OWASP, XSS, SQLi & Web Application Security · 41 Artikel
How CVE volume, known-exploited counts and time-to-exploit all changed shape across the LLM build-out and why defenders are now on the wrong side of the clock. In 2018 the world published about 18,000 CVEs and the average vulnerability took roughly two months to get exploited after it went public....
A flaw in the Google Cloud Vertex AI SDK for Python let an attacker with no access to a victim's project hijack the victim's machine learning model upload and run code inside Google's serving infrastructure. Palo Alto Networks Unit 42, which found and reported the bug through Google's bug bounty...
The security findings that end up in incident post-mortems rarely looked dangerous in the PR that introduced them. Not because anyone was careless but because there's nothing in the change that looks wrong. The code does exactly what it says but the problem is in how the app behaves once it's...
Bug bounty research inadvertently led organizations to believe they were being breached through their ServiceNow instances.
Microsoft has patched an actively exploited Exchange Server vulnerability that allows threat actors to execute arbitrary JavaScript code in cross-site scripting (XSS) attacks targeting Outlook Web Access users. [...]
Anthropic's Mythos is accelerating vulnerability discovery to machine speed, forcing the bug bounty industry and offensive security teams to adapt to a future where finding flaws is no longer the hard part. The post Will AI Kill the Bug Bounty Industry? appeared first on SecurityWeek.
CVE Lite CLI is a free, open-source command line tool that scans your projects in seconds and tells you exactly which included packages contain a vulnerability. The post OWASP Incubator Project Helps Developers Find and Fix Vulnerable Dependencies in Seconds appeared first on SecurityWeek.
Our first engineering post covered prompt caching, the infrastructure change that made long-running agentic tasks economically viable. That post assumed a multi-step, multi-agent system already existed. It did not exist on day one. When we started building Neo, the product was a single agent with a...
New article: “Responsible Disclosure in the Age of AI: A Call for Urgent Action,” by Melissa Hathaway. Abstract: Artificial intelligence is fundamentally reshaping the balance between vulnerability discovery and remediation. Frontier AI models are now capable of autonomously identifying exploitable...
CubeCart < 6.7.0 - Reflected Cross-Site Scripting (XSS) (Unauthenticated)
DockSec, an OWASP incubator project, correlates findings from multiple container security scanners and uses AI to generate plain-English remediation guidance and exact Dockerfile fixes. The post Open Source DockSec Uses AI to Cut Through Vulnerability Noise in Docker Images appeared first on...
Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. Tracked as CVE-2026-20223 (CVSS score: 10.0), the vulnerability arises from insufficient validation and authentication when...
Most AI security tooling shipped over the last year focuses on one of two workflows, code review at PR time or zero-day research in open-source software. Models in PR pipelines now flag insecure patterns at every commit and autonomous research runs have produced more zero-days across open-source...
Insufficient validation and authentication in the Secure Workload’s REST APIs provide remote attackers with Site Admin privileges. The post Cisco Patches Critical Vulnerability in Secure Workload appeared first on SecurityWeek.
CVE-2026-42897 stems from a cross-site scripting (XSS) vulnerability and can allow an attacker to compromise Outlook Web Access (OWA) mailboxes.
On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users. [...]
"Se c'è un proiettile in canna e premi il grilletto, sparerà". È questo l'ultimo consiglio dato da ChatGpt a Phoenix Ikner, appena quattro minuti prima di compiere una strage alla Florida State University lo scorso anno. Nella sparatoria co ... (https://incidentdatabase.ai/cite/1487#7284)
OpenAI, la società proprietaria del software di intelligenza artificiale ChatGPT, ha fatto sapere che lo scorso giugno aveva valutato se segnalare alla polizia canadese Jesse Van Rootselaar, la persona di 18 anni che l'11 febbraio ha ucciso ... (https://incidentdatabase.ai/cite/1375#7247)
An enterprise with a long-running public bug bounty shipped a major release. Weeks later, a critical SQL injection surfaced in an authenticated reporting path. More than ten thousand PII records and clear-text card data were reachable via crafted queries. The vulnerable code sat behind role checks...
Two releases shipped this cycle - v10.4.2 (April 15) and v10.4.3 (May 5) - delivering deep KEV coverage, a major push into AI/LLM attack surface, fresh Perforce visibility, and broad quality improvements across the template library. 🚀 April Stats Release New Templates CVEs Added First-time...
Rough Monday. Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One...
The malware framework targets web applications and cloud environments, including AWS, Docker, Kubernetes, and more. The post ‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials appeared first on SecurityWeek.
Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)
deephas 1.0.7 - Prototype Pollution
HAX CMS 24.x - Stored Cross-Site Scripting (XSS)
Neue Forschung von ProjectDiscovery zeigt, dass die Entwicklung mit KI-Assistenten beschleunigt wird, während sich Sicherheitspraktiker überfordert fühlen. Die Anzahl und Größe der Codeänderungen wächst schneller als die Kapazität der Sicherheitsteams, um diese zu überprüfen. Entwickler sollten sicherstellen, dass AI-Generierte Codesicherheit integriert ist, indem sie regelmäßige Sicherheitsprüfungen durchführen und spezifische Richtlinien für KI-basierte Codegenerierung einsetzen.
Neo, ein Sicherheitstool, hat 33 oder mehr echte CVEs in Open-Quell-Projekten identifiziert und sich bei weißschleusiger Sicherheitsprüfung als fähig erwiesen. Nun wurde gezeigt, dass Neo auch als Black-Box-DAST-Agent effektiv arbeitet, indem es nur mit einer URL operiert und keine Quelldateien oder Architekturinformationen benötigt. Entwickler sollten Neo für externe Angriffsszenarien ohne Zugriff auf interne Systemdetails einsetzen.
Davis Franklin aus einer Webinaraufzeichnung betonte den Unterschied zwischen der Erkennung von Sicherheitslücken mit Hilfe eines LLM und dem Betreiben eines ausgereiften Sicherheitssystems. Die Plattform Neo soll diesen Unterschied überbrücken, indem sie eine funktionsfähige Prototypenentwicklung ermöglicht, die innerhalb von 30 Minuten realisiert werden kann und echte Schwachstellen findet. Nutzer sollten jedoch bedenken, dass ein vollständiges Sicherheitsprogramm mehr als nur einen einfachen DIY-Ansatz erfordert.