
64 matches found

NVD
added 2026/05/11 10:16 a.m., 15 views

CVE-2024-0391

The "check user account lock states" feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames increases the risk of brute-force and social engineering attacks. Attackers can leverage...

CVSS 5.3, EPSS 0.00184
Exploits: 0, References: 1
Positive Technologies
added 2026/05/11 12:00 a.m., 15 views

PT-2026-39580

Name of the Vulnerable Software and Affected Versions: the product name cannot be determined; affected versions not specified. Description: the "check user account lock states" feature within the email OTP flow fails to validate user input. This allows an attacker to infer whether specific user account...

CVSS 5.3, AI score 5.8, EPSS 0.00184
Exploits: 0, References: 7
GithubExploit
added 2026/04/28 12:10 p.m., 138 views

codex-solidity

⛓️ Codex Solidity — Smart Contract & Protocol Audit Agent Imp...

AI score 5.5
Exploits: 0
hivepro
added 2026/03/16 2:41 p.m., 3 views

Top 5 Vulnerability Prioritization Tools for Enterprises

A high CVSS score doesn’t always equal high business risk. A critical vulnerability on a non-essential, isolated asset might be less of a priority than a medium-level one on your primary payment server. To truly manage risk, you have to connect technical data to business context. This means...

AI score 6
Exploits: 0
CVE
added 2026/02/11 12:00 a.m., 14 views

CVE-2025-69871

Summary: CVE-2025-69871 affects MedusaJS/Medusa v2.12.2 and earlier. The root cause is a race condition in the promotion module’s registerUsage() function, which performs a non-atomic read-check-update when enforcing usage limits. This can let unauthenticated remote attackers submit concurrent ch...

CVSS 8.1, AI score 5.6, EPSS 0.00351
Exploits: 1, References: 3
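The non-atomic read-check-update described for CVE-2025-69871, shown as an added JavaScript example that is not MedusaJS code. The in-memory store, the setImmediate yield standing in for database I/O, and all function names are assumptions of this example; the point it demonstrates is that a usage limit enforced as "read the counter, compare, write counter + 1" with I/O between the steps lets concurrent requests all pass the check, whereas a single conditional increment does not.

```javascript
// Added example, not MedusaJS code: a usage-limit counter updated with a
// non-atomic read-check-update, beside an atomic compare-and-increment.
// The in-memory store is a constructed stand-in for a database row and the
// setImmediate yield models the round trip of a real query, so concurrent
// callers interleave the way they would across real I/O.

function makeStore(limit) {
  return { usage: 0, limit };
}

function yieldToEventLoop() {
  return new Promise((resolve) => setImmediate(resolve));
}

// VULNERABLE: read, check and write are separate steps with I/O between them.
// Every caller whose read lands before the first write sees usage below the
// limit, and each write stores its own stale value instead of incrementing.
async function registerUsageRacy(store) {
  await yieldToEventLoop();          // SELECT usage FROM promotion ...
  const current = store.usage;       // read
  if (current >= store.limit) {      // check
    return false;
  }
  await yieldToEventLoop();          // UPDATE promotion SET usage = <current + 1>
  store.usage = current + 1;         // update with a possibly stale value
  return true;
}

// FIXED: check and increment happen in one step with no await between them,
// the in-memory equivalent of a conditional update such as
//   UPDATE promotion SET usage = usage + 1 WHERE id = ? AND usage < limit
// followed by inspecting the affected-row count.
async function registerUsageAtomic(store) {
  await yieldToEventLoop();
  return compareAndIncrement(store);
}

function compareAndIncrement(store) {
  if (store.usage >= store.limit) {
    return false;
  }
  store.usage += 1;
  return true;
}

// Launch `concurrency` redemptions at once against a fresh store and report
// how many were accepted versus what the counter ends up recording.
async function redeemConcurrently(registerUsage, limit, concurrency) {
  const store = makeStore(limit);
  const outcomes = await Promise.all(
    Array.from({ length: concurrency }, () => registerUsage(store))
  );
  return { accepted: outcomes.filter(Boolean).length, recorded: store.usage };
}

async function demo() {
  const racy = await redeemConcurrently(registerUsageRacy, 1, 20);
  const atomic = await redeemConcurrently(registerUsageAtomic, 1, 20);
  // With a limit of 1 the racy path accepts many redemptions while the
  // counter still reads as if only one had happened; the atomic path
  // accepts exactly one.
  console.log('racy  :', racy);
  console.log('atomic:', atomic);
  return { racy, atomic };
}

demo();
```

In a real service the compare-and-increment must live in the database (a conditional UPDATE, a row lock inside the transaction, or an atomic counter), not in application memory; the in-process version above only illustrates why the check and the write have to be one indivisible operation.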
NVD
added 2026/01/30 8:16 p.m., 4 views

CVE-2026-23835

LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in Knowledge Base File Upload does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitra...

CVSS 7.2, EPSS 0.0033
Exploits: 0, References: 1
Positive Technologies
added 2026/01/30 12:00 a.m., 5 views

PT-2026-5439

Name of the Vulnerable Software and Affected Versions: LobeHub versions prior to 1.143.3. Description: LobeHub is an open source human-and-AI-agent network. The file upload feature in Knowledge Base File Upload does not validate the integrity of the upload request, allowing users to intercept and...

CVSS 7.2, AI score 5.9, EPSS 0.0033
Exploits: 0, References: 7
HackRead
added 2025/11/06 11:02 p.m., 4 views

Account Takeover: What Is It and How to Fight It

Account takeover (ATO) attacks can devastate individuals and organisations, from personal profiles to enterprise systems. The financial impact…

AI score 7.1
Exploits: 0
EUVD
added 2025/10/03 8:07 p.m., 5 views

EUVD-2024-48392

Malicious code in bioql PyPI...

CVSS 6.5, AI score 5.5, EPSS 0.00418
Exploits: 1, References: 2
hivepro
added 2025/10/01 9:00 a.m., 3 views

Operation Cronos and the Takedown of LockBit: A Cybersecurity Milestone

Introduction: LockBit (aka ABCD ransomware), one of the most destructive ransomware groups in history, was dismantled in early 2024 through a...

CVSS 10, AI score 7, EPSS 0.99959
Exploits: 8
Akamai Blog
added 2025/07/30 12:00 p.m., 7 views

The Price of Poor Cybersecurity in 2024: US$3.1 Billion

...

AI score 7.3
Exploits: 0
The Hacker News
added 2025/06/21 9:44 a.m., 9 views

Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages

The April 2025 cyber attacks targeting U.K. retailers Marks & Spencer and Co-op have been classified as a "single combined cyber event." That's according to an assessment from the Cyber Monitoring Centre (CMC), a U.K.-based independent, non-profit body set up by the insurance industry to categorize...

AI score 6.9
Exploits: 0
RedhatCVE
added 2025/05/23 9:50 a.m., 11 views

CVE-2024-7472

lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API /v1/users/send-verification and Sign up API /auth/signup. An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace...

CVSS 6.5, AI score 6.5, EPSS 0.00418
Exploits: 1, References: 1
Packet Storm News
added 2025/04/18 12:00 a.m., 1 view

Cybersquatting in Web3: the Case of NFT

Cybersquatting refers to the practice where attackers register a domain name similar to a legitimate one to confuse users for illegal gains. With the growth of the Non-Fungible Token (NFT) ecosystem, there are indications that cybersquatting tactics have evolved from targeting domain names to NFTs...

AI score 6.9
Exploits: 0
Vulnrichment
added 2025/03/20 10:11 a.m., 15 views

CVE-2024-8053 Improper Authentication in open-webui/open-webui

In version v0.3.10 of open-webui/open-webui, the api/v1/utils/pdf endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited by sending a POST request with an excessively large payload, potentially leading...

CVSS 7.5, AI score 7.5, EPSS 0.00597
Exploits: 1, References: 1
Github Security Blog
added 2025/03/07 8:00 p.m., 8 views

Horcrux Double Sign Possibility

Horcrux Incident Disclosure: Possible Double-Sign. Summary: On March 6, 2025, a Horcrux user (01node) experienced a double-signing incident on the Osmosis network, resulting in a 5% slash penalty (approximately 75,000 OSMO, or about $20,000 USD). After thorough investigation, we have identified a race conditi...

AI score 7
Exploits: 0, References: 5, Affected Software: 1
OSV
added 2024/10/29 1:15 p.m., 21 views

CVE-2024-7472

lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API /v1/users/send-verification and Sign up API /auth/signup. An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace...

CVSS 6.5, AI score 7.1, EPSS 0.00418
Exploits: 1, References: 2
NVD
added 2024/10/29 1:15 p.m., 35 views

CVE-2024-7472

lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API /v1/users/send-verification and Sign up API /auth/signup. An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace...

CVSS 6.5, EPSS 0.00418
Exploits: 1, References: 2
CVE
added 2024/10/29 12:49 p.m., 102 views

CVE-2024-7472

CVE-2024-7472 affects lunary-ai/lunary v1.2.26, exposing an email injection vulnerability in the /v1/users/send-verification and /auth/signup endpoints. The root cause is bypassing the extractFirstName function by using an alternate whitespace character (e.g., \xa0), enabling data to be injected ...

CVSS 6.5, AI score 5.6, EPSS 0.00418
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2024/10/29 12:49 p.m., 37 views

CVE-2024-7472 Email Injection Vulnerability in lunary-ai/lunary

lunary-ai/lunary v1.2.26 contains an email injection vulnerability in the Send email verification API /v1/users/send-verification and Sign up API /auth/signup. An unauthenticated attacker can inject data into outgoing emails by bypassing the extractFirstName function using a different whitespace...

CVSS 5.3, EPSS 0.00418
Exploits: 1, References: 2