CVE-2026-49102

Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type e.g., text/plain...

CVE-2026-49102

Webmin before 2.640 allows mailboxes/detach.cgi XSS via an SVG document attachment that is viewed in the mailboxes component, because image/svg+xml is used instead of a safe type e.g., text/plain...

Amazon Linux 2 : soci-snapshotter, --advisory ALAS2DOCKER-2026-123 (ALASDOCKER-2026-123)

The version of soci-snapshotter installed on the remote host is prior to 0.13.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2026-123 advisory. When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C...

Cross-site Scripting (XSS)

Overview @ckeditor/ckeditor5-engine is a The editing engine of CKEditor 5 – the best browser-based rich text editor. Affected versions of this package are vulnerable to Cross-site Scripting XSS via its unsafe htmlSupport configuration. An attacker can execute unauthorized JavaScript in the editor...

Cross-site Scripting (XSS)

Overview @ckeditor/ckeditor5-html-support is a HTML Support feature for CKEditor 5. Affected versions of this package are vulnerable to Cross-site Scripting XSS via its unsafe htmlSupport configuration. An attacker can execute unauthorized JavaScript in the editor context by inserting specially...

How safe are kids using social media? We did the groundwork

When researchers created an account for a child under 13 on Roblox, they expected heavy guardrails. Instead, they found that the platform’s search features still allowed kids to discover communities linked to fraud and other illicit activity. The discoveries spotlight the question that lawmakers...

CVE-2025-42620 CSRF vulnerability in CIRCL Vulnerability-Lookup

In affected versions, vulnerability-lookup handled user-controlled content in comments and bundles in an unsafe way, which could lead to stored Cross-Site Scripting XSS. On the backend, the relatedvulnerabilities field of bundles accepted arbitrary strings without format validation or proper...

The hidden costs of illegal streaming and modded Amazon Fire TV Sticks

Ahead of the holiday season, people who have bought cheap Amazon Fire TV Sticks or similar devices online should be aware that some of them could let cybercriminals access personal data, bank accounts, and even steal money. BeStreamWise, a UK initiative established to counter illegal streaming,...

Millions of (very) private chats exposed by two AI companion apps

Cybernews discovered how two AI companion apps, Chattee Chat and GiMe Chat, exposed millions of intimate conversations from over 400,000 users. This is not the first time we have to write about AI "girlfriends" exposing their secrets—and it probably won't be the last. This latest incident is a...

EUVD-2023-2845

Malicious code in bioql PyPI...

PLA: Prompt Learning Attack against Text-To-Image Generative Models

Text-to-Image T2I models have gained widespread adoption across various applications. Despite the success, the potential misuse of T2I models poses significant risks of generating Not-Safe-For-Work NSFW content. To investigate the vulnerability of T2I models, this paper delves into adversarial...

SAGE: Exploring the Boundaries of Unsafe Concept Domain with Semantic-Augment Erasing

Diffusion models DMs have achieved significant progress in text-to-image generation. However, the inevitable inclusion of sensitive information during pre-training poses safety risks, such as unsafe content generation and copyright infringement. Concept erasing finetunes weights to unlearn...

CVE-2023-22735

Zulip is an open-source team collaboration tool. In versions of zulip prior to commit 2f6c5a8 but after commit 04cf68b users could upload files with arbitrary Content-Type which would be served from the Zulip hostname with Content-Disposition: inline and no Content-Security-Policy header, allowin...

Practical Reasoning Interruption Attacks on Reasoning Large Language Models

Reasoning large language models RLLMs have demonstrated outstanding performance across a variety of tasks, yet they also expose numerous security vulnerabilities. Most of these vulnerabilities have centered on the generation of unsafe content. However, recent work has identified a distinct...

Amazon Linux 2023 : ansible-core, ansible-test (ALAS2023-2025-860)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-860 advisory. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote...

Amazon Linux 2023 : ansible-core, ansible-test (ALAS2023-2025-820)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-820 advisory. 2025-02-12: CVE-2024-11079 was removed from this advisory. 2025-02-12: The severity of this advisory has been changed from medium to low. Tenable has extracted the preceding description block directly...

ansible-core: Unsafe Tagging Bypass via hostvars Object in Ansible-Core

A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playboo...

Arbitrary Code Execution

Ansible-Core is vulnerable to Arbitrary Code Execution. The vulnerability is due to attackers bypassing unsafe content protections by using the hostvars object to reference and execute templated content, potentially leading to code execution if remote data or module outputs are improperly templat...

SUSE CVE-2024-11079

A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playboo...

CVE-2024-11079

A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playboo...