ANT-2026-CN7KX43N · nomad · path-traversal
path-traversal critical CVE-2026-7474 Severity Claude critical · Security research firm critical · Maintainer - Discovered by Claude Mythos Preview REPORT Anthropic's analysis, sealed at approval. Disclosure to the maintainer was performed by Doyensec. ANT-2026-CN7KX43N: nomad: path-traversal at...
183 Million Synthient Stealer Credentials Added to Have I Been Pwned
Massive Synthient Stealer Log leak adds 183 million stolen usernames and passwords to Have I Been Pwned, exposing new victims worldwide...
Have I Been Pwned Adds ALIEN TXTBASE Data 280M Emails & Passwords
The HaveIBeenPwned (HIBP) website has significantly expanded its database with hundreds of millions of newly compromised credentials extracted by hackers through infostealer logs...
It's best to just assume you’ve been involved in a data breach somehow
Between AT&T, all the follow-on activity from Snowflake, Microsoft Outlook, and more, it's probably best to just assume at this point that your personal information has somehow been involved in a data breach. We're only halfway through 2024, and we've already seen some of the largest data breaches a...
Passbolt Browser Extension leaks password information
An issue was discovered in Passbolt Browser Extension before 4.6.2. It can send multiple requests to HaveIBeenPwned while a password is being typed, which results in an information leak. This allows an attacker capable of observing Passbolt's HTTPS queries to the Pwned Password API to more easily...
CVE-2024-33669
An issue was discovered in Passbolt Browser Extension before 4.6.2. It can send multiple requests to HaveIBeenPwned while a password is being typed, which results in an information leak. This allows an attacker capable of observing Passbolt's HTTPS queries to the Pwned Password API to more easily...
Original BreachForums Breached, PII Data of 210K Users Sold Online
By Habiba Rashid Have I Been Pwned, a central repository for tracking online data breaches, has confirmed the legitimacy of the stolen BreachForums data. This is a post from HackRead.com Read the original post: Original BreachForums Breached, PII Data of 210K Users Sold Online...
KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)
Title: KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution RCE Author: nu11secur1ty Date: 04.30.2023 Vendor: https://kodcloud.com/ Software: https://github.com/kalcaddle/KodExplorer/releases/tag/4.51.03 Reference: https://portswigger.net/web-security/file-upload Description:...
Online Shopping System Advanced 1.0 SQL Injection
The online-shopping-system-advanced-1.0 suffers from multiple SQLi. The attacker can steal all information from the database of this system. Status: CRITICAL + Exploit: MYSQL Parameter: cid POST Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause NOT Payload:...
Insecure password leads to Mangatoon data breach
The hugely popular Manga comics platform Mangatoon has fallen victim to a data breach. No fewer than 23 million user accounts could be at risk, thanks to a poorly secured database. Worse still, Mangatoon doesn't seem to be responding to messages from the breacher, or people notifying it that the...
3.7M FlexBooker Records Dumped on Hacker Forum
A threat group that identifies itself as Uawrongteam is dumping data stolen from FlexBooker – a popular online appointment scheduling tool for booking services ranging from counseling to haircuts – on a cybercriminal forum. FlexBooker sent a notification to its users, explaining that its Amazon A...
A week in security (Dec 20 – 26)
Last week on Malwarebytes Labs: When a deepfake “empire” continues to grow Everything you always wanted to know about NFTs but were too afraid to ask: Lock and Code S02E24 Police forces pipe 225 million pwned passwords into ‘Have I Been Pwned?’ Logistics giant warns of scams following ransomware...
LeakDB - Web-Scale NoSQL Idempotent Cloud-Native Big-Data Serverless Plaintext Credential Search
LeakDB is a tool set designed to allow organizations to build and deploy their own internal plaintext "Have I Been Pwned"-like service. The LeakDB tool set can normalize, deduplicate, index, sort, and search leaked data sets on the multi-terabyte-scale, without the need to distribute large files ...
SURMS - PHP (by: oretnom23 ) v1.0 SQL-Injection-Bypass-Authentication and PWNED PHPSESSID Hijacking
The SURMS – PHP (by: oretnom23) v1.0 is vulnerable to remote SQL-Injection-Bypass-Authentication for the admin account and PWNED PHPSESSID Hijacking in app /storage/classes/Login.php. remote SQL-Injection-Bypass-Authentication: The parameter username from the login form is not protected correct...
COVID-19 Contact Tracing System With QR Code Scanning 1.0 SQL Injection Exploit
COVID-19 Contact Tracing System web app with QR Code Scanning version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass. Exploit Title: Covid-19 Contact Tracing System Web App with QR Code Scanning CTS-QR by: oretnom23 v1.0 remote...
OneNav Beta 0.9.12 Cross Site Scripting
Exploit Title: XSS-Stored - Brutal PWNED on OneNav beta 0.9.12 addlink feature Author: nu11secur1ty Testing and Debugging: nu11secur1ty $ g3ck0dr1v3r Date: 08.06.2021 Vendor: https://www.xiaoz.me/ Link: https://github.com/helloxz/onenav/releases/tag/0.9.12 CVE: CVE-2021-38138 + Exploit Source:...
CVE-2021-38138
OneNav beta 0.9.12 allows XSS via the Add Link feature. PWNED by using remote execution script, automated for this vulnerability. NOTE: the vendor’s position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account;...
Euros Football Fever Nets Dumb Passwords
The European soccer championship a.k.a. the Euros is stoking maximum football fever, which has slopped over into easy-to-crack passwords. Such as, say, “football.” That password is of course easy as pie to crack via a dictionary attack – a type of brute-force attack that involves trying thousands...
A week in security (May 17 – May 23)
Last week on Malwarebytes Labs, we looked at a banking trojan full of nasty tricks, explained some tips and pointers for using VirusTotal, and dug into how an authentication vulnerability was patched by Pega Infinity. We also explored how a Royal Mail phish deploys evasion tricks to avoid analysi...
“Have I been pwnd?” – What is it and what to do when you *are* pwned
Adobe. Yahoo!. The US Department of Energy DoE. The New York Times. What these names have in common is that they have all experienced at least one breach in 2013—the year when threat actors started targeting organizations across industries to either steal data for profit or leak them to "teach...