Google's AI assistant Gemini is vulnerable to ASCII smuggling, a well-documented attack method that could trick it into providing users with fake information, alter the model's behavior, and silently poison its data.
Is anyone else using the EUVD as a supplemental data feed? We added support to the SOOS platform earlier this year when there were concerns over the fate of the NVD. Earlier today we started noticing a large number of EUVD Ids being updated with a new description and all linking to a newly created GHSA. The GHSA was published yesterday: https://github.com/advisories/GHSA-293c-r3p4-g63r It appears as if the update to EUVD is targeting older Ids first. The update always seems to be the same, add...
FreePBX is a popular PBX system built around the open source VoIP system Asterisk. To manage Asterisk more easily, it provides a capable web-based admin interface. Sadly, like so many web applications, it has had its share of vulnerabilities in the past. Most recently, a SQL injection vulnerability was found that allows attackers to modify the database.
Google's DeepMind division on Monday announced an artificial intelligence (AI)-powered agent called CodeMender that automatically detects, patches, and rewrites vulnerable code to prevent future exploits. The efforts add to the company's ongoing efforts to improve AI-powered vulnerability discovery, such as Big Sleep and OSS-Fuzz. DeepMind said the AI agent is designed to be both reactive and
The ClamAV 1.5.0 is now available. You may find the source code and installers for this release at clamav.net/downloads or on the ClamAV GitHub release page . IMPORTANT : A major feature of the 1.5 release is a FIPS-mode compatible method for verifying the authenticity of CVD signature database archives and CDIFF signature database patch files. This feature relies on " . cvd.sign " signature files for the daily, main, and bytecode databases. The Freshclam with 1.5.0 will download these files as...
This week, Google has launched an AI Vulnerability Reward Program dedicated to security researchers who find and report flaws in the company's AI systems.
submitted by /u/intuentis0x0 [link] [comments]
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog , based on evidence of active exploitation. CVE-2025-27915 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog...
CISA released two Industrial Control Systems (ICS) advisories on October 7, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-280-01 Delta Electronics DIAScreen ICSA-25-226-31 Rockwell Automation 1756-EN4TR, 1756-EN4TRXT (Update B) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.8 ATTENTION : Low attack complexity Vendor : Delta Electronics Equipment : DIAScreen Vulnerabilities : Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to write data outside of the allocated memory buffer. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Delta Electronics DIAScreen are affected: DIAScreen: Version 1.6.0 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1...
A critical deserialization flaw in GoAnywhere MFT's License Servlet, tracked as CVE-2025-10035, has already been weaponized by the Storm-1175 group to execute the Medusa ransomware. The vulnerability affects GoAnywhere MFT versions up to 7.8.3. It resides in the License Servlet Admin Console, where a threat actor can forge a license response signature and bypass validation
Elastic has released a security advisory detailing a medium-severity vulnerability in the Kibana CrowdStrike Connector that could allow for the exposure of sensitive credentials. The flaw, tracked as CVE-2025-37728, affects multiple versions of Kibana and could allow a malicious user to access cached CrowdStrike credentials from other users within the same environment. The vulnerability underscores
im trying to find a Open-source vulnerability management software that would be suggested for large scale environments. i dont really have many requirements but im just looking for options.. currently looking at rapid7 but looking for more flexibility. submitted by /u/Worried-Ad250 [link] [comments]
Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances. The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0. "An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free,
CISA has issued an urgent security advisory, adding Microsoft Windows privilege escalation vulnerability CVE-2021-43226 to its Known Exploited Vulnerabilities (KEV) catalog on October 6, 2025. The vulnerability affects the Microsoft Windows Common Log File System (CLFS) Driver and poses significant security risks to enterprise environments. The CVE-2021-43226 vulnerability resides within Microsoft's Common Log File System
A new command injection vulnerability in OpenSSH, tracked as CVE-2025-61984, has been disclosed, which could allow an attacker to achieve remote code execution on a victim's machine. The vulnerability is a bypass of a previous fix for a similar issue (CVE-2023-51385) and exploits how the ProxyCommand feature interacts with the underlying system shell when handling
Oracle has issued an emergency security alert for a critical zero-day vulnerability (CVE-2025-61882) in its E-Business Suite after the notorious Cl0p ransomware group began extorting customers who failed to patch their systems. The vulnerability, carrying a maximum CVSS score of 9.8, affects the Business Intelligence Publisher (BI Publisher) Integration component and enables remote code execution
I recently joined a 6 year old SaaS that has had poor operational posture but now aiming to mature/scale. Happily, we have removed old/legacy GitHub repos. Almost nothing is documented so to the best of the team's knowledge what is left is production code. We run GHAS (Advanced Security) and surface 900 Criticals (CVSS 9+) plus thousands more less severe issues. The team is micro. No dedicated security staff yet. Coming from more mature environments 900+ is overwhelming and hard to triage but...
CrowdStrike on Monday said it's attributing the exploitation of a recently disclosed security flaw in Oracle E-Business Suite with moderate confidence to a threat actor it tracks as Graceful Spider (aka Cl0p), and that the first known exploitation occurred on August 9, 2025. The exploitation involves the exploitation of CVE-2025-61882 (CVSS score: 9.8), a critical vulnerability that facilitates
I am inheriting a somewhat mature appsec team and red team. I'm coming from a Security Engineering and Automation manager role in the same department and am very technical in the space. I am not technical in AppSec or Development but I am good with Vulnerability Management. While shadowing some calls, I have found myself struggling to keep up in report readouts and calls where a team is disagreeing with a finding. Without becoming a full blown pentester, although I have started with hackthebox,...