19 matches found
CVE-2025-11438
A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. It affects unknown code in the /custom-domains API endpoint; the flaw is a missing authorization check, so callers can manipulate custom-domain settings they are not entitled to. The attack may be launched remotely. The exploit has been disclosed to the public and...
CVE-2025-11438
Summary of CVE-2025-11438 (JhumanJ OpnForm) : Affects OpnForm up to 1.9.3. The vulnerability is a missing authorization check in the API endpoint component, specifically in the /custom-domains file/endpoint, allowing unauthorized manipulation of custom-domain settings. Exploitation is possible re...
CVE-2025-11438 JhumanJ OpnForm API Endpoint custom-domains authorization
A vulnerability has been found in JhumanJ OpnForm up to 1.9.3. It affects unknown code in the /custom-domains API endpoint; the flaw is a missing authorization check, so callers can manipulate custom-domain settings they are not entitled to. The attack may be launched remotely. The exploit has been disclosed to the public and...
PT-2025-41233
Name of the Vulnerable Software and Affected Versions JhumanJ OpnForm versions up to 1.9.3 Description A missing authorization check exists in the API endpoint responsible for managing custom domains, located at /custom-domains. This allows for unauthorized manipulation of custom domain settings...
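The OpnForm entries above all describe the same class of bug: an authenticated API endpoint that mutates a tenant's custom domains without checking that the caller owns that tenant. The following is an added illustration of that pattern and of the object-level authorization check that closes it; it is not OpnForm's code and the names (User, Workspace, the in-memory WORKSPACES table, the Forbidden error) are hypothetical.

```python
"""Missing authorization on a custom-domain endpoint: vulnerable handler beside a hardened one.

Added illustration, not OpnForm's code. User, Workspace, WORKSPACES and
Forbidden are hypothetical names; the pattern is the one the advisories
describe: an authenticated caller edits another tenant's custom domains
because the handler never checks that the caller belongs to that workspace.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the target."""


@dataclass
class User:
    id: int


@dataclass
class Workspace:
    id: int
    member_ids: set = field(default_factory=set)
    custom_domains: list = field(default_factory=list)


# Constructed sample data: two tenants, each with a single member.
WORKSPACES = {
    1: Workspace(id=1, member_ids={10}, custom_domains=["forms.tenant-a.example"]),
    2: Workspace(id=2, member_ids={20}, custom_domains=["forms.tenant-b.example"]),
}


def update_custom_domains_vulnerable(caller: User, workspace_id: int, domains: list) -> list:
    """Authentication only: the caller is a logged-in User, but nothing ties the
    caller to the workspace being edited, so any account can rewrite any tenant's
    domains. The unused 'caller' parameter is the bug."""
    ws = WORKSPACES[workspace_id]
    ws.custom_domains = list(domains)
    return ws.custom_domains


def update_custom_domains_fixed(caller: User, workspace_id: int, domains: list) -> list:
    """Object-level authorization: the workspace must exist and the caller must be
    one of its members before any mutation happens."""
    ws = WORKSPACES.get(workspace_id)
    # One error for both 'does not exist' and 'not yours', so the endpoint cannot
    # be used to enumerate valid workspace ids.
    if ws is None or caller.id not in ws.member_ids:
        raise Forbidden(f"user {caller.id} may not manage workspace {workspace_id}")
    ws.custom_domains = list(domains)
    return ws.custom_domains


def demo() -> dict:
    """Run both handlers as an attacker (user 20, member of workspace 2 only)
    against workspace 1 and report what each one allowed."""
    attacker = User(id=20)
    results = {}
    results["vulnerable"] = update_custom_domains_vulnerable(attacker, 1, ["attacker.example"])
    try:
        update_custom_domains_fixed(attacker, 1, ["attacker.example"])
        results["fixed"] = "allowed"
    except Forbidden:
        results["fixed"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The check belongs in the handler (or in a policy the handler always calls), not in the UI: the advisories note the attack is remote, which is exactly the case where the client is the attacker's own HTTP tool and any front-end gating is irrelevant.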
EUVD-2017-6516
Malware in sbrugna...
BucketLoot - An Automated S3-compatible Bucket Inspector
BucketLoot is an automated S3-compatible Bucket inspector that can help users extract assets, flag secret exposures and even search for custom keywords as well as Regular Expressions from publicly-exposed storage buckets by scanning files that store data in plain-text. The tool can scan for bucke...
Cloudflare Public Bug Bounty: Take over subdomains of r2.dev using R2 custom domains
███████ ████ ████ ███████████████████████████ ███ ██████████ It is possible to take over any subdomain of r2.dev, possibly also the base domain, and have it serve the contents of an R2 bucket in your account. Requirements Access to R2 public buckets in the dashboard is currently behind a flag. The...
GO-2022-0189 Remote command execution via "go get" with "-u" flag in cmd/go
The "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode and not in module mode; the distinction is documented a...
"Zero-Days" Without Incident - Compromising Angular via Expired npm Publisher Email Domains
NOTE: If you’re just looking for the high level points, see the “The TL;DR Summary & High-Level Points” section of this post. Recently I took an interest in the npm registry due to its critical role in the security of managing packages for all of JavaScript and Node. After registering an account...
Lil’ skimmer, the Magecart impersonator
This blog post was authored by Jérôme Segura A very common practice among criminals consists of mimicking legitimate infrastructure when registering new domain names. This is very true for Magecart threat actors who love to impersonate Google, jQuery and many other popular brands. In this post we...
U.S. Dept Of Defense: Subdomain takeover of ███
Summary: The subdomain ██████ had a CNAME record pointing to an unclaimed ███████ webservice. This is a high severity security issue because an attacker can register the subdomain on ███ and therefore can own the subdomain █████████. Description: The dangling CNAME record of █████████ is pointin...
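The Cloudflare R2 and DoD reports above share one precondition: a name under your control points at a target on a third-party service that nobody currently holds. The following is an added example of the check a defender runs over their own zone to find such records; it is not code from either report. The zone export and the resolver are constructed so it runs offline; in a real sweep the resolver would be a live lookup and the zone would come from your DNS provider.

```python
"""Dangling-CNAME sweep of the kind behind the subdomain-takeover reports above.

Added illustration, not code from the reports. ZONE and FAKE_DNS are constructed
stand-ins for a zone export and the public DNS; swap fake_resolve for a real
lookup (e.g. dnspython's resolver) to run it for real.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone export: (owner, type, target). The third record points at a
# name on a hosting service that nobody has claimed, which is the takeover case;
# the fifth points at a retired name in our own zone, which is merely stale.
ZONE = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("blog.example.com.", "CNAME", "claimed-site.hosting.example.net."),
    ("old-app.example.com.", "CNAME", "unclaimed-site.hosting.example.net."),
    ("docs.example.com.", "CNAME", "www.example.com."),
    ("legacy.example.com.", "CNAME", "retired.example.com."),
]

# Constructed answer table standing in for the public DNS: names present here
# resolve to an address; names absent here are NXDOMAIN (None).
FAKE_DNS: Dict[str, Optional[str]] = {
    "www.example.com.": "192.0.2.10",
    "claimed-site.hosting.example.net.": "198.51.100.7",
    "docs.example.com.": "192.0.2.10",
}


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for an A/AAAA lookup: address string or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def in_zone(name: str, zone: str) -> bool:
    """True if 'name' is the zone apex or any name beneath it (both fully qualified)."""
    return name == zone or name.endswith("." + zone)


def find_dangling_cnames(
    zone: List[Tuple[str, str, str]],
    resolve: Callable[[str], Optional[str]],
    own_zone: str,
) -> List[Tuple[str, str, str]]:
    """Return (owner, target, risk) for every CNAME whose target does not resolve.

    risk is 'third-party' when the dead target lives outside our own zone: if that
    service lets anyone claim arbitrary names, an attacker registers the target
    and our owner name starts serving their content. 'internal' means the target
    is in our own zone, so only we could ever claim it; still worth cleaning up.
    """
    findings = []
    for owner, rtype, target in zone:
        if rtype != "CNAME" or resolve(target) is not None:
            continue
        risk = "internal" if in_zone(target, own_zone) else "third-party"
        findings.append((owner, target, risk))
    return findings


if __name__ == "__main__":
    for owner, target, risk in find_dangling_cnames(ZONE, fake_resolve, "example.com."):
        print(f"{risk:12} {owner} -> {target}")
```

NXDOMAIN is a strong signal but not the only one: some services answer for any name and return a "no such site" page instead, so a complete sweep also fetches the owner name over HTTP and matches the service's unclaimed-resource fingerprint. Run the sweep on a schedule, since the R2 report shows a target can go from claimed to claimable without any change on your side.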
Remote Code Execution (RCE)
github.com/golang/go is vulnerable to remote code execution (RCE). If custom domains are used, a malicious user can set a domain example.com/proj1 to point to a subversion repository and another domain example.com/proj1/proj2 to point to a git repository. When the go get command is run, arbitrary...
Most LokiBot samples in the wild are "hijacked" versions of the original malware
Hacker himself got hacked. It turns out that most samples of the LokiBot malware being distributed in the wild are modified versions of the original sample, a security researcher has learned. Targeting users since 2015, LokiBot is a password and cryptocoin-wallet stealer that can harvest...
CVE-2017-15041
Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command execution. Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git...
WordPress enables Free HTTPS Encryption for all Blogs with Custom Domain
Do you own a custom domain or a blog under the wordpress.com domain name? If yes, then there is good news for you. WordPress is bringing free HTTPS to every blog and website that belongs to them in an effort to make the Web more secure. WordPress – free, open source and the most popular content...