
8655 matches found

Drupal
added 2025/01/22 12:00 a.m., 15 views

Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007

This module enables you to render error pages using the Ignition package. The module disables certain Drupal core code and does not perform sufficient filtering, allowing HTML to be injected in certain situations, leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated...

CVSS 6.1, AI score 6.2, EPSS 0.00551
Exploits 0, References 8

AlmaLinux
added 2025/01/22 12:00 a.m., 32 views

Moderate: java-21-openjdk security update for AlmaLinux 8.10, 9.4 and 9.5

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the OpenJDK 21 Java Software Development Kit. Security Fixes: JDK: Enhance array handling (CVE-2025-21502). For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related...

CVSS 4.8, AI score 5.1, EPSS 0.002
Exploits 0, References 3

Github Security Blog
added 2025/01/21 7:52 p.m., 25 views

Websites were able to send any requests to the development server and read the response in vite

Summary: Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. WARNING: This vulnerability even applies to users that only run the Vite dev server on the loc...

CVSS 6.5, AI score 6.4, EPSS 0.00092
Exploits 1, References 3, Affected Software 1

OSSF Malicious Packages
added 2025/01/21 5:53 p.m., 3 views

Malicious code in cscchokidar-next (npm)

This package has destructive functionality to delete development-related directories. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5ed003ec0e4484b9001cedb74c37ef8fbac98945977b5b3a217052346a2f55c1 Any computer that has this package installed or running should be...

AI score 6.8
Exploits 0, References 1

OSV
added 2025/01/21 5:53 p.m., 5 views

MAL-2025-610 Malicious code in cscchokidar-next (npm)

This package has destructive functionality to delete development-related directories. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5ed003ec0e4484b9001cedb74c37ef8fbac98945977b5b3a217052346a2f55c1 Any computer that has this package installed or running should be...

AI score 7
Exploits 0, References 1

OSSF Malicious Packages
added 2025/01/21 5:53 p.m., 4 views

Malicious code in cschalk-next (npm)

This package exfiltrates API keys to an attacker-controlled server. It also has destructive functionality to delete development-related directories. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 91aaf0d72370eff4321359a559af7a578a16bb5aeefeedd6ec52ae25b8297a21 Any...

AI score 6.9
Exploits 0, References 1

OSSF Malicious Packages
added 2025/01/21 5:53 p.m., 4 views

Malicious code in achalk-next (npm)

This package exfiltrates API keys to an attacker-controlled server. It also has destructive functionality to delete development-related directories. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b543eb1092108748ab3abd00741f5f1d0b181f326ba147792f883aed8d837697 Any...

AI score 6.9
Exploits 0, References 1

OSSF Malicious Packages
added 2025/01/21 5:53 p.m., 3 views

Malicious code in csbchalk-next (npm)

This package exfiltrates API keys to an attacker-controlled server. It also has destructive functionality to delete development-related directories. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 78554f43864fdbcb9a2eb97137b68f629a45a1ea6a1af377fd194376be14c911 Any...

AI score 6.9
Exploits 0, References 1

OSSF Malicious Packages
added 2025/01/21 5:53 p.m., 3 views

Malicious code in cschalk (npm)

This package exfiltrates API keys to an attacker-controlled server. It also has destructive functionality to delete development-related directories. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6bc84195226616b9037825439862309922afde77ccd32cc2c6158025030d27b2 Any...

AI score 6.9
Exploits 0, References 1

Wallarm Lab
added 2025/01/21 9:28 a.m., 15 views

API Security’s Role in Responsible AI Deployment

By now, you will almost certainly be aware of the transformative impact artificial intelligence (AI) technologies are having on the world. What you may not be aware of, however, is the role Application Programming Interfaces (APIs) are playing in the AI revolution. The bottom line is that APIs are...

AI score 7.5
Exploits 0

OSV
added 2025/01/20 3:53 p.m., 2 views

CVE-2025-24010 Vite allows any websites to send any requests to the development server and read the response

Vite is a frontend tooling framework for JavaScript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and...

CVSS 6.5, AI score 6.2, EPSS 0.00092
Exploits 1, References 3

Cvelist
added 2025/01/20 3:53 p.m., 25 views

CVE-2025-24010 Vite allows any websites to send any requests to the development server and read the response

Vite is a frontend tooling framework for JavaScript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and...

CVSS 6.5, EPSS 0.00092
Exploits 1, References 1

Schneier on Security
added 2025/01/20 12:06 p.m., 6 views

Biden Signs New Cybersecurity Order

President Biden has signed a new cybersecurity order. It has a bunch of provisions, most notably using the US government's procurement power to improve cybersecurity practices industry-wide. Some details: The core of the executive order is an array of mandates for protecting government networks...

AI score 7.3
Exploits 0

CNNVD
added 2025/01/20 12:00 a.m., 3 views

Vite security vulnerability

Vite is a new front-end builder tool open-sourced by Vite. A security vulnerability exists in Vite that stems from default CORS settings and a lack of validation of the Origin header of a WebSocket connection, which allows any website to send any request to the development server and read the...

CVSS 6.5, AI score 7.6, EPSS 0.00092
Exploits 1, References 3

BDU FSTEC
added 2025/01/20 12:00 a.m., 1 view

The vulnerability of the Microsoft .NET software platform and the Microsoft Visual Studio development tools is related to buffer overflows in dynamic memory, allowing an attacker to execute arbitrary code.

The vulnerability of the Microsoft .NET software platform and the Microsoft Visual Studio development environment is related to buffer overflows in dynamic memory. Exploiting this vulnerability can allow a remote attacker to execute arbitrary code...

CVSS 7.6, AI score 8, EPSS 0.0082
Exploits 0, References 2, Affected Software 2

Github Security Blog
added 2025/01/17 9:22 p.m., 19 views

AWS Cloud Development Kit (AWS CDK) IAM OIDC custom resource allows connection to unauthorized OIDC provider

Impact: Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow, https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.tsL34...

CVSS 8.1, AI score 7, EPSS 0.00092
Exploits 0, References 9, Affected Software 1

Cvelist
added 2025/01/17 8:34 p.m., 10 views

CVE-2025-23206 IAM OIDC custom resource allows connection to unauthorized OIDC provider in aws-cdk

The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow...

CVSS 1.8, EPSS 0.00092
Exploits 0, References 7

OSV
added 2025/01/17 8:34 p.m., 3 views

CVE-2025-23206 IAM OIDC custom resource allows connection to unauthorized OIDC provider in aws-cdk

The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow...

CVSS 1.8, AI score 6.7, EPSS 0.00092
Exploits 0, References 9

CVE
added 2025/01/17 8:34 p.m., 63 views

CVE-2025-23206

The CVE-2025-23206 issue affects AWS CDK (IAM OIDC custom resource workflow). The tls.connect call sets rejectUnauthorized: false, enabling potential MITM risk when downloading CA thumbprints. A patch is in progress; remediation guidance in the connected docs recommends upgrading to CDK v2.177.0 ...

CVSS 8.1, AI score 7, EPSS 0.00092
Exploits 0, References 7, Affected Software 1

CNVD
added 2025/01/17 12:00 a.m., 12 views

Microsoft Visual Studio Elevation of Privilege Vulnerability

Microsoft Visual Studio is a family of development tool suites from Microsoft, and a largely complete set of development tools that includes most of the tools needed throughout the software lifecycle. A security vulnerability exists in Microsoft Visual Studio. An attacker can exploit the...

CVSS 7.3, AI score 7, EPSS 0.00431
Exploits 0, References 1