More than 46,000 internet-facing Grafana instances remain unpatched and exposed to a client-side open redirect vulnerability that allows executing a malicious plugin and account takeover.
The flaw is tracked as CVE-2025-4123 and impacts multiple versions of the open-source platform used for monitoring and visualizing infrastructure and application metrics.
The vulnerability was discovered by bug bounty hunter Alvaro Balada and was addressed in security updates that Grafana Labs released on May 21.
In April 2024, I discovered a high-severity vulnerability in Visual Studio Code (VS Code <= 1.89.1) that allows attackers to escalate a Cross-Site Scripting (XSS) bug into full Remote Code Execution (RCE)—even in Restricted Mode.
The desktop version of Visual Studio Code runs on Electron. Renderer processes are sandboxed and communicate with the main process through Electron’s IPC mechanism.
An XSS vulnerability in the newly-introduced minimal error rendering mode for Jupyter notebooks enables arbitrary JavaScript code to be executed within the vscode-app WebView for the notebook renderer. The vulnerability can be triggered by opening a crafted .ipynb file if the user has the setting enabled, or by opening a folder containing a crafted settings.json file in VS Code and opening a malicious ipynb file within the folder. This vulnerability can be triggered even when Restricted Mode is enabled (which is the default for workspaces that have not been explicitly trusted by the user).
In this post, we’ll walk through how the bug works and how it bypasses VS Code’s Restricted Mode.
Threat actors have been exploiting a vulnerability in the Roundcube Webmail client to target government organizations in the Commonwealth of Independent States (CIS) region, the successor of the former Soviet Union.
A novel command execution technique dubbed 'GrimResource' uses specially crafted MSC (Microsoft Saved Console) and an unpatched Windows XSS flaw to perform code execution via the Microsoft Management Console.
We have observed active exploitation attempts targeting three high-severity CVEs: CVE-2024-2194, CVE-2023-6961, and CVE-2023-40000.
Joomla maintainers have addressed multiple flaws in the popular content management system (CMS) that can lead to execute arbitrary code
Insikt Group has observed TAG-70 leveraging cross-site scripting (XSS) vulnerabilities against Roundcube webmail servers in Europe, targeting government, military, and national infrastructure.
TAG’s discovery of a 0-day exploit used to steal email data from international government organizations.
The Winter Vivern Russian hacking group has been exploiting a Roundcube Webmail zero-day since at least October 11 to attack European government entities and think tanks.
ESET Research discover campaigns by the Winter Vivern APT group that exploit a zero-day XSS vulnerability in the Roundcube Webmail server and target governmental entities and a think tank in Europe.
The Sonar Research team discovered critical code vulnerabilities in Proton Mail, Skiff and Tutanota. This post covers the technical details of the XSS vulnerability in Proton Mail.
Microsoft addressed two XSS vulnerabilities in Azure Bastion and Azure Container Registry (ACR) leading to unauthorized access to sessions.
The Wordfence Threat Intelligence team has been monitoring an increase in attacks targeting a Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites. The vulnerability, which was fully patched in January in version 2.10.2, offers unauthenticated attackers the ability to add malicious JavaScript to a website, potentially allowing ...Read More
The time for attackers to respond to known vulnerabilities is shrinking. See an example of an attacker using sample code.
The Akamai Security Intelligence Group (SIG) has been analyzing attack attempt activity following the announcement of a critical vulnerability in a WordPress custom fields plug-in affecting more than 2 million sites.
Exploiting this vulnerability could lead to a reflected cross-site scripting (XSS) attack, in which malicious code is injected into a victim site and pushed to its visitors.
On May 4, 2023, the WP Engine team announced the security fix in version 6.1.6, including sample exploit code as a proof of concept (PoC).
Starting on May 6, less than 48 hours after the announcement, the SIG observed significant attack attempt activity, scanning for vulnerable sites using the sample code provided in the technical write-up.
This highlights that the response time for attackers is rapidly decreasing, increasing the need for vigorous and prompt patch management.
Rafie Muhammad (Patchstack) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Advanced Custom Fields PRO Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 6.1.6.
On Thursday, the Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server, 29 of the bugs being zero-days still waiting to be patched.
Cross-Site Scripting (XSS) is a well-known vulnerability that has been around for a long time and can be used to steal sessions, create fake logins and carry out actions as someone else, etc.
In addition, many users are unaware of the potential dangers associated with their browser’s credential autofill feature. This attack vector is not new, but it is unknown to many people and as we investigated further we found that the dangers were extensive. In this post, the GoSecure Titan Labs team will demonstrate that using a browser password manager with autofill could expose your credentials in a web application vulnerable to XSS.
