40 matches found
OmniFaces: EL injection via crafted resource name in wildcard CDN mapping
Impact: Server-side EL injection leading to Remote Code Execution (RCE). Affects applications that use CDNResourceHandler with a wildcard CDN mapping, e.g. libraryName:=https://cdn.example.com/. An attacker can craft a resource request URL containing an EL expression in the resource name, which is...
Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository
Impact: The translation memory API exposed unintended endpoints, which in turn didn't do proper access control. Patches: https://github.com/WeblateOrg/weblate/pull/18516 Workarounds: The CDN add-on is not enabled by default. References: Thanks to @spbavarva for reporting this responsibly via GitHub...
CVE-2026-33220
Summary: CVE-2026-33220 affects Weblate; prior to version 5.17 the translation memory API exposed unintended endpoints, which did not enforce proper access control. Affected software: Weblate (web-based localization tool); vulnerable when using the translation memory API with the CDN add-on enabl...
Media Player MP-01 vulnerable to Missing Authentication for Critical Function
Overview: NEC-branded Media Player MP-01, manufactured by Sharp Display Solutions, Ltd., contains the following vulnerability: Missing Authentication for Critical Function (CWE-306) - CVE-2025-12049. Souvik Kandar of MicroSec (microsec.io) discovered and reported the vulnerability to the developer and...
CVE-2025-12049
Missing Authentication for Critical Function vulnerability in Sharp Display Solutions Media Player MP-01 (all versions) allows an attacker to access the web interface of the affected product without authentication and change settings or perform other operations, and deliver content from the...
CVE-2025-54425
Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such...
CVE-2025-54425 Umbraco's Delivery API allows for cached requests to be returned with an invalid API key
Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such...
PT-2025-31370 · Umbraco · Umbraco
Name of the Vulnerable Software and Affected Versions: Umbraco versions 13.0.0 through 13.9.2; Umbraco versions 15.0.0 through 15.4.1; Umbraco versions 16.0.0 through 16.1.0. Description: Umbraco’s content delivery API can be restricted to require an API key in a header for authorization. Output...
GHSA-HQ75-XG7R-RX6C Better Call routing bug can lead to Cache Deception
Summary: Using a CDN that caches //.png, //.json, //.css, etc. requests, a cache deception can emerge. This could lead to unauthorized access to user sessions and personal data when cached responses are served to other users. Details: The vulnerability occurs in the request processing logic where...
AFP News Agency’s Content Delivery Systems Hit by Cyberattack
AFP news agency suffers a cyberattack disrupting its content delivery systems. News coverage continues as experts investigate, with…...
(Pwn2Own) Adobe Acrobat Reader DC Net.HTTP.request URL Restriction Bypass Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the...
Moderate: Red Hat Security Advisory: RHUI 4.4.0 release - Security Fixes, Bug Fixes, and Enhancements Update
An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.4 fixes several security and operational bugs, and introduces multiple new features. Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that enables you to manage repositories an...
Akamai Cloud: The World’s Most Distributed Cloud Platform
Introducing Akamai Connected Cloud, the massively distributed edge and cloud platform for cloud computing, security, and content delivery...
(Pwn2Own) Microsoft Teams URL Allowlist Bypass Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Teams. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the enforcement of...
[SECURITY] Fedora 36 Update: docker-distribution-2.6.2-18.git48294d9.fc36
Docker toolset to pack, ship, store, and deliver content...
Internet Resilience, Part 2: What It Takes to “Just Work”
One of the greatest signs of the success of the internet as a technology is how little the average person thinks about it. I’m not talking about the content itself. The streaming videos, online shopping sites, news and educational content, workplace productivity tools, and many other pieces of...
The Edge is Becoming More Critical in a World of 5G and IoT
The edge is becoming more critical in a world of 5G and IoT. I've seen the evolution from 1x to 3G to 4G and now 5G over the many years I've worked in the mobile space, and 5G and IoT will drive the biggest changes we have seen on the edge in 10 or 20 years. This discussion is happening in the...
Smart DNS for the New Network: Optimizing Content Delivery
The presence of public "over the top" DNS resolution alternatives is a strong motivator for ISPs to invest in making their DNS resolution infrastructure the best that it can be. Resolvers are the glue that binds subscribers to their fixed and mobile broadband services. Operators of public DNS...