-
A critical security vulnerability has been discovered in the Angular framework that could allow attackers to steal sensitive user security tokens. The vulnerability, tracked as CVE-2025-66035, affects the Angular HttpClient and involves the accidental leakage of Cross-Site Request Forgery (XSRF) tokens. Angular applications use a built-in protection mechanism to prevent Cross-Site Request Forgery (CSRF) attacks. Angular HTTP Client […] The post Angular HTTP Client Vulnerability Exposes XSRF Token to an Attacker-Controlled Domain appeared first on Cyber Security News.
-
A threat actor operating under the alias ResearcherX has posted what they claim to be a full‑chain zero‑day exploit targeting Apple’s recently released iOS 26 operating system. The listing, which appeared on a prominent dark web marketplace, alleges that the exploit leverages a critical memory‑corruption vulnerability within the iOS Message Parser. If proven genuine, this […] The post Threat Actors Allegedly Listed iOS 26 Full‑Chain 0‑Day Exploit on Dark Web appeared first on Cyber Security News.
-
A newly discovered critical vulnerability in the Next.js framework allows attackers to crash self-hosted servers using a single HTTP request, requiring negligible resources to execute. Discovered by researchers at Harmony Intelligence, the denial-of-service (DoS) flaw affects widespread versions of the framework, including the latest 15.x branch prior to the patch. The vulnerability resides in the […] The post New Unauthenticated DoS Vulnerability Crashes Next.js Servers with a Single Request appeared first on Cyber Security News.
-
A significant issue has been disclosed that affects multiple versions of the Apache Syncope identity and access management platform. The flaw stems from a hardcoded default encryption key used for password storage, allowing attackers with database access to recover plaintext passwords. The vulnerability impacts Apache Syncope when configured to store user passwords in the internal database with […] The post Apache Syncope Vulnerability Allows Attacker to Access Internal Database Content appeared first on Cyber Security News.
-
A critical security flaw has been discovered in HashiCorp’s Vault Terraform Provider that could allow attackers to bypass authentication and access Vault without valid credentials. The vulnerability, tracked as CVE-2025-13357, affects organizations using LDAP authentication with Vault. The security issue stems from an incorrect default configuration in Vault’s Terraform Provider. Specifically, the provider set the deny_null_bind parameter […] The post HashiCorp Vault Vulnerability Allow Attackers to Authenticate to Vault Without Valid Credentials appeared first on Cyber Security News.
-
A critical remote code execution (RCE) vulnerability has been found in Microsoft’s Update Health Tools (KB4023057), a widely deployed Windows component designed to expedite security updates through Intune. The flaw stems from the tool connecting to dropped Azure Blob storage accounts that attackers could register and control. How the Vulnerability Works: the vulnerability exists in version 1.0 of the Update […] The post Microsoft’s Update Health Tools Configuration Vulnerability Let Attackers Execute Arbitrary Code Remotely appeared first on Cyber Security News.
-
NVIDIA has disclosed two critical code injection vulnerabilities affecting its Isaac-GR00T robotics platform. The vulnerabilities, tracked as CVE-2025-33183 and CVE-2025-33184, exist within Python components and could allow authenticated attackers to execute arbitrary code, escalate privileges, and alter system data. The flaws pose a significant threat to organizations deploying NVIDIA’s robotics solutions across industrial automation, research […] The post NVIDIA’s Isaac-GROOT Robotics Platform Vulnerability Let Attackers Inject Malicious Codes appeared first on Cyber Security News.
-
A proof-of-concept exploit has been publicly released for CVE-2025-9501, a critical, unauthenticated command-injection vulnerability affecting W3 Total Cache, one of WordPress’s most widely deployed caching plugins. With over 1 million active installations, the vulnerability poses a significant risk to countless websites worldwide. RCE Security discovered that the flaw exists in W3 Total Cache’s dynamic content […] The post PoC released for W3 Total Cache Vulnerability that Exposes 1+ Million Websites to RCE Attacks appeared first on Cyber Security News.
-
Tenda N300 wireless routers and 4G03 Pro portable LTE devices face severe security threats from multiple command injection vulnerabilities that allow attackers to execute arbitrary commands with root privileges. The affected devices currently lack vendor patches, leaving users vulnerable. The vulnerabilities stem from improper handling of user input within critical service functions on these Tenda […] The post Tenda N300 Vulnerabilities Let Attacker to Execute Arbitrary Commands as Root User appeared first on Cyber Security News.
-
A concerning vulnerability has been identified in DeepSeek-R1, a Chinese-developed artificial intelligence coding assistant. When the AI model encounters politically sensitive topics related to the Chinese Communist Party, it produces code with severe security flaws at rates up to 50% higher than usual. Released in January 2025 by Chinese AI startup DeepSeek, the R1 model initially appeared comparable […] The post DeepSeek-R1 Makes Code for Prompts With Severe Security Vulnerabilities appeared first on Cyber Security News.