1143 matches found

Packet Storm News
added 2025/06/05 12:0 a.m., 4 views

Breaking Anonymity at Scale: Re-Identifying the Trajectories of 100K Real Users in Japan

Mobility traces represent a critical class of personal data, often subjected to privacy-preserving transformations before public release. In this study, we analyze the anonymized Yjmob100k dataset, which captures the trajectories of 100,000 users in Japan, and demonstrate how existing anonymizati...

AI score: 6.8
Exploits: 0
Packet Storm News
added 2025/06/04 12:0 a.m., 2 views

Through the Stealth Lens: Rethinking Attacks and Defenses in RAG

Retrieval-augmented generation (RAG) systems are vulnerable to attacks that inject poisoned passages into the retrieved set, even at low corruption rates. We show that existing attacks are not designed to be stealthy, allowing reliable detection and mitigation. We formalize stealth using a...

AI score: 6.9
Exploits: 0
OSV
added 2025/06/02 5:55 p.m., 3 views

MGASA-2025-0175 Updated golang packages fix security vulnerabilities

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80" will incorrectly match and not be proxied - CVE-2025-22870. The net/http package...

CVSS: 9.1, AI score: 8.2, EPSS: 0.00294
Exploits: 2, References: 5
Mageia
added 2025/06/02 5:55 p.m., 23 views

Updated golang packages fix security vulnerabilities

Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to ".example.com", a request to "::1%25.example.com:80" will incorrectly match and not be proxied - CVE-2025-22870. The net/http package...

CVSS: 9.1, AI score: 7.1, EPSS: 0.00294
Exploits: 2, References: 4
Github Security Blog
added 2025/05/28 5:50 p.m., 4 views

vLLM vulnerable to Regular Expression Denial of Service

Summary: A recent review identified several regular expressions in the vllm codebase that are susceptible to Regular Expression Denial of Service (ReDoS) attacks. These patterns, if fed with crafted or malicious input, may cause severe performance degradation due to catastrophic backtracking. 1...

AI score: 7.1
Exploits: 0, References: 4, Affected Software: 1
Packet Storm News
added 2025/05/25 12:0 a.m., 3 views

ALRPHFS: Adversarially Learned Risk Patterns with Hierarchical Fast & Slow Reasoning for Robust Agent Defense

LLM Agents are becoming central to intelligent systems. However, their deployment raises serious safety concerns. Existing defenses largely rely on "Safety Checks", which struggle to capture the complex semantic risks posed by harmful user inputs or unsafe agent behaviors - creating a significant...

AI score: 7.2
Exploits: 0
RedhatCVE
added 2025/05/23 8:37 a.m., 6 views

CVE-2024-32826

Missing Authorization vulnerability in Vektor, Inc. VK Block Patterns. This issue affects VK Block Patterns: from n/a through 1.31.0...

CVSS: 5.3, AI score: 5.2, EPSS: 0.00208
Exploits: 0, References: 1
RedhatCVE
added 2025/05/23 7:26 a.m., 4 views

CVE-2024-0623

The VK Block Patterns plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.31.1.1. This is due to missing or incorrect nonce validation on the vbpclearpatternscache function. This makes it possible for unauthenticated attackers to clear the...

CVSS: 4.3, AI score: 6.4, EPSS: 0.04104
Exploits: 0, References: 1
OSV
added 2025/05/23 1:36 a.m., 1 views

MAL-2025-4360 Malicious code in index_patterns_test_plugin (npm)

Source: ghsa-malware da13b3f6dc1e7d94fa7ab535b32341c00bd4dd577983dc33bacb8e59605606f0 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 7
Exploits: 0, References: 4
RedhatCVE
added 2025/05/22 11:18 p.m., 2 views

CVE-2022-36893

Jenkins rpmsign-plugin Plugin 0.5.0 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace...

CVSS: 4.3, AI score: 5.9, EPSS: 0.00087
Exploits: 0, References: 1
RedhatCVE
added 2025/05/22 11:18 p.m., 1 views

CVE-2022-36892

Jenkins rhnpush-plugin Plugin 0.5.1 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Item/Read permission but without Item/Workspace or Item/Configure permission to check whether attacker-specified file patterns match workspace...

CVSS: 4.3, AI score: 5.9, EPSS: 0.00064
Exploits: 0, References: 1
RedhatCVE
added 2025/05/22 3:47 p.m., 9 views

CVE-2020-2140

Jenkins Audit Trail Plugin 3.2 and earlier does not escape the error message for the URL Patterns field form validation, resulting in a reflected cross-site scripting vulnerability...

CVSS: 6.1, AI score: 6.1, EPSS: 0.44807
Exploits: 0
IBM Security Bulletins
added 2025/05/22 6:33 a.m., 13 views

Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images

Summary: Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images. Vulnerability Details: CVEID: CVE-2025-0395. DESCRIPTION: When the assert function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure messa...

CVSS: 7.5, AI score: 7.8, EPSS: 0.00591
Exploits: 2, Affected Software: 1
RedhatCVE
added 2025/05/22 5:10 a.m., 3 views

CVE-2019-13048

kernel/sys/syscall.c in ToaruOS through 1.10.9 allows a denial of service upon a critical error in certain syssbrk allocation patterns involving PAGESIZE, and a value less than PAGESIZE...

CVSS: 5.5, AI score: 6.9, EPSS: 0.00049
Exploits: 1, References: 1
OSSF Malicious Packages
added 2025/05/15 1:1 p.m., 1 views

Malicious code in helvetia-base-patterns (npm)

Source: ghsa-malware 3682a1cff47d9425b9d7c8d820704387f078a2f5ee4dadc955da09c859c23579 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 6.9
Exploits: 0, References: 3
OSV
added 2025/05/15 1:1 p.m., 2 views

MAL-2025-3831 Malicious code in helvetia-base-patterns (npm)

Source: ghsa-malware 3682a1cff47d9425b9d7c8d820704387f078a2f5ee4dadc955da09c859c23579 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 7
Exploits: 0, References: 3
FreeBSD
added 2025/05/13 12:0 a.m., 9 views

vscode -- security feature bypass vulnerability

VSCode developers report: A security feature bypass vulnerability exists in VS Code 1.100.0 and earlier versions where a maliciously crafted URL could be considered trusted when it should not have due to how VS Code handled glob patterns in the trusted domains feature. When paired with the fetch...

CVSS: 7.1, AI score: 6.9, EPSS: 0.00859
Exploits: 0, References: 2
Packet Storm News
added 2025/05/11 12:0 a.m., 3 views

One Trigger Token Is Enough: a Defense Strategy for Balancing Safety and Usability in Large Language Models

Large Language Models (LLMs) have been extensively used across diverse domains, including virtual assistants, automated code generation, and scientific research. However, they remain vulnerable to jailbreak attacks, which manipulate the models into generating harmful responses despite safety...

AI score: 7.5
Exploits: 0
Packet Storm News
added 2025/05/09 12:0 a.m., 2 views

UK Finfluencers: Exploring Content, Reach, and Responsibility

The rise of social media financial influencers (finfluencers) has significantly transformed the personal finance landscape, making financial advice and insights more accessible to a broader and younger audience. By leveraging digital platforms, these influencers have contributed to the...

AI score: 6.7
Exploits: 0
CNNVD
added 2025/05/07 12:0 a.m., 6 views

syslog-ng security vulnerability

syslog-ng is an enhanced logging daemon from the syslog-ng team. A wide range of input and output methods are supported: syslog, unstructured text, queues, SQL and NoSQL. A security vulnerability exists in syslog-ng versions prior to 4.8.2, which stems from the tlswildcardmatch function...

CVSS: 7.5, AI score: 7.6, EPSS: 0.00507
Exploits: 1, References: 6