CVE-2026-40028 Hayabusa < 3.8.0 XSS via JSON Log Import
Hayabusa versions prior to 3.8.0 contain a cross-site scripting (XSS) vulnerability in the HTML report output that allows an attacker to execute arbitrary JavaScript when a user scans JSON-exported logs containing malicious content in the Computer field. An attacker can inject JavaScript into the...
CVE-2026-33140
PySpector is a static analysis security testing (SAST) framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored cross-site scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing...
CVE-2026-2621 Sciyon Koyuan Thermoelectricity Heat Network Management System AsyncTreeProxy.aspx SQL injection
A security vulnerability has been detected in Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0. This affects an unknown part of the file /SISReport/WebReport20/Proxy/AsyncTreeProxy.aspx. The manipulation of the argument PGUID leads to SQL injection. The attack can be initiated...
PT-2026-20339
Name of the Vulnerable Software and Affected Versions: Sciyon Koyuan Thermoelectricity Heat Network Management System version 3.0. Description: A security issue exists in Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0. The manipulation of the PGUID argument in the file...
GHSA-8HF7-H89P-3PQJ MobSF has Stored XSS via Manifest Analysis - Dialer Code Host Field
Summary: A stored cross-site scripting (XSS) vulnerability in MobSF's Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session by uploading a malicious APK. The android:host attribute from elements is rendered in HTML reports without...
CVE-2023-25912
The webreport generation feature in the Danfoss AK-EM100 allows an unauthorized actor to generate a web report that discloses sensitive information such as the internal IP address, usernames and internal device values...
A week in security (December 15 – December 21)
Last week on Malwarebytes Labs: CISA warns ASUS Live Update backdoor is still exploitable, seven years on; The ghosts of WhatsApp: How GhostPairing hijacks accounts; Chrome extension slurps up AI chats after users installed it for privacy; Two Chrome flaws could be triggered by simply browsing the...
Google is discontinuing its dark web report: why it matters
Google has announced that early next year they are discontinuing the dark web report, which was meant to monitor breach data that’s circulating on the dark web. The news raised some eyebrows, but Google says it’s ending the feature because feedback showed the reports didn’t provide “helpful next...
EUVD-2023-29801
Malicious code in bioql PyPI...
EUVD-2023-29800
Malicious code in bioql PyPI...
EUVD-2023-23342
Malicious code in bioql PyPI...
EUVD-2023-43737
Malicious code in bioql PyPI...
EUVD-2023-23341
Malicious code in bioql PyPI...
CVE-2023-25913
Because of an authentication flaw an attacker would be capable of generating a web report that discloses sensitive information such as internal IP addresses, usernames, store names and other sensitive information...
CVE-2022-25256
SAS Web Report Studio 4.4 allows XSS. /SASWebReportStudio/logonAndRender.do has two parameters: saspfsrequestbacklabellist and saspfsrequestbackurllist. The first one affects the content of the button placed in the top left. The second affects the page to which the user is directed after pressing...
whapa security vulnerability
Whapa is a WhatsApp parser toolset by the individual developer Ivan Moreno. A security vulnerability exists in whapa version v1.59: the HTML reporting component is vulnerable to command injection via a carefully crafted filename...
Google Adds Passkeys to Advanced Protection Program for High-Risk Users
Google on Wednesday announced that it's making passkeys available for high-risk users to enroll in its Advanced Protection Program (APP). "Users traditionally needed a physical security key for APP — now they can choose a passkey to secure their account," Shuvo Chatterjee, product lead of APP, said...
FactoMineR FactoInvestigate Cross-Site Scripting Vulnerability
FactoMineR FactoInvestigate is an open source package from FactoMineR. A cross-site scripting vulnerability exists in FactoMineR FactoInvestigate 1.9 and earlier versions; it originates in the HTML Report Generator component, which causes cross-site scripting...