34557 matches found
System Card: Claude Mythos Preview
This System Card describes Claude Mythos Preview, a large language model from Anthropic. Mythos Preview is their most capable frontier model to date, and shows a striking leap in scores on many evaluation benchmarks compared to their previous frontier model, Claude Opus 4.6. This System Card...
OpenAI Patches ChatGPT Data Exfiltration Flaw and Codex GitHub Token Vulnerability
A previously unknown vulnerability in OpenAI ChatGPT allowed sensitive conversation data to be exfiltrated without user knowledge or consent, according to new findings from Check Point. "A single malicious prompt could turn an otherwise ordinary conversation into a covert exfiltration channel,...
Unveiling the Resilience of LLM-Enhanced Search Engines against Black-Hat SEO Manipulation
The emergence of Large Language Model-enhanced Search Engines LLMSEs has revolutionized information retrieval by integrating web-scale search capabilities with AI-powered summarization. While these systems demonstrate improved efficiency over traditional search engines, their security implication...
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Summary The DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file directives e.g. $INCLUDE into the zone file that gets written to disk when th...
GHSA-X6W6-2XWP-3JH6 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Summary The DomainZones.add API endpoint accessible to customers with DNS enabled does not validate the content field for several DNS record types LOC, RP, SSHFP, TLSA. An attacker can inject newlines and BIND zone file directives e.g. $INCLUDE into the zone file that gets written to disk when th...
Researchers found font-rendering trick to hide malicious commands
Researchers have published a proof-of-concept PoC that uses custom fonts to fool many popular Artificial Intelligence AI assistants, including ChatGPT, Claude, Copilot, Gemini, Leo, Grok, Perplexity, Sigma, Dia, Fellou, and Genspark. Imagine a book where the visible text is harmless, but hidden...
Exploit for Deserialization of Untrusted Data in Facebook React
CVE Exploitation Arsenal Professional penetration testing too...
Keys on Doormats: Exposed API Credentials on the Web
Application programming interfaces APIs have become a central part of the modern IT environment, allowing developers to enrich the functionality of applications and interact with third parties such as cloud and payment providers. This interaction often occurs through authentication mechanisms tha...
Highly Autonomous Cyber-Capable Agents: Anticipating Capabilities, Tactics, and Strategic Implications
This report introduces the concept of "Highly Autonomous Cyber-Capable Agents" HACCAs, AI systems capable of autonomously conducting multi-stage cyber campaigns at a level comparable to today's top criminal hacking groups or state-affiliated threat actors, and analyzes the security implications o...
PT-2026-24811
The report circulating about "LDN-2026-0301" is false and based on manipulated screenshots. There is no such vulnerability in Ledger's transport layer, and no firmware update like the one described. The real research from the Ledger Donjon relates to CVE-2025-20435 https://t.co/Hx0yDcPxSk, a...
GHSA-WPPC-7CQ7-CGFV Weblate: Missing access control for the AddonViewSet API exposes all addon configurations
Impact Users were able to obtain add-on configuration via API. Patches https://github.com/WeblateOrg/weblate/pull/18107 https://github.com/WeblateOrg/weblate/pull/18164 References Weblate thanks @lighthousekeeper1212 for responsible disclosure...
Can AI Lower the Barrier to Cybersecurity? A Human-Centered Mixed-Methods Study of Novice CTF Learning
Capture-the-Flag CTF competitions serve as gateways into offensive cybersecurity, yet they often present steep barriers for novices due to complex toolchains and opaque workflows. Recently, agentic AI frameworks for cybersecurity promise to lower these barriers by automating and coordinating...
Malicious code in responsible-ai (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 05c11d73745aba3675053c5e949e3d5cf48ec050f6c5df589f613c094a8a038e The package responsible-ai was found to contain malicious code. Source: ghsa-malware 9b9159173d856834d97152b44c3f78779ff8f3dd4368b5d113920865417044c3...
Malicious Package
Overview responsible-ai is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
MAL-2026-890 Malicious code in responsible-ai (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 05c11d73745aba3675053c5e949e3d5cf48ec050f6c5df589f613c094a8a038e The package responsible-ai was found to contain malicious code. Source: ghsa-malware 9b9159173d856834d97152b44c3f78779ff8f3dd4368b5d113920865417044c3...
thoropass-vuln-research-program
Thoropass Vulnerability Research Program 🔐 Security Researc...
cve-disclosures
Public repository containing security vulnerabilities CVEs...
Researchers Reveal Reprompt Attack Allowing Single-Click Data Exfiltration From Microsoft Copilot
Cybersecurity researchers have disclosed details of a new attack method dubbed Reprompt that could allow bad actors to exfiltrate sensitive data from artificial intelligence AI chatbots like Microsoft Copilot in a single click, while bypassing enterprise security controls entirely. "Only a single...
Weblate has an arbitrary file read via symbolic links
Impact It was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Resources Thanks to Jason Marcello for responsible disclosure...
GHSA-8452-54WP-RMV6 Storybook manager bundle may expose environment variables during build
On December 11th, the Storybook team received a responsible disclosure alerting them to a potential vulnerability in certain built and published Storybooks. The vulnerability is a bug in how Storybook handles environment variables defined in a .env file, which could, in specific circumstances, le...