Mário Teixeira (@stealth_r00t)'s Twitter Profile
Mário Teixeira

@stealth_r00t

"But we are hackers, and hackers have black terminals with green font colors!"

ID: 1305830094284484610

15-09-2020 11:28:06

168 Tweets

25 Followers

58 Following

Mário Teixeira (@stealth_r00t)

Do you think someday we'll need to explain to kids that things in the past had to be activated by pressing a button? #future #Technology #curiosity

Mário Teixeira (@stealth_r00t)

Last Friday, I had the opportunity to talk about CVSSv4 at #LASCON. It was awesome being there, and even more awesome speaking to such an engaged audience! 🙌 #AppSec #CVE #CVSS4

Checkmarx Zero (@checkmarxzero)

First observed instance of malware utilizing #Ethereum smart contracts for C2 server address distribution in the #NPM ecosystem. This attack campaign is ongoing, with additional packages connected to the same campaign being continually discovered. Read the full analysis here:

Checkmarx (@checkmarx)

#Symfony reported 8 #CVEs within its ecosystem. CVE-2024-51736 (Windows code execution via hijacked cmd.exe) and CVE-2024-50340 (environment manipulation in PHP) should be prioritized. Update to the latest versions to address these using links in the chat.

Checkmarx Zero (@checkmarxzero)

🚨‼️ Three new vulnerabilities in #ApacheTomcat including a critical authentication bypass (#CVE-2024-52316 - CVSS 9.8) that allows auth bypass through Jakarta Authentication exception handling. Patched versions are Apache Tomcat 11.0.0, 10.1.31, and 9.0.96.

Checkmarx Zero (@checkmarxzero)

🚨 Part 3 of the Hugging Face security saga! FastAI? Vulnerable. Flair? Vulnerable. Your favorite ML library? Probably vulnerable... checkmarx.com/blog/free-hugs… #AISecurity #ML #HuggingFace #opensource #supplychainsecurity

Checkmarx Zero (@checkmarxzero)

🚨 #Django 5.1, 5.0, and 4.2 Affected by SQL Injection in Oracle JSON Operations (CVE-2024-53908) Critical vulnerability discovered in Django's JSON field operations when using Oracle databases. Direct calls to HasKeyLookup are vulnerable to #SQLi when untrusted data is used in

Checkmarx (@checkmarx)

🚨 #CVE-2024-53677: #Apache Struts File Upload logic allows attackers to manipulate the file upload params, enabling path traversal. This can lead to #RCE if malicious files are uploaded. Update to v6.4.0 and migrate to the new file upload mechanism. #AppSec bit.ly/3BBeRN5

Checkmarx Zero (@checkmarxzero)

Hunting is not what we do, it is what we are. However, it is not without challenges. #vulnerability Check out our new blog on vulnerability hunting and its challenges: checkmarx.com/zero-post/unde…

Checkmarx Zero (@checkmarxzero)

🚨 #SecurityAlert: High-severity vulnerability in #OpenSSL (CVE-2024-12797). This flaw affects TLS/DTLS connections using raw public keys, potentially allowing man-in-the-middle attacks. Patches are now available in versions 3.4.1, 3.3.3, and 3.2.4. #CheckmarxZero #appsec

Checkmarx (@checkmarx)

#EPSS is now v4. If you use Checkmarx, you're using it automatically. The updated model has many more high-quality data sources of adversarial indicators and other improvements that make it an even more accurate prediction. #AppSec #CheckmarxSecurity

Checkmarx Zero (@checkmarxzero)

#NextJS CVE-2025-29927 allows an adversary to bypass permissions by “asking nicely”. Polite but devious! Explore with us what makes it a critical #vulnerability checkmarx.com/zero-post/crit…

Checkmarx Zero (@checkmarxzero)

🚨 CRITICAL ALERT: #IngressNightmare - Four critical #RCE vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) in #NGINX Ingress Controller for Kubernetes with #CVSS 9.8 score. This could affect a massive number of environments! bit.ly/4iKWeXG

Checkmarx Zero (@checkmarxzero)

Developers can have good intentions to make code evaluation safe with data scope sandboxes; but with #Python those sandboxes are made of glass — and that can lead to surprise #RCE vulnerabilities in your apps! Alex Shleymovich explains how this works and what you can do to stay

Checkmarx Zero (@checkmarxzero)

Critical #Vulnerability in Apache Parquet (CVE-2025-30065, #CVSS 10.0). Java Library enabling import of big data files allows adversaries to execute arbitrary code by sending malicious data files. devhub.checkmarx.com/cve-details/CV… If you receive Parquet data from untrusted sources, #patch

Checkmarx Zero (@checkmarxzero)

Using #Langflow? CRITICAL VULN (#CVE-2025-3248 with CVSS v3 = 9.8) in this low-code developer tool for rapid creation of #AI agents allows adversaries to execute arbitrary code thanks to missing authentication from an #API endpoint. Update to 1.3.0 or newer!