
Checkmarx Zero (@CheckmarxZero)
Followers: 194 | Following: 18 | Media: 110 | Statuses: 236
Bio: Working to Keep the Open Source Ecosystem Safe https://t.co/3yB6kPHV9B
Joined April 2022
Oops—even old #RCE can come back and bite you. Call of Duty: WWII (2017) exploited soon after it gets new life on Game Pass, and the RCE used to harass players; had to be pulled offline to investigate and hopefully repair. Remember this next time someone tells you "we don't.
Data leaking #MCP Server, tricking IDEs into showing malicious extensions as verified, and a #DoS in #nextjs — #LastWeekInAppSec. #AppSec #vulnerability #AI #Cybersecurity
🚨#CVE-2025-4981 CRITICAL (CVSS=9.9): #Mattermost versions up to 10.5.5, 9.11.15, 10.8.0, 10.7.2, and 10.6.5 are vulnerable to arbitrary file write via path traversal in the archive extractor. Authenticated users can achieve #RCE by uploading malicious archives. This is enabled
RT @Checkmarx: "@CheckmarxZero uncovered two malicious campaigns targeting Python & #npm users looking for the popular #Colorama and #Color….
We uncovered a #SoftwareSupplyChain attack targeting users of the #Python `colorama` package through #NameConfusion (similarly-named packages). #Malware for Windows and Linux has moderate stealth features and creates persistent remote access for attackers. Affected packages no longer.
🚨#CVE-2025-41232: #SpringSecurity versions 6.4.0 through 6.4.5 may not correctly locate method security annotations on private methods, leading to Authorization bypass. Your application may be affected if you're using @EnableMethodSecurity(mode=ASPECTJ), spring-security-aspects,
#CVE-2025-4641 CRITICAL (CVSS=9.3)… or is it? Java #WebDriverManager for #Selenium has an #XXE vuln, but as a dev tool, it's unlikely you're using it where an adversary could exploit it. It's still a good idea to update to at least 6.0.2, but probably #DontPanic.
🚨#CVE-2025-4664: Chrome vulnerability prior to 136.0.7103.113 allows attackers to leak cross-origin data via the img tag src attribute. When Chrome loads these attacker-controlled image URLs, the endpoint returns Link headers with 'unsafe-url' referrer-policy, causing a referer.
This #Langflow vulnerability is getting some new attention because it appeared in the #KEV (Known Exploited #vulnerability); if you aren't patched yet, you'll probably want to accelerate that.
Using #Langflow? CRITICAL VULN (#CVE-2025-3248 with CVSS v3 = 9.8) in this low-code developer tool for rapid creation of #AI agents allows adversaries to execute arbitrary code thanks to missing authentication from an #API endpoint. Update to 1.3.0 or newer!
"43% of disclosed cloud-infrastructure secrets are Google Cloud API keys" (2025 #DBIR). Sounds about right. That's why our Too Many Secrets (2MS) free and #opensource tool detects those in code, chats, etc. And it safely checks to see if they're currently active so you don't.
Critical #CVE-2025-30215 in #NATSio Server—common for #IoT and distributed cloud-native platforms. Exploit of #vulnerable API leads to product outages, sensitive data leaks, and reputation damage. Update to 2.10.27 / 2.11.1 immediately! See for detail.