#sql-injection

[ follow ]
#denial-of-service #cybersecurity #seo-fraud #ghostredirector #rungan #gamshen #django-security
fromDjango Project
2 days ago

Recent trends in the work of the Django Security Team

We also patched two potential denial-of-service vulnerabilities when handling large, malformed inputs. One exploits inefficient string concatenation in header parsing under ASGI ( CVE 2025-14550). Concatenating strings in a loop is known to be slow, and we've done fixes in public where the impact is low. The other one ( CVE 2026-1285) exploits deeply nested entities. December's vulnerability in the XML serializer ( CVE 2025-64460) was about those very two themes.
Web frameworks
Information security
fromSecurityWeek
2 days ago

Vulnerabilities Allowed Full Compromise of Google Looker Instances

Two Looker vulnerabilities (LookOut) allow attackers with developer permissions to achieve remote code execution, full administrative access, data exfiltration, and potential cross-tenant access.
Web frameworks
fromDjango Project
3 days ago

Django security releases issued: 6.0.2, 5.2.11, and 4.2.28

Upgrade Django 6.0.2, 5.2.11, or 4.2.28 immediately to mitigate multiple vulnerabilities including SQL injection, denial-of-service, timing attacks, and alias injection.
fromThe Hacker News
1 month ago

FreePBX Patches Critical SQLi, File-Upload, and AUTHTYPE Bypass Flaws Enabling RCE

CVE-2025-61675 (CVSS score: 8.6) - Numerous authenticated SQL injection vulnerabilities impacting four unique endpoints (basestation, model, firmware, and custom extension) and 11 affected parameters that enable read and write access to the underlying SQL database CVE-2025-61678 (CVSS score: 8.6) - An authenticated arbitrary file upload vulnerability that allows an attacker to exploit the firmware upload endpoint to upload a PHP web shell after obtaining a valid PHPSESSID and run arbitrary commands to leak the contents of sensitive files (e.g., "/etc/passwd")
Information security
Information security
fromComputerWeekly.com
1 month ago

NCSC warns of confusion over true nature of AI prompt injection | Computer Weekly

Prompt injection attacks against LLMs differ from SQL injection and may be harder to mitigate, increasing risks of data leaks, disinformation, and malicious guidance.
Information security
fromTheregister
5 months ago

New China-aligned crew poisons Windows servers for SEO fraud

GhostRedirector used novel malware to compromise at least 65 Windows servers worldwide to manipulate Google search rankings for gambling sites.
Information security
fromThe Hacker News
5 months ago

GhostRedirector Hacks 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module

GhostRedirector compromises Windows servers to deploy Rungan backdoor and Gamshen IIS module, enabling SEO fraud by manipulating Googlebot responses and executing commands via SQL injection.
Mobile UX
fromArs Technica
7 months ago

Provider of covert surveillance app spills passwords for 62,000 users

A significant security breach exposed sensitive data of 62,000 users due to vulnerabilities in the Catwatchful app.
fromTheregister
7 months ago

Anthropic won't fix a bug in its SQLite MCP server

Anthropic's decision to leave the SQL injection vulnerability unpatched perpetuates a significant security threat to AI agents that depend on their SQLite Model Context Protocol.
Artificial intelligence
Tech industry
fromThe Hacker News
8 months ago

China-Linked Hackers Exploit SAP and SQL Server Flaws in Attacks Across Asia and Brazil

A China-linked threat actor is exploiting critical SAP NetWeaver vulnerabilities against organizations in Asia and Brazil since 2023.
The threat actor targets SQL injection vulnerabilities to infiltrate organizations.
[ Load more ]