15 matches found
CVE-2026-40581
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint SelectDelete.php performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a...
EUVD-2026-23620
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint SelectDelete.php performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a...
Age verification vendor Persona left frontend exposed, researchers say
Researchers investigating Discord’s age-verification checks say they discovered an exposed frontend belonging to Persona, the identity-verification vendor used by Discord. It revealed a far more expansive surveillance and financial intelligence stack than a simple “teen safety” tool. A short whil...
CVE-2024-41505
Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) in the "Pessoas" (persons) section via the field "Profissão" professor...
CVE-2024-41502
Jetimob Plataforma Imobiliaria 20240627-0 is vulnerable to Cross Site Scripting (XSS) via the form field "Observações" (observances) in the "Pessoas" (persons) section when creating or editing either a legal or a natural person...
Top FBI Official Urges Agents to Use Warrantless Wiretaps on US Soil
An internal email from FBI deputy director Paul Abbate, obtained by WIRED, tells employees to search for “US persons” in a controversial spy program's database that investigators have repeatedly misused...
Alarm system cyberattack leaves those in need struggling to call for help
An alarm system company that allows those in need to ask for help at the touch of a button has suffered a cyberattack, causing serious disruption. Tunstall Netherlands says the attack left the control room struggling to receive distress calls from clients on Sunday November 12, 2023. Tunstall,...
ABB Multiple System 800xA Products Incorrect Default Permissions (CVE-2020-8487)
Insufficient protection of the inter-process communication functions in ABB System 800xA Base (all published versions) enables an attacker authenticated on the local system to inject data and affect node redundancy handling. This plugin only works with Tenable.ot. Please visit...
U.K. and U.S. Sanction 7 Russians for TrickBot, Ryuk, and Conti Ransomware Attacks
In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation with the TrickBot, Ryuk, and Conti cybercrime operation. The individuals designated under sanctions are Vitaly Kovalev aka Alex Konor, Bentley,...
Design/Logic Flaw
In Zammad 5.0.2, agents can configure "out of office" periods and substitute persons. If the substitute persons didn't have the same permissions as the original agent, they could receive ticket notifications for tickets that they have no access to...
Fake ransom scams targeting families of missing persons
By Deeba Ahmed. The FBI has issued an alert to families of missing persons to watch out for fake ransom scams in which scammers collect information about missing people from social media...
Clapper: NSA Queries Databases for Information on U.S. Persons
UPDATE: The NSA searches the data it collects incidentally on Americans, including phone calls and emails, during the course of terrorism investigations. James Clapper, the director of national intelligence, confirmed the searches in a letter to Sen. Ron Wyden, the first time that such actions hav...
Handling of Encryption, Tor Exposed in Leaked NSA Documents
New top-secret NSA documents released by the Guardian UK newspaper reveal that the United States’ top spy agency can retain encrypted communications for as long as it takes analysts to decrypt the secret messages—even if they’re collected by chance and without a warrant. In addition, the document...
Indian BJP Politician's bank accounts hacked
A local newspaper today reported that the four Axis Bank accounts belonging to the city's Ganesh Shipping firm were hacked by unknown persons and Rs 4,00,100 was transferred to a different account at Moradabad and Sind Bank. Following a complaint by...
CVE-2011-0745
SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) t...