3672 matches found
CVE-2026-23327
creationtimestamp| type| source ---|---|--- 2026-04-23 23:26:39+00:00| seen| Telegram/FBfF7HTWtEvNL6KEiWN9WeIckJJ5ZXo9Sxte1kUZosh1zOQ 2026-07-09 01:15:54+00:00| seen| https://www.hkcert.org/security-bulletin/suse-linux-kernel-multiple-vulnerabilities20260702...
CVE-2026-40907
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint plugin/Live/view/Liverestreams/list.json.php contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...
EUVD-2026-24284
WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint plugin/Live/view/Liverestreams/list.json.php contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...
Meta Is Sued Over Scam Ads on Facebook and Instagram
A lawsuit from the Consumer Federation of America accuses Meta of misleading consumers about its efforts to combat scams advertisements on its platforms...
GHSA-GPGP-W4X2-H3H7 WWBN AVideo has an IDOR in Live Restreams list.json.php Exposes Other Users' Stream Keys and OAuth Tokens
Summary The endpoint plugin/Live/view/Liverestreams/list.json.php contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream configurations, including third-party platform stream keys and OAut...
North Korea's APT37 Uses Facebook Social Engineering to Deliver RokRAT Malware
The North Korean hacking group tracked as APT37 aka ScarCruft has been attributed to a fresh multi-stage, social engineering campaign in which threat actors approached targets on Facebook and added them as friends on the social media platform, turning the trust-building exercise into a delivery...
A week in security (April 6 – April 12)
Last week on Malwarebytes Labs: Fake Claude site installs malware that gives attackers access to your computer ClickFix finds a new way to infect Macs Scammers pose as Amazon support to steal your account NSFW app leak exposes 70,000 prompts linked to individual users 30,000 private Facebook imag...
GHSA-HP4W-JMWC-PG7W
creationtimestamp| type| source ---|---|--- 2026-04-10 21:24:11+00:00| seen| Telegram/FBFE1jRDxJPr8K8KBUfFYtlwI9wezi1OF7LpQ32tR7vo...
GHSA-3RV7-9FHX-J654
creationtimestamp| type| source ---|---|--- 2026-04-10 21:24:11+00:00| seen| Telegram/FBFE1jRDxJPr8K8KBUfFYtlwI9wezi1OF7LpQ32tR7vo...
GHSA-27X6-C5C7-GPF5
creationtimestamp| type| source ---|---|--- 2026-04-10 21:24:11+00:00| seen| Telegram/FBFE1jRDxJPr8K8KBUfFYtlwI9wezi1OF7LpQ32tR7vo...
GHSA-557G-2W66-GPMF
creationtimestamp| type| source ---|---|--- 2026-04-10 21:24:11+00:00| seen| Telegram/FBFE1jRDxJPr8K8KBUfFYtlwI9wezi1OF7LpQ32tR7vo...
CVE-2026-35534
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote character...
30,000 private Facebook images allegedly downloaded by Meta employee
Every tech company tells you your data is safe. They've hopefully got encryption, access controls, and zero-trust architectures—the whole glossy security brochure. And then someone on the inside writes a script to steal your private photos anyway. That's what a former Meta employee based in Londo...
CVE-2026-34721
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4...
CVE-2026-34721
Zammad (web-based helpdesk) has a CSRF vulnerability in the OAuth callback endpoints for external credentials (Microsoft, Google, Facebook). Prior to versions 7.0.1 and 6.5.4, these endpoints do not validate the CSRF state parameter, enabling potential CSRF-like behavior in the OAuth flow. The is...
CVE-2026-34721 Zammad has Cross-site request forgery (CSRF) in OAuth callback endpoints
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4...
CVE-2026-34721 Zammad has Cross-site request forgery (CSRF) in OAuth callback endpoints
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4...
PT-2026-31418
Name of the Vulnerable Software and Affected Versions Zammad versions prior to 7.0.1 and prior to 6.5.4 Description The OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This could allow an attacker to potentially compromise...
CVE-2026-35534
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote character...
CVE-2026-35534 ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote character...