Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Halo Security Honored with 2025 MSP Today Product of the Year Award

Miami, Florida, 18th June 2025, CyberNewsWire

HackRead
Open in Source
#vulnerability#web#git#intel#jira
GHSA-2hw3-h8qx-hqqp: OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer

XSS via `.py` file containing script tag interpreted as HTML ## Summary A vulnerability exists in the file preview/browsing feature of the application, where files with a `.py` extension that contain JavaScript code wrapped in `<script>` tags may be interpreted and executed as HTML in certain modes. This leads to a stored XSS vulnerability. ## Affected Versions * <= 4.0.0-rc.3 ## PoC Create a `.py` file with arbitrary JavaScript content wrapped in `<script>` tags. For example: ```javascript <script>alert(document.cookie);</script> ``` When a victim views the file in browsing mode (e.g., a rendered preview), the JavaScript is executed in the browser context. --- ## Attack vector An attacker can place such a `.py` file in the system via remote channels, such as: * Convincing a webmaster to download or upload the file; * Tricking users into accessing a file link via public URLs. ## Required permissions * None, if public or visitor access is enabled. * If the file is uploade...

Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System

After an attack on Iran’s Sepah bank, the hyper-aggressive Israel-linked hacker group has now destroyed more than $90 million held at Iranian crypto exchange Nobitex.

Fake bank ads on Instagram scam victims out of money

Several Instagram ads have been found impersonating banks, including the usage of deepfake videos to defraud consumers.

When legitimate tools go rogue

Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders.

Famous Chollima deploying Python version of GolangGhost RAT

Learn how the North Korean-aligned Famous Chollima is using the a new Python-based RAT, "PylangGhost," to target cryptocurrency and blockchain jobseekers in a campaign affecting users primarily in India.

5 riskiest places to get scammed online

These five communication channels are favored by scammers to try and trick victims at least once a week—if not more.

GHSA-2hcm-q3f4-fjgw: OSV-SCALIBR's Container Image Unpacking Vulnerable to Arbitrary File Write via Path Traversal

Arbitrary file write as the OSV-SCALIBR user on the host system via a path traversal vulnerability when using OSV-SCALIBR's unpack() function for container images. Particularly, when using the CLI flag --remote-image on untrusted container images.

Scammers hijack websites of Bank of America, Netflix, Microsoft, and more to insert fake phone number

Scammers are abusing sponsored search results, displaying their scammy phone number on legitimate brand websites.

GHSA-wgc6-9f6w-h8hx: microlight allows a denial of service

A denial of service (DoS) vulnerability has been identified in the JavaScript library microlight version 0.0.7. This library, used for syntax highlighting, does not limit the size of textual content it processes in HTML elements with the microlight class. When excessively large content (e.g., 100 million characters) is processed, the reset function in microlight.js consumes excessive memory and CPU resources, causing browser crashes or unresponsiveness. An attacker can exploit this vulnerability by tricking a user into visiting a malicious web page containing a microlight element with large content, resulting in a denial of service.