CVE-2026-1008

A stored cross-site scripting XSS vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected...

CVE-2025-68671 lakeFS is Missing Timestamp Validation in S3 Gateway Authentication

lakeFS is an open-source tool that transforms object storage into a Git-like repositories. LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. Prior to 1.75.0, an attacker who captures a valid signed request e.g., through network interception, logs...

CVE-2025-68671

lakeFS - S3 gateway vulnerability: missing timestamp validation in authenticated requests allows replay attacks. Attackers can reuse valid signed requests until credentials rotate; impact is limited to replay of previously captured requests. Affected: lakeFS S3 gateway; root cause is lack of time...

CVE-2026-1008 Stored Cross-Site Scripting in Altium Live User Profile Fields

A stored cross-site scripting XSS vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected...

CVE-2026-1008

A stored cross-site scripting XSS vulnerability exists in the user profile text fields of Altium 365. Insufficient server-side input sanitization allows authenticated users to inject arbitrary HTML and JavaScript payloads using whitespace-based attribute parsing bypass techniques. The injected...

lakeFS is Missing Timestamp Validation in S3 Gateway Authentication

Impact LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. An attacker who captures a valid signed request e.g., through network interception, logs, or compromised systems can replay that request until credentials are rotated, even after the reques...

GHSA-F2PH-GC9M-Q55F lakeFS is Missing Timestamp Validation in S3 Gateway Authentication

Impact LakeFS's S3 gateway does not validate timestamps in authenticated requests, allowing replay attacks. An attacker who captures a valid signed request e.g., through network interception, logs, or compromised systems can replay that request until credentials are rotated, even after the reques...

AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks

A critical misconfiguration in Amazon Web Services AWS CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS JavaScript SDK, putting every AWS environment at risk. The vulnerability has been codenamed CodeBreach by cloud security...

Predicting 2026

Welcome to this week's edition of the Threat Source newsletter. It's become traditional at this time of year to make predictions about cybersecurity for the coming year. Obviously, no one has a crystal ball to predict the future, and if they did, they would be quietly making a fortune rather than...

New CastleLoader Variant Linked to 469 Infections Across Critical Sectors

ANY.RUN report reveals how the new CastleLoader malware targets US government agencies using stealthy ClickFix tricks and memory-based attacks to bypass security...

7 Reasons to Get Certified in API Security

API security is becoming more important by the day and skilled practitioners are in high demand. Now’s the time to level up your API security skillset. Wallarm University, our free training course, provides security analysts, engineers, and practitioners with hands-on skills you can’t get from...

lakeFS security vulnerability

LakeFS is an open-source tool developed by Treeverse. It allows you to convert your object storage into a repository similar to Git. Versions of LakeFS prior to 1.75.0 contained security vulnerabilities. These vulnerabilities stemmed from the S3 gateway not verifying the timestamps in authenticat...

PT-2026-3001

Name of the Vulnerable Software and Affected Versions The product name cannot be determined. affected versions not specified Description The device's passwords have not been adequately salted, making them vulnerable to password extraction attacks. Recommendations At the moment, there is no...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-002590)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002590 advisory. Wi-Fi Protected Access WPA and WPA2 allows reinstallation of the Group Temporal Key GTK during the group key handshake, allowing an attacker within radio range to...

Advanced Encryption Technique for Multimedia Data Using Sudoku-Based Algorithms for Enhanced Security

Encryption and Decryption is the process of sending a message in a ciphered way that appears meaningless and could be deciphered using a key for security purposes to avoid data breaches. This paper expands on the previous work on Sudoku-based encryption methods, applying it to other forms of medi...

PT-2026-2827

Name of the Vulnerable Software and Affected Versions WordPress List Site Contributors plugin versions up to and including 1.1.8 Description The List Site Contributors plugin for WordPress is susceptible to Reflected Cross-Site Scripting. This is due to inadequate input sanitization and output...

MiracleLinux 3 : ruby-1.8.5-19.1.0.1.AXS3 (AXSA:2011-226:01)

The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2011-226:01 advisory. Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do syste...

A Novel Contrastive Loss for Zero-Day Network Intrusion Detection

Machine learning has achieved state-of-the-art results in network intrusion detection; however, its performance significantly degrades when confronted by a new attack class -- a zero-day attack. In simple terms, classical machine learning-based approaches are adept at identifying attack classes o...

CVE-2025-69271

Insufficiently Protected Credentials vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 24.3.13 and earlier...

CVE-2025-69272

Cleartext Transmission of Sensitive Information vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Sniffing Attacks.This issue affects DX NetOps Spectrum: 21.2.1 and earlier...