26 matches found

Cvelist
added yesterday, 8 views

CVE-2026-42462 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3, an attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify interprets it without changing its...

CVSS 7
Exploits: 0, References: 2
CVE
added yesterday, 6 views

CVE-2026-42462

CVE-2026-42462 describes an LD-Signature bypass in Fedify caused by JSON-LD named-graph restructuring. The issue allows an attacker to reorganize a signed JSON-LD payload (via features like @graph, @reverse, @included) in a way that changes how the signed ActivityPub activity is interpreted witho...

CVSS 7, AI score 5.5
Exploits: 0, References: 2
Github Security Blog
added 2026/05/26 11:38 p.m., 10 views

Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet. Summary An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify...

CVSS 7, AI score 5.4
Exploits: 0, References: 3, Affected software: 1
OSV
added 2026/05/26 11:38 p.m., 4 views

GHSA-9RFG-V8G9-9367 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet. Summary An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify...

CVSS 7, AI score 5.4
Exploits: 0, References: 3
OSV
added 2026/05/12 7:58 a.m., 2 views

SUSE-SU-2026:1818-1 Security update for python39

This update for python39 fixes the following issues: Security issues fixed: - CVE-2026-1502: HTTP client proxy tunnel headers not validated for CR/LF (bsc#1261969). - CVE-2026-3446: base64 decoding stops at first padded quad by default and ignores other information that could be processed (bsc#1261970)...

CVSS 9.1, AI score 6.7, EPSS 0.00137
Exploits: 1, References: 14
Cvelist
added 2026/05/08 2:21 p.m., 28 views

CVE-2026-43386 staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie

In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie The current code checks 'i + 5 < in_len' at the end of the if statement. However, it accesses 'in_ie[i + 5]' before that check, which can lead to an out-of-bounds...

EPSS 0.00015
Exploits: 0, References: 8
Oracle linux
added 2026/01/21 12:00 a.m., 8 views

golang security update

1.25.5-1 - Update to Go 1.25.5 fips-1 1.25.3-5 - gating.yaml: Add tier1 s390x tests 1.25.3-4 - Cleanup lib/ ownership - Remove legacy logic forcing lib/ into golang-tests - Move lib/wasm, lib/fips140, and lib/time to main golang package - Fixes go_js_wasm_exec availability 1.25.3-3 - plans/tier0.fmf...

CVSS 7.5, AI score 5.4, EPSS 0.00019
Exploits: 2
OSV
added 2025/12/16 2:15 p.m., 0 views

UBUNTU-CVE-2025-68205

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/hdmi: Fix breakage at probing nvhdmi-mcp driver After restructuring and splitting the HDMI codec driver code, each HDMI codec driver contains its own build_controls and build_pcms ops. A copy-n-paste error put the wrong...

AI score 5.7, EPSS 0.00026
Exploits: 0, References: 10
Spring Engineering
added 2025/04/04 12:00 a.m., 8 views

Using Spring AI 1.0.0-SNAPSHOT: Part 2 - Important Changes and Updates

Using Spring AI 1.0.0-SNAPSHOT: Part 2 - Important Changes and Updates This blog post is a continuation of our previous article Using Spring AI 1.0.0-SNAPSHOT: Important Changes and Updates, where we introduced the significant changes to artifact IDs, dependency management, and autoconfiguration ...

AI score 7.1
Exploits: 0
OSV
added 2025/03/12 9:42 a.m., 7 views

CVE-2025-21846 acct: perform last write from workqueue

In the Linux kernel, the following vulnerability has been resolved: acct: perform last write from workqueue In [1] it was reported that the acct(2) system call can be used to trigger a NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g., happen when...

CVSS 5.5, AI score 6.2, EPSS 0.00017
Exploits: 0, References: 13
NVD
added 2024/05/20 10:15 a.m., 13 views

CVE-2024-35994

In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: uefisecapp: Fix memory related IO errors and crashes It turns out that while the QSEECOM APP_SEND command has specific fields for request and response buffers, uefisecapp expects them both to be in a single memory...

CVSS 5.5, AI score 6.7, EPSS 0.00018
Exploits: 0, References: 2
Rapid7 Blog
added 2023/08/08 8:05 p.m., 18 views

A Message from Rapid7 CEO, Corey Thomas

Earlier today, the following email was shared with Rapid7 employees. Team, As we accelerate our delivery of the leading security operations solution and service platform experience to customers, we have determined it is necessary to restructure our operations, including the difficult decision to...

AI score 6.6
Exploits: 0
Code423n4
added 2023/04/19 12:00 a.m., 6 views

votes[to] mapping anchor time not adjusted correctly in Equity.adjustRecipientVoteAnchor() can lead to unexpected results

Lines of code Vulnerability details H-01 votes[to] mapping anchor time not adjusted correctly in Equity.adjustRecipientVoteAnchor() can lead to unexpected results Proof of Concept Equity.sol#L161 function adjustRecipientVoteAnchor(address to, uint256 amount) internal returns (uint256) { if (to != address(0x0)...

AI score 6.6
Exploits: 0
Code423n4
added 2023/04/19 12:00 a.m., 7 views

Equity.restructureCapTable only restructures one address at a time

Lines of code Vulnerability details Equity.restructureCapTable allows qualified FPS holders to restructure the system, that is: burning shares of other holders that did not participate in putting equity above water. File: Equity.sol 309: function restructureCapTable(address[] calldata helpers, addre...

AI score 6.6
Exploits: 0
ThreatPost
added 2022/08/26 4:44 p.m., 111 views

Ransomware Attacks are on the Rise

After a recent dip, ransomware attacks are back on the rise. According to data released by NCC Group, the resurgence is being led by old ransomware-as-a-service (RaaS) groups. With data gathered by "actively monitoring the leak sites used by each ransomware group and scraping victim details as they...

AI score 6.8
Exploits: 0, References: 2
OSV
added 2022/06/20 7:21 a.m., 5 views

OPENSUSE-SU-2022:10016-1 Security update for firejail

This update for firejail fixes the following issues: firejail was updated to version 0.9.70: - CVE-2022-31214 - root escalation in --join logic (boo#1199148) Reported by Matthias Gerstner, working exploit code was provided to our development team. In the same time frame, the problem was independentl...

CVSS 7.8, AI score 8, EPSS 0.0007
Exploits: 0, References: 3
Code423n4
added 2022/05/28 12:00 a.m., 12 views

rewardsVestingWallet is never initialized

Lines of code Vulnerability details Impact rewardsVestingWallet in BathToken is never initialized thus release will never happen: /// @notice Address of the OZ Vesting Wallet which acts as means to vest bonusToken incentives to pool HODLers IBathBuddy public rewardsVestingWallet; When calling...

AI score 6.9
Exploits: 0
Code423n4
added 2021/10/06 12:00 a.m., 8 views

Creating the same market shouldn't be possible

Handle: 0xsanson Vulnerability details Impact Only an admin can create a market by calling MarketPlace.createMarket. With the current implementation, it's possible to create another market with the same underlying u and maturity m. Doing so would rewrite markets[u][m] with a new ZcToken and...

AI score 7.1
Exploits: 0
Information Security Automation
added 2020/01/12 10:53 a.m., 31 views

IT Security in The New Pope

Lol, IT security is everywhere. Even in the first episode of the "The New Pope" TV series (the sequel of "The Young Pope", 2016), some monks change credentials in the Vatican's IT systems under cover of night. This happened after, well, some unexpected changes in the corporate culture and organizational...

AI score 7.2
Exploits: 0
pentestit
added 2019/12/26 10:53 p.m., 43 views

UPDATE: MITRE CALDERA 2.4.0

MITRE CALDERA 2.4.0 is now available! It has been just four months since the release of MITRE CALDERA 2.3.0. As you remember, this awesome adversary emulation system was listed in my older post titled List of Adversary Emulation Tools. This release has a lot of new features, breaking and...

AI score 1.8
Exploits: 0