Dex: Token-exchange endpoint is missing AllowedConnectors enforcement

Summary server/handlers.go::handleTokenExchange lines 1804-1893 does not call isConnectorAllowedclient.AllowedConnectors, connID before issuing tokens, while sibling handlers do. This is a per-client connector ACL gap on the token-exchange endpoint; the redirect-flow paths enforce the same field...

CVE-2025-12624

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security...

EUVD-2026-28897

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full...

Arcane Vulnerable to Unauthenticated Disclosure of Custom Compose Template Content (incl. `.env` secrets)

Summary Four GET endpoints under /api/templates in Arcane's Huma backend are registered without any Security requirement, allowing any unauthenticated network client to list and read the full Compose YAML and .env content of every custom template stored in the instance. Because Arcane's UI expose...

Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass

Summary All 9 comment panel admin endpoints /api/panel/comments/ are missing RequireScopes middleware, while every other admin endpoint in the application enforces scope-based authorization on access tokens. An admin-issued access token scoped to minimal permissions e.g., echo:read only can perfo...

Exploit for Incorrect Default Permissions in Amazon Amplify_Cli

skycenter Attack Chain Security Analysis Engine for AWS, Azure...

Why Unmonitored JavaScript Is Your Biggest Holiday Security Risk

Think your WAF has you covered? Think again. This holiday season, unmonitored JavaScript is a critical oversight allowing attackers to steal payment data while your WAF and intrusion detection systems see nothing. With the 2025 shopping season weeks away, visibility gaps must close now. Get the...

EUVD-2017-6488

Malware in sbrugna...

EUVD-2024-48332

Malicious code in bioql PyPI...

Beware the Hidden Risk in Your Entra Environment

If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk. A gap in access control in Microsoft Entra's subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full...

ash_authentication_phoenix has Insufficient Session Expiration

Impact Session tokens remain valid on the server after user logout, creating a security gap where: - Compromised tokens via XSS, network interception, or device theft continue to work even after the user logs out - The sessions stored in the database still expire, limiting the duration during whi...

CVE-2024-7401

Netskope was notified about a security gap in Netskope Client enrollment process where NSClient is using a static token “Orgkey” as authentication parameter. Since this is a static token, if leaked, cannot be rotated or revoked. A malicious actor can use this token to enroll NSClient from a...

CVE-2024-7401 Client Enrollment Process Bypass

Netskope was notified about a security gap in Netskope Client enrollment process where NSClient is using a static token “Orgkey” as authentication parameter. Since this is a static token, if leaked, cannot be rotated or revoked. A malicious actor can use this token to enroll NSClient from a...

CVE-2024-7401 Client Enrollment Process Bypass

Netskope was notified about a security gap in Netskope Client enrollment process where NSClient is using a static token “Orgkey” as authentication parameter. Since this is a static token, if leaked, cannot be rotated or revoked. A malicious actor can use this token to enroll NSClient from a...

CVE-2024-7401

CVE-2024-7401 affects Netskope Client enrollment: NSClient uses a static OrgKey token as authentication parameter, which cannot be rotated if leaked. Root cause is the static token in the enrollment flow; impact is impersonation by enrolling NSClient from a customer tenant. Public fix details are...

Design/Logic Flaw

It was found that all versions of 3Scale developer portal lacked brute force protections. An attacker could use this gap to bypass login controls, and access privileged information, or possibly conduct further attacks...

Don't Risk Getting Caught by Kr3pto Phishing Kits

Akamai's threat research team recently published a report showing that a new phishing toolkit named Kr3pto was targeting UK banking customers. A phishing kit is an all-in-one software package that lets just about anyone create and launch phishing attacks designed to steal user data by posing as a...

CVE-2021-23005

On all 7.x and 6.x versions fixed in 8.0.0, when using a Quorum device for BIG-IQ high availability HA for automatic failover, BIG-IQ does not make use of Transport Layer Security TLS with the Corosync protocol. Note: Software versions which have reached End of Software Development EoSD are not...

SMB Cybersecurity Catching Up to Enterprise… But the Human Element Still a Major Concern

Cyberattacks on small to medium-sized businesses SMBs are continuing at a relentless pace, with the vast majority of data breaches coming from outside the organization. Some believe hackers are aggressively targeting these smaller firms because they believe SMBs lack adequate resources and...

Real-Time Phishing Protections

In my previous blogs, I wrote about how phishing is no longer just an email problem, how the industrialization of phishing is being driven by the easy availability and low cost of phishing toolkits, and how current phishing defenses are being bypassed by attackers. In this post, I'm going to...