The Hacker News

Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website

Claude extension flaw enabled silent prompt injection via XSS and weak allowlist, risking data theft and impersonation until ...
Bleeping Computer

Undisclosed Apache Velocity XSS vulnerability impacts GOV sites

An undisclosed Cross-Site Scripting (XSS) vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA and NOAA. Although 90 days ...
Searchenginejournal.com

Elementor WordPress Contact Form Plugin Vulnerability Exposes Up To 200,000 Sites

The United States National Vulnerability Database published an advisory of an XSS vulnerability affecting the popular Metform Elementor Contact Form Builder, which exposes over 200,000 active installs ...
Dark Reading

Cross-Site Scripting Errors Continue to Be Most Common Web App Flaw

Cross-site scripting (XSS) errors that allow attackers to inject malicious code into otherwise benign websites continue to be the most common web application vulnerability across organizations. Bug ...
Dark Reading

Microsoft Azure HDInsight Plagued With XSS Vulnerabilities

Microsoft, already under scrutiny for its cloud security practices, recently patched as many as eight severe vulnerabilities in various Apache services in Azure HDInsight — the software giant's ...
WeLiveSecurity

Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers

ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group began exploiting a zero-day XSS ...