PT-2026-39697

Name of the Vulnerable Software and Affected Versions go-git versions prior to v5 Description go-git may parse malformed Git objects differently than upstream Git. When commit or tag objects contain ambiguous or malformed headers, the decoded representation in go-git may expose values that differ...

JLSEC-2025-325 A flaw was found in rsync

A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare wi...

Password Strength Analysis through Social Network Data Exposure: A Combined Approach Relying on Data Reconstruction and Generative Models

Although passwords remain the primary defense against unauthorized access, users often tend to use passwords that are easy to remember. This behavior significantly increases security risks, also due to the fact that traditional password strength evaluation methods are often inadequate. In this...

Floragunn Search Guard FLX 安全漏洞

Floragunn Search Guard FLX is a security component for protecting Elastic Search from Floragunn, Germany. A security vulnerability exists in Floragunn Search Guard FLX 3.1.1 and earlier versions, which stems from an improperly implemented field mask rule for IP type fields, which could result in...

EUVD-2024-50582

Malicious code in bioql PyPI...

Per-Element Secure Aggregation against Data Reconstruction Attacks in Federated Learning

Federated learning FL enables collaborative model training without sharing raw data, but individual model updates may still leak sensitive information. Secure aggregation SecAgg mitigates this risk by allowing the server to access only the sum of client updates, thereby concealing individual...

Unifying Re-Identification, Attribute Inference, and Data Reconstruction Risks in Differential Privacy

Differentially private DP mechanisms are difficult to interpret and calibrate because existing methods for mapping standard privacy parameters to concrete privacy risks -- re-identification, attribute inference, and data reconstruction -- are both overly pessimistic and inconsistent. In this work...

Byzantine Outside, Curious Inside: Reconstructing Data through Malicious Updates

Federated learning FL enables decentralized machine learning without sharing raw data, allowing multiple clients to collaboratively learn a global model. However, studies reveal that privacy leakage is possible under commonly adopted FL protocols. In particular, a server with access to client...

Boosting Gradient Leakage Attacks: Data Reconstruction in Realistic FL Settings

Federated learning FL enables collaborative model training among multiple clients without the need to expose raw data. Its ability to safeguard privacy, at the heart of FL, has recently been a hot-button debate topic. To elaborate, several studies have introduced a type of attacks known as gradie...

SoK: Data Reconstruction Attacks against Machine Learning Models: Definition, Metrics, and Benchmark

Data reconstruction attacks, which aim to recover the training dataset of a target model with limited access, have gained increasing attention in recent years. However, there is currently no consensus on a formal definition of data reconstruction attacks or appropriate evaluation metrics for...

Gradient Inversion Attacks on Parameter-Efficient Fine-Tuning

Federated learning FL allows multiple data-owners to collaboratively train machine learning models by exchanging local gradients, while keeping their private data on-device. To simultaneously enhance privacy and training efficiency, recently parameter-efficient fine-tuning PEFT of large-scale...

Bayesian Perspective on Memorization and Reconstruction

We introduce a new Bayesian perspective on the concept of data reconstruction, and leverage this viewpoint to propose a new security definition that, in certain settings, provably prevents reconstruction attacks. We use our paradigm to shed new light on one of the most notorious attacks in the...

Covert Attacks on Machine Learning Training in Passively Secure MPC

Secure multiparty computation MPC allows data owners to train machine learning models on combined data while keeping the underlying training data private. The MPC threat model either considers an adversary who passively corrupts some parties without affecting their overall behavior, or an adversa...

Vulnerability of Transfer-Learned Neural Networks to Data Reconstruction Attacks in Small-Data Regime

Training data reconstruction attacks enable adversaries to recover portions of a released model's training data. We consider the attacks where a reconstructor neural network learns to invert the random mapping between training data and model weights. Prior work has shown that an informed adversar...

Verifiably Forgotten? Gradient Differences Still Enable Data Reconstruction in Federated Unlearning

Federated Unlearning FU has emerged as a critical compliance mechanism for data privacy regulations, requiring unlearned clients to provide verifiable Proof of Federated Unlearning PoFU to auditors upon data removal requests. However, we uncover a significant privacy vulnerability: when gradient...

Nosy Layers, Noisy Fixes: Tackling DRAs in Federated Learning Systems Using Explainable AI

Federated Learning FL has emerged as a powerful paradigm for collaborative model training while keeping client data decentralized and private. However, it is vulnerable to Data Reconstruction Attacks DRA such as "LoKI" and "Robbing the Fed", where malicious models sent from the server to the clie...

Cutting through Privacy: a Hyperplane-Based Data Reconstruction Attack in Federated Learning

Federated Learning FL enables collaborative training of machine learning models across distributed clients without sharing raw data, ostensibly preserving data privacy. Nevertheless, recent studies have revealed critical vulnerabilities in FL, showing that a malicious central server can manipulat...

rsync: rsync server leaks arbitrary client files

A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare wi...

A Numerical Gradient Inversion Attack in Variational Quantum Neural-Networks

The loss landscape of Variational Quantum Neural Networks VQNNs is characterized by local minima that grow exponentially with increasing qubits. Because of this, it is more challenging to recover information from model gradients during training compared to classical Neural Networks NNs. In this...

ReCIT: Reconstructing Full Private Data from Gradient in Parameter-Efficient Fine-Tuning of Large Language Models

Parameter-efficient fine-tuning PEFT has emerged as a practical solution for adapting large language models LLMs to custom datasets with significantly reduced computational cost. When carrying out PEFT under collaborative learning scenarios e.g., federated learning, it is often required to exchan...