105 matches found
CVE-2025-59331 [email protected] contains malware after npm account takeover
is-arrayish checks if an object can be used like an Array. On 8 September 2025, an npm publishing account for is-arrayish was taken over after a phishing attack. Version 0.3.3 was published, functionally identical to the previous patch version, but with a malware payload added attempting to...
CVE-2025-40725
Reflected Cross-Site Scripting XSS vulnerability in Azon Dominator. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the “q” parameter in /search via GET. This vulnerability can be exploited to steal sensitive user data...
CVE-2025-54800
Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-par...
CVE-2025-45315
A cross-site scripting XSS vulnerability in the /controller/admin.php endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the email parameter...
PT-2025-32422 · Workos · Authkit
Name of the Vulnerable Software and Affected Versions: @workos-inc/authkit-remix versions 0.14.1 and below Description: The AuthKit library for Remix exposed sensitive authentication artifacts – specifically sealedSession and accessToken – by returning them from the authkitLoader, causing them to...
Client-Side Zero-Shot LLM Inference for Comprehensive In-Browser URL Analysis
Malicious websites and phishing URLs pose an ever-increasing cybersecurity risk, with phishing attacks growing by 40% in a single year. Traditional detection approaches rely on machine learning classifiers or rule-based scanners operating in the cloud, but these face significant challenges in...
CVE-2023-22654
Client-side enforcement of server-side security issue exists in T Corporation and ESPEC MIC CORP. data logger products, which may lead to an arbitrary script execution on a logged-in user's web browser. Affected products and versions are as follows: T Corporation data logger products TR-71W/72W a...
Dynamic Graph-Based Fingerprinting of In-Browser Cryptomining
The decentralized and unregulated nature of cryptocurrencies, combined with their monetary value, has made them a vehicle for various illicit activities. One such activity is cryptojacking, an attack that uses stolen computing resources to mine cryptocurrencies without consent for profit...
CVE-2024-26313
Archer Platform 6.x before 6.14 P2 HF2 6.14.0.2.2 contains a stored cross-site scripting XSS vulnerability. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code in a trusted application data store. When victim users access the data...
JQuery Cross-Site Scripting (XSS) Vulnerability
JQuery contains a persistent cross-site scripting XSS vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, JQuery's DOM manipulators can execute untrusted code in the context of the user's browser...
GHSA-CC65-XXVF-F7R9 Scrapy vulnerable to ReDoS via XMLFeedSpider
Impact The following parts of the Scrapy API were found to be vulnerable to a ReDoS attack: - The XMLFeedSpider class or any subclass that uses the default node iterator: iternodes, as well as direct uses of the scrapy.utils.iterators.xmliter function. - Scrapy 2.6.0 to 2.11.0: The openinbrowser...
Alfasado PowerCMS Security Vulnerability
Alfasado PowerCMS is a content management system CMS from Alfasado Japan. A security vulnerability exists in Alfasado PowerCMS, which originates from a stored cross-site scripting XSS vulnerability. The vulnerability can be exploited by an attacker to execute arbitrary script in a logged-in user'...
CVE-2023-6217
In Progress MOVEit Transfer versions released before 2022.0.9 14.0.9, 2022.1.10 14.1.10, 2023.0.7 15.0.7, a reflected cross-site scripting XSS vulnerability has been identified when MOVEit Gateway is used in conjunction with MOVEit Transfer. An attacker could craft a malicious payload targeting...
A.K.I Software PMailServer Security Vulnerability
A.K.I Software PMailServer is an email server from A.K.I Software, Japan. A security vulnerability exists in A.K.I Software PMailServer and PMailServer2, which stems from a stored cross-site scripting vulnerability that can be exploited by an attacker to execute arbitrary script on a logged-in...
Don't Click That ZIP File! Phishers Weaponizing .ZIP Domains to Trick Victims
A new phishing technique called "file archiver in the browser" can be leveraged to "emulate" a file archiver software in a web browser when a victim visits a .ZIP domain. "With this phishing attack, you simulate a file archiver software e.g., WinRAR in the browser and use a .zip domain to make it...
CVE-2023-22654
Client-side enforcement of server-side security issue exists in T&D Corporation and ESPEC MIC CORP. data logger products, which may lead to an arbitrary script execution on a logged-in user's web browser. Affected products and versions are as follows: T&D Corporation data logger products TR-71W/7...
Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN
Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019. "The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter...
[The Lost Bots] S02E03: Browser-in-Browser Attacks — Don't Get (Cat)-Phished
!\The Lost Bots\ S02E03: Browser-in-Browser Attacks — Don't Get \Cat-Phishedhttps://blog.rapid7.com/content/images/2022/08/The-Lost-Bots-logo-large.png Welcome back to The Lost Bots! In our latest episode, we're talking about phishing attacks — but not your standard run-of-the-mill version...
PT-2022-14566 · Google · Android
Name of the Vulnerable Software and Affected Versions: Android versions Android-13 Description: The issue concerns a missing permission check in the SELinux policy, which could allow local information disclosure about the websites being opened in the browser. This can be exploited without...
CVE-2021-34083
Google-it is a Node.js package which allows its users to send search queries to Google and receive the results in a JSON format. When using the 'Open in browser' option in versions up to 1.6.2, google-it will unsafely concat the result's link retrieved from google to a shell command, potentially...