52 matches found

Positive Technologies
added 2026/06/05 12:0 a.m., 8 views

PT-2026-46994

Summary: The password-reset page rendered the URL token directly into a JavaScript string literal in a server-rendered EJS template. EJS HTML-entity-encodes a fixed set of characters but does not escape single quotes or backslashes, so a crafted token could break out of the JS string context and...

CVSS 5.1, AI score 5.7
Exploits 0, References 4
EUVD
added 2026/03/24 9:31 p.m., 3 views

EUVD-2026-14988

An Improper Input Validation vulnerability in UniFi Network Server may allow unauthorized access to an account if the account owner is socially engineered into clicking a malicious link. Affected Products: UniFi Network Server Version 10.1.85 and earlier. Mitigation: Update UniFi Network Server to...

CVSS 8.8, AI score 5.8, EPSS 0.00033
Exploits 0, References 2
Vulnrichment
added 2026/03/24 7:5 p.m., 3 views

CVE-2026-22559

An Improper Input Validation vulnerability in UniFi Network Server may allow unauthorized access to an account if the account owner is socially engineered into clicking a malicious link. Affected Products: UniFi Network Server Version 10.1.85 and earlier. Mitigation: Update UniFi Network Server to...

CVSS 8.8, AI score 5.8, EPSS 0.00033
Exploits 0, References 1
RedhatCVE
added 2026/02/27 7:44 p.m., 5 views

CVE-2025-64999

Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link...

CVSS 7.3, AI score 5.9, EPSS 0.00041
Exploits 1, References 1
UbuntuCve
added 2026/02/26 11:16 a.m., 3 views

CVE-2025-64999

Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link...

CVSS 7.3, AI score 5.9, EPSS 0.00041
Exploits 1, References 2
OSV
added 2026/02/26 11:16 a.m., 4 views

UBUNTU-CVE-2025-64999

Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link...

CVSS 7.3, AI score 5.8, EPSS 0.00041
Exploits 1, References 3
ATTACKERKB
added 2026/02/26 10:26 a.m., 6 views

CVE-2025-64999

Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link...

CVSS 7.3, AI score 5.4, EPSS 0.00041
Exploits 1, References 3, Affected Software 1
Positive Technologies
added 2026/02/26 12:0 a.m., 3 views

PT-2026-22137

Name of the Vulnerable Software and Affected Versions: Checkmk versions 2.3.0 through 2.3.0p43; Checkmk versions 2.4.0 through 2.4.0p22. Description: The software contains a flaw due to improper neutralization of input. An attacker who can manipulate a host's check output can inject malicious...

CVSS 7.3, AI score 6, EPSS 0.00041
Exploits 1, References 6
RedhatCVE
added 2026/01/17 5:19 p.m., 5 views

CVE-2026-23528

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask...

CVSS 6.1, AI score 6.7, EPSS 0.00016
Exploits 0, References 1
NVD
added 2026/01/16 5:15 p.m., 4 views

CVE-2026-23528

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask...

CVSS 6.1, EPSS 0.00016
Exploits 0, References 2
OSV
added 2026/01/16 4:44 p.m., 2 views

CVE-2026-23528: Dask distributed Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask...

CVSS 5.3, AI score 6.6, EPSS 0.00016
Exploits 0, References 4
UbuntuCve
added 2026/01/16 12:0 a.m., 4 views

CVE-2026-23528

Dask distributed is a distributed task scheduler for Dask. Prior to 2026.1.0, when Jupyter Lab, jupyter-server-proxy, and Dask distributed are all run together, it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-site scripting (XSS) bug in the Dask...

CVSS 6.1, AI score 5.9, EPSS 0.00016
Exploits 0, References 3
Malwarebytes
added 2026/01/15 1:16 p.m., 4 views

“Reprompt” attack lets attackers steal data from Microsoft Copilot

Researchers found a method to steal data which bypasses Microsoft Copilot's built-in safety mechanisms. The attack flow, called Reprompt, abuses how Microsoft Copilot handled URL parameters in order to hijack a user’s existing Copilot Personal session. Copilot is an AI assistant which connects t...

AI score 7.2
Exploits 0
Positive Technologies
added 2026/01/01 12:0 a.m., 2 views

PT-2026-3268

Name of the Vulnerable Software and Affected Versions: Dask distributed versions prior to 2026.1.0. Description: When Jupyter Lab, jupyter-server-proxy, and Dask distributed are used together, a crafted URL can lead to code execution by Jupyter due to a cross-site scripting (XSS) issue in the Dask...

CVSS 6.1, AI score 6.2, EPSS 0.00016
Exploits 0, References 15
Malwarebytes
added 2025/12/18 1:37 p.m., 15 views

The ghosts of WhatsApp: How GhostPairing hijacks accounts

Researchers have found an active campaign aimed at taking over WhatsApp accounts. They've called this attack GhostPairing because it tricks the victim into completing WhatsApp’s own device-pairing flow, silently adding the attacker’s browser as an invisible linked device on the account. Ghost of...

AI score 6.9
Exploits 0
Malwarebytes
added 2025/11/17 1:57 p.m., 8 views

Scammers are sending bogus copyright warnings to steal your X login

One of my favorite Forbes correspondents recently wrote about receiving several fake copyright-infringement notices from X. Let’s suppose you get an email claiming it’s from X, warning: “We’ve received a DMCA notice regarding your account.” Chances are, you’ll be wondering what you did wrong. DMC...

AI score 6.6
Exploits 0
EUVD
added 2025/10/07 12:30 a.m., 4 views

EUVD-2019-13419

Malware in sbrugna...

CVSS 8.7, AI score 7.5, EPSS 0.00502
Exploits 0, References 2
Schneier on Security
added 2025/09/25 11:2 a.m., 4 views

Malicious-Looking URL Creation Service

This site turns your URL into something sketchy-looking. For example, www.schneier.com becomes...

AI score 6.9
Exploits 0
Malwarebytes
added 2025/09/11 12:41 p.m., 5 views

Fake Bureau of Motor Vehicles texts are after your personal and banking details

Scammers are sending out texts that claim to be from the Bureau of Motor Vehicles (BMV), saying that you have outstanding traffic tickets. Here's an example, which was sent to one of our employees. “Ohio BMV Final Notice: Enforcement Begins September 10nd. Our records indicate that as of today, you...

AI score 6.8
Exploits 0
OSV
added 2025/07/30 2:15 p.m., 0 views

UBUNTU-CVE-2025-52897

GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19...

CVSS 6.5, AI score 5.8, EPSS 0.00237
Exploits 0, References 3