Two critical vulnerabilities, CVE-2025-41248 and CVE-2025-41249, have emerged in Spring Security and Spring Framework that could allow attackers to bypass authorization controls in enterprise applications.  These flaws arise when using Spring Security’s @EnableMethodSecurity feature in conjunction with method-level annotations such as @PreAuthorize and @PostAuthorize.  In applications where service interfaces or abstract base classes employ unbounded […] The post Spring Framework Security Flaws Enable Authorization Bypass and Annotation Detection Issues appeared first on Cyber Security News.

A 0-Click Linux Kernel KSMBD RCE Exploit From N-Day Vulnerabilities, achieving remote code execution on a two-year-out-of-date Linux 6.1.45 instance running the kernelspace SMB3 daemon, ksmbd.  By chaining two authenticated N-day flaws, CVE-2023-52440 and CVE-2023-4130, the exploit attains an unauthenticated SLUB overflow and an out-of-bounds heap read primitive, culminating in a user-mode helper invocation and reverse shell […] The post 0-Click Linux Kernel KSMBD RCE Exploit From N-Day Vulnerabilities appeared first on Cyber Security News.

A new Rowhammer attack variant named Phoenix can bypass the latest protections in modern DDR5 memory chips, researchers have revealed. The attack is the first to demonstrate a practical privilege escalation exploit on a commodity system equipped with DDR5 RAM, undermining the assumption that these newer memory modules were immune to such threats. Rowhammer is […] The post New Phoenix Rowhammer Attack Variant Bypasses Protection With DDR5 Chips appeared first on Cyber Security News.

A high-severity vulnerability was identified in LangChainGo, the Go implementation of the popular LLM orchestration framework LangChain.  Tracked as CVE-2025-9556, this flaw allows unauthenticated attackers to perform arbitrary file reads through maliciously crafted prompt templates, effectively exposing sensitive server files without requiring direct system access. Key Takeaways1. CVE-2025-9556, Jinja2 prompt injection enables arbitrary file reads.2. […] The post Critical LangChainGo Vulnerability Let Attackers Access Sensitive Files by Injecting Malicious Prompts appeared first on Cyber Security News.

A critical vulnerability affecting FlowiseAI’s Flowise platform has been disclosed, revealing a severe authentication bypass flaw that allows attackers to perform complete account takeovers with minimal effort.  The vulnerability tracked as CVE-2025-58434 impacts both cloud deployments at cloud.flowiseai.com and self-hosted installations, making it a widespread security concern for organizations using this AI agent-building platform. Key […] The post FlowiseAI Password Reset Token Vulnerability Allows Account Takeover appeared first on Cyber Security News.

A newly introduced feature in ChatGPT that allows it to connect with personal data applications can be exploited by attackers to exfiltrate private information from a user’s email account. The attack requires only the victim’s email address and leverages a malicious calendar invitation to hijack the AI agent. On Wednesday, OpenAI announced that ChatGPT would […] The post ChatGPT’s New Support for MCP Tools Let Attackers Exfiltrate All Private Details From Email appeared first on Cyber Security News.