492 matches found
Arbitrary File Upload
Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Arbitrary File Upload in the saveFile function. An authenticated user with manage permissions on a video can execute arbitrary code on the server by uploading a...
Malicious code in logutilkit (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 25a26f2dc6e0a8e2ba3bd43492fbffa597b39065e3f3378ea976dcabddf8fbf8 Malicious clone of a legitimate package. When using it, the code attempts to download and execute remote code. In on of the incarnations, the malicious code wa...
Malicious code in apachelicense (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 9d96d45a87e117e72107d6d6dfbe8c4e94323323bc28ce9accd8ccba39a0a46c Malicious clone of legitimate "license" package. When using the findbykey function, the malicious code from strongly obfuscated files is loaded. It then at lea...
PT-2026-25396
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admi...
PT-2026-24611
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model pom which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository...
A week in security (February 23 – March 1)
Last week on Malwarebytes Labs: Public Google API keys can be used to expose Gemini AI data Inside a fake Google security check that becomes a browser RAT Fake Zoom and Google Meet scams install Teramind: A technical deep dive How to understand and avoid Advanced Persistent Threats The Conduent...
Password managers keep your passwords safe, unless…
I’m a big advocate of password managers. Granted, there are better alternatives for passwords like passkeys, but if a provider offers nothing but password options, which many do, you can’t do much about that. So, for the time being we seem to be stuck with passwords. Every reputable password...
On the Security of Password Managers
Good article on password managers that secretly have a backdoor. New research shows that these claims aren’t true in all cases, particularly when account recovery is in place or password managers are set to share vaults or organize users into groups. The researchers reverse-engineered or closely...
Researchers Demonstrate 27 Attacks Against Major Password Managers
Researchers demonstrate multiple attacks against major password managers, showing how compromised servers and design flaws can expose encrypted vault data...
CVE-2026-27196
Statmatic is a Laravel and Git powered content management system CMS. Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that...
Password Managers Share a Hidden Weakness
Plus: The cybersecurity community grapples with Epstein files revelations, the US State Department plans an online anti-censorship “portal” for the world, and more...
CVE-2026-27196 Statamic affected by privilege escalation via stored Cross-site Scripting
Statmatic is a Laravel and Git powered content management system CMS. Versions 5.73.8 and below in addition to 6.0.0-alpha.1 through 6.3.1 have a Stored XSS vulnerability in html fieldtypes which allows authenticated users with field management permissions to inject malicious JavaScript that...
AI-generated passwords are a security risk
Using Artificial Intelligence AI to generate your passwords is a bad idea. It's likely to give that password to a criminal who can then use it in a dictionary attack—which is when an attacker runs through a prepared list of likely passwords words, phrases, patterns with automated tools until one ...
WordPress Product Addons for Woocommerce - Product Options with Custom Fields plugin <= 3.1.0 - Authenticated (Shop Manager+) Code Injection via Conditional Logic 'operator' Parameter vulnerability
WordPress Product Addons for Woocommerce - Product Options with Custom Fields plugin = 3.1.0 - Authenticated Shop Manager+ Code Injection via Conditional Logic 'operator' Parameter vulnerability discovered by Phap Nguyen Anh - FIS in WordPress Plugin Product Addons for Woocommerce versions = 3.1....
CVE-2026-1937
CVE-2026-1937 affects the YayMail – WooCommerce Email Customizer WordPress plugin up to version 4.3.2. The root cause is a missing capability check on the yaymail_import_state AJAX action, allowing authenticated attackers with Shop Manager-level access or higher to modify arbitrary WordPress opti...
Zero Knowledge (About) Encryption: A Comparative Security Analysis of Three Cloud-based Password Managers
Zero Knowledge Encryption is a term widely used by vendors of cloud-based password managers. Although it has no strict technical meaning, the term conveys the idea that the server, who stores encrypted password vaults on behalf of users, is unable to learn anything about the contents of those...
Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers
A new study has found that multiple cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are susceptible to password recovery attacks under certain conditions. "The attacks range in severity from integrity violations to the complete compromise of all vaults in an...
CVE-2026-24777
OpenProject prior to 17.0.2 allowed users with the Manage Users permission to lock and unlock other users, including application administrators, due to a missing permission check. The issue is fixed in OpenProject 17.0.2. Affected software: OpenProject (web-based project management) with the vuln...
Okara: Detection and Attribution of TLS Man-In-The-Middle Vulnerabilities in Android Apps with Foundation Models
Transport Layer Security TLS is fundamental to secure online communication, yet vulnerabilities in certificate validation that enable Man-in-the-Middle MitM attacks remain a pervasive threat in Android apps. Existing detection tools are hampered by low-coverage UI interaction, costly...
CVE-2025-59091
Multiple hardcoded credentials have been identified, which are allowed to sign-in to the exos 9300 datapoint server running on port 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used to graphically...