Oops—even old #RCE can come back and bite you. Call of Duty: WWII (2017) exploited soon after it gets new life on Game Pass, and the RCE used to harass players; had to be pulled offline to investigate and hopefully repair. Remember this next time someone tells you "we don't.

Data leaking #MCP Server, tricking IDE's into showing malicious extensions as verified, and a #DoS in #nextjs — #LastWeekInAppSec.. #AppSec #vulnerability #AI #Cybersecurity

You’ve probably seen EchoLeak (CVE-2025-32711) making the rounds. But if you build or secure AI-powered features, don’t just scroll past it. This was a zero-click, full-chain exploit against Copilot — and a case study in why traditional AppSec isn’t enough for LLMs. Dive deeper

🚨#CVE-2025-4981 CRITICAL (CVSS=9.9): #Mattermost versions up to 10.5.5, 9.11.15, 10.8.0, 10.7.2, and 10.6.5 are vulnerable to arbitrary file write via path traversal in the archive extractor. Authenticated users can achieve #RCE by uploading malicious archives. This is enabled

🚨#CVE-2025-1793: Multiple vector store integrations in #AI library llama_index, versions prior to 0.12.28 are vulnerable to SQL injection. Attackers can read and write data from/to any of the affected vector stores by using SQL, potentially leading to unauthorized access to the

Worried about missing our longer-form content in the sea of social media? You can subscribe to updates by email (without any fear of getting hit with marketing emails); go to and click the envelope icon to subscribe to updates!.

RT @Checkmarx: "@CheckmarxZero uncovered two malicious campaigns targeting Python & #npm users looking for the popular #Colorama and #Color….

Colorama campaign may be multiple threat actors: ultimate attribution is unclear at the moment. There seems to have been an attempt to leverage confusion on an NPM package `colorizr`, but within the PyPI ecosystem -- this is unusual. Behavior patterns are consistent with a.

We uncovered a #SoftwareSupplyChain attack targeting users of #Python `colorama` package through #NameConfusion (similarly-named packages). #Malware for Windows and Linux has moderate stealth features and create persistent remote access for attackers. Affected packages no longer.

🚨#CVE-2025-41232: #SpringSecurity versions 6.4.0 through 6.4.5 may not correctly locate method security annotations on private methods, leading to Authorization bypass. Your application may be affected if you're using @EnableMethodSecurity(mode=ASPECTJ), spring-security-aspects,

🚨 #CVE-2025-47277 (#CVSS=9.8, #EPSS=0.05%): #Python #LLM inference and serving module 'vLLM' versions 0.6.5 through 0.8.4 are vulnerable to Remote Code Execution (#RCE) via unsafe deserialization in the PyNcclPipe service. Attackers can exploit this #vulnerability to execute.

#CVE-2025-4641 CRITICAL (CVSS=9.3)… or is it? Java #WebDriverManager for #Selenium has an #XXE vuln, but as a dev tool, it's unlikely you're using it where an adversary could exploit it. It's still a good idea to update to at least 6.0.2, but probably #DontPanic.

🚨#CVE-2025-4664: Chrome vulnerability prior to 136.0.7103.113 allows attackers to leak cross-origin data via the img tag src attribute. When Chrome loads these attacker-controlled image URLs, the endpoint returns Link headers with 'unsafe-url' referrer-policy, causing a referer.

Python #PEP770 has been accepted, which means there's now a standard way to include #SBOM documents in #Python packages. This is great news, but there's also some care required whether you produce or consume PEP-770 compatible packages. Learn more about it from Checkmarx Zero:.

This #Langflow vulnerability is getting some new attention because it appeared in the #KEV (Known Exploited #vulnerability); if you aren't patched yet, you'll probably want to accelerate that.

🚨 Critical #RCE (#CVE-2025-32444) in #vLLM Python package, versions 0.6.5 through 0.8.4. Unsafe deserialization over exposed ZeroMQ sockets when using vLLM with #Mooncake. Vulnerable sockets listening on all interfaces make it easier to attack. Update to 0.8.5 ASAP to protect.

"43% of disclosed cloud-infrastructure secrets are Google Cloud API keys" (2025 #DBIR). Sounds about right. That's why our Too Many Secrets (2MS) free and #opensource tool detects those in code, chats, etc. And it safely checks to see if they're currently active so you don't.

fortunately this site is now clearly marked as a joke, and flagged by the major safe browsing tools. But it wasn’t earlier and we’re not sure whether to laugh or cry… #phishing #security #training

Critical #CVE-2025-30215 in #NATSio Server—common for #IoT and distributed cloud-native platforms. Exploit of #vulnerable API leads to product outages, sensitive data leaks, and reputation damage. Update to 2.10.27 / 2.11.1 immediately! See for detail.