image-in-image steganography schemes [1, 2, 3, 4, 5]. In this paradigm, the payload is usually an image of the same size as the cover image, leading to very high embedding rates. We first show that the embedding yields a mixing process that is...
SUSE CVE-2025-11143
The Jetty URI parser has some key differences from other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems composed of multiple components may result in a security bypass. For example, a component that enforces a blocklist may interpret the URIs differently fr...
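The bypass class the advisory describes (a policy component that looks at the raw request target while the routing component behind it decodes and normalises the path) is easy to reproduce in miniature. The following is an added illustrative example, not Jetty's code or a reproduction of CVE-2025-11143: the two parsers, the `legacy_blocklist`/`canonical_path`/`hardened_check` helpers, the blocked prefixes and the sample request targets are all constructed here.

```python
"""Differential URI parsing between a front-end blocklist and a back-end router.

Added illustrative example (not Jetty's code). Assumptions: the front
component checks the literal path bytes; the back component percent-decodes
and removes dot segments (RFC 3986 section 5.2.4) before routing.
"""
import posixpath
from urllib.parse import unquote

# Constructed policy: paths under these prefixes must never be reachable.
BLOCKED_PREFIXES = ("/admin", "/internal")


def raw_path(request_target: str) -> str:
    """Split the request target at '?' / '#' without decoding anything."""
    return request_target.split("?", 1)[0].split("#", 1)[0]


def legacy_blocklist(request_target: str) -> bool:
    """Front component: rejects only if the *literal* path starts with a blocked prefix.

    This is the flawed pattern: it sees '/%61dmin' or '/./admin', not '/admin'.
    """
    path = raw_path(request_target)
    return any(path.startswith(prefix) for prefix in BLOCKED_PREFIXES)


def canonical_path(request_target: str) -> str:
    """Back component: the path a typical container routes on after decoding
    and normalising. Percent-decodes, collapses '.', '..' and repeated slashes,
    and forces a single leading slash (posixpath keeps '//' otherwise)."""
    decoded = unquote(raw_path(request_target))
    normalised = posixpath.normpath(decoded)
    return "/" + normalised.lstrip("/")


def hardened_check(request_target: str) -> bool:
    """Fix: evaluate the policy on the same canonical form the router uses."""
    canonical = canonical_path(request_target)
    return any(canonical.startswith(prefix) for prefix in BLOCKED_PREFIXES)


def find_bypasses(request_targets):
    """Targets the legacy filter lets through even though they route to a blocked path."""
    return [t for t in request_targets
            if not legacy_blocklist(t) and hardened_check(t)]


# Constructed sample request targets covering the usual encoding tricks.
SAMPLE_TARGETS = [
    "/admin/users",            # blocked by both components
    "/public/index.html",      # allowed by both components
    "/%61dmin/users",          # percent-encoded 'a'
    "/./admin/users",          # dot segment
    "/public/../admin/users",  # parent-directory traversal
    "//admin/users",           # doubled leading slash
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(f"{target:26} legacy_blocked={legacy_blocklist(target)!s:5} "
              f"routes_to={canonical_path(target)}")
    print("bypasses:", find_bypasses(SAMPLE_TARGETS))
```

Canonicalising before the check closes the four bypasses in the sample set, but it is still a blocklist evaluated by a second parser: `unquote` turns `%2F` into `/`, which some containers deliberately refuse to do, so any remaining parser difference reopens the gap. The robust design is a single parser, with authorisation enforced on the fully canonical path (or an allowlist of permitted routes) by the component that actually dispatches the request.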
CVE-2026-26127
A flaw was found in .NET. An unauthorized attacker can exploit an out-of-bounds read vulnerability over a network, leading to a Denial of Service (DoS). This can prevent legitimate users from accessing the affected service. Mitigation: To mitigate this issue, restrict network access to applications...
Server-side Request Forgery (SSRF)
Overview: flowise-components is a Flowiseai components package. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HTTP Node as it is used in AgentFlow and Chatflow. An attacker can access internal network resources, retrieve sensitive information, or modify and...
Cross-site Scripting (XSS)
Overview: sylius/sylius is an eCommerce platform for PHP, based on the Symfony framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the rendering of entity names within various frontend and admin panel components, such as breadcrumbs, taxon pickers, and autocomplete fields,...
Sylius affected by IDOR in Cart and Checkout LiveComponents
Impact: An authenticated Insecure Direct Object Reference (IDOR) vulnerability exists in multiple shop LiveComponents due to unvalidated resource IDs accepted via LiveArg parameters. Unlike props, which are protected by LiveComponent's @checksum, args are fully user-controlled: any action that...
EUVD-2026-10913
Sylius affected by IDOR in Cart and Checkout LiveComponents...
CVE-2026-31833 Umbraco has Stored XSS in UFM Rendering Pipeline via Permissive DOMPurify Attribute Filtering
Umbraco is an ASP.NET CMS. From 16.2.0 to before 16.5.1, and in 17.2.2, an authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. Due to an overly permissive attributeNameCheck configuration (/.+/) in the UFM DOMPurify instance, event handler...
CVE-2026-31820
Sylius (Open Source eCommerce on Symfony) contains an authenticated insecure direct object reference (IDOR) in multiple LiveComponents. The vulnerability stems from unvalidated resource IDs accepted via #[LiveArg] parameters, where loading with ->find() occurs without ownership checks. Affecte...
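The two Sylius entries above describe the same defect pattern: an id that arrives in a client-controlled argument is passed straight to `->find()` and the loaded record is acted on without checking that it belongs to the current customer. The following is an added illustrative example, not Sylius's code and not a reproduction of the affected components: the `Cart` dataclass, the in-memory repository with its `find`/`find_owned` lookups, the `remove_item_*` actions and the sample data are all constructed here, and the fix shown (scoping the lookup by owner) is the generic remedy rather than a quotation of the project's patch.

```python
"""Authenticated IDOR in an action that trusts a client-supplied record id.

Added illustrative example (not Sylius's code). Assumptions: a request
carries cart_id and item_id chosen by the client; the server knows the
authenticated customer separately from the request arguments.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Cart:
    id: int
    customer_id: int
    items: Dict[int, int] = field(default_factory=dict)  # item_id -> quantity


def make_carts() -> Dict[int, Cart]:
    """Constructed sample data: customer 1 owns cart 101, customer 2 owns cart 202."""
    return {
        101: Cart(101, customer_id=1, items={7: 2}),
        202: Cart(202, customer_id=2, items={9: 1}),
    }


def find(carts: Dict[int, Cart], cart_id: int) -> Optional[Cart]:
    """Bare primary-key lookup, the equivalent of a repository find($id)."""
    return carts.get(cart_id)


def find_owned(carts: Dict[int, Cart], cart_id: int, customer_id: int) -> Optional[Cart]:
    """Owner-scoped lookup: the id alone never reaches another customer's record."""
    cart = carts.get(cart_id)
    if cart is None or cart.customer_id != customer_id:
        return None
    return cart


class Forbidden(Exception):
    """Raised when the caller may not touch the requested record."""


def remove_item_vulnerable(carts, current_customer_id: int, cart_id: int, item_id: int) -> bool:
    """The flawed pattern: ids from the request are trusted and the
    authenticated customer is never consulted."""
    cart = find(carts, cart_id)
    if cart is None:
        return False
    return cart.items.pop(item_id, None) is not None


def remove_item_hardened(carts, current_customer_id: int, cart_id: int, item_id: int) -> bool:
    """Fix: resolve the cart through the caller's identity, then verify the
    item really belongs to that cart before mutating anything."""
    cart = find_owned(carts, cart_id, current_customer_id)
    if cart is None or item_id not in cart.items:
        # In an HTTP handler this would typically be a 404, so the response
        # does not confirm that the guessed id exists.
        raise Forbidden("cart or item not accessible to this customer")
    del cart.items[item_id]
    return True


def denied(action, *args) -> bool:
    """True if the action refuses the request, False if it goes through."""
    try:
        action(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Customer 1 guesses cart 202, which belongs to customer 2.
    carts = make_carts()
    print("vulnerable:", remove_item_vulnerable(carts, 1, 202, 9), carts[202].items)
    carts = make_carts()
    print("hardened denied:", denied(remove_item_hardened, carts, 1, 202, 9), carts[202].items)
    print("owner succeeds:", remove_item_hardened(carts, 2, 202, 9), carts[202].items)
```

The check belongs in the data access path, not only in the action: a `find_owned`-style query (in ORM terms, a lookup keyed on both the id and the owner) means every component that loads a cart inherits the restriction, whereas a per-action `if` is easy to forget in the next LiveComponent that accepts an id argument.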
Security Bulletin: IBM Maximo Application Suite uses os/exec 1.24.3; 1.24.4, ansible-9.4.0, github.com/eclipse/paho.mqtt.golang v1.3.5 and archive/tar 1.24.2; 1.24.4 which is vulnerable to CVE-2025-47906,CVE-2025-14010,CVE-2025-10543 and CVE-2025-58183
Summary IBM Maximo Application Suite uses os/exec 1.24.3; 1.24.4, ansible-9.4.0, github.com/eclipse/paho.mqtt.golang v1.3.5 and archive/tar 1.24.2; 1.24.4 which is vulnerable to CVE-2025-47906,CVE-2025-14010,CVE-2025-10543 and CVE-2025-58183. This bulletin contains information regarding the...
PT-2026-24474
Name of the Vulnerable Software and Affected Versions: Sylius versions prior to 2.0.16; Sylius versions prior to 2.1.12; Sylius versions prior to 2.2.3. Description: Sylius, an Open Source eCommerce Framework on Symfony, contains an authenticated Insecure Direct Object Reference (IDOR) issue in several...
PT-2026-24486
Name of the Vulnerable Software and Affected Versions: Umbraco versions 16.2.0 through 16.5.0; Umbraco version 17.2.2. Description: Umbraco is an ASP.NET CMS. An authenticated backoffice user with access to Settings can inject malicious HTML into property type descriptions. The issue stems from an...
Important: Red Hat Security Advisory: thunderbird security update
An update for thunderbird is now available for Red Hat Enterprise Linux 9.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available...
firefox: thunderbird: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component
A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component...
@aiswarm/api-graphql (>=0.1.0 <=0.1.9), @aiswarm/conductor (>=0.1.1 <=0.1.9) +55 more potentially affected by CVE-2026-30241 via mercurius (>=10.5.1 <=16.1.0)
mercurius NPM version =10.5.1, =0.1.0, =0.1.1, =0.1.1, =0.1.2, =0.3.0, =0.3.0, =1.0.0, =1.0.16, =0.0.3, =0.1.0, =0.1.0, =2.37.0, =2.64.0 and more Source cves: CVE-2026-30241 Source advisory: OSV:GHSA-M4H2-MJFM-MP55...
Malicious Package
Overview galaktika-components is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview ui-common-components-angular is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious Package
Overview ui-forms-embed-components-reporting is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...