
New Wave of AiTM Phishing Targets TikTok for Business

Push Security has uncovered a new AiTM phishing campaign targeting TikTok for Business accounts using Google and TikTok themed login pages - Read more

TeamPCP Targets Telnyx Package in Latest PyPI Software Supply Chain Attack

Socket and Endor Labs discovered a new TeamPCP campaign leading to the delivery of credential-stealing malware - Read more

Langflow – Path Traversal Arbitrary File Write via upload_user_file

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../'). Joshua Martinelle Fri, 03/27/2026 - 10:51 - Read more

Langflow – Stored XSS via Malicious SVG Upload

The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG files with the 'image/svg+xml' content type without sanitizing their content. Since SVG files can contain embedded JavaScript, an attacker can upload a malicious SVG that executes arbitrary JavaScript when viewed by other users, leading to stored cross-site scripting (XSS). This allows stealing authentication tokens stored in cookies,...

Langflow – Application Logs Exposed to All Authenticated Users

The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_user') without any privilege checks (e.g., 'is_superuser'). Joshua Martinelle Fri, 03/27/2026 - 10:37 - Read more

Langflow – Missing Authorization on download_image endpoint

The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name. Joshua Martinelle Fri, 03/27/2026 - 10:29 - Read more

Why CVSS is No Longer Enough for Exposure Management

For years, cybersecurity professionals have relied on a familiar metric to dictate their day-to-day priorities: the Common Vulnerability Scoring System (CVSS). In today’s hyper-connected, sprawling IT environments, utilizing a static severity score as the ultimate arbiter of risk creates opportunities for threat actors. While defenders chase down theoretical, high-scoring alerts, adversaries are quietly targeting the truly exploitable, business-critical exposures...

Botpress – Credential Disclosure via Twilio Webhook Handler

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization' header. An attacker can forge a webhook payload pointing to their own server and receive the victim's 'accountSID'...

AI Upgrades, Security Breaches, and Industry Shifts Define This Week in Tech

See what you missed in Daily Tech Insider from March 23–27. The post AI Upgrades, Security Breaches, and Industry Shifts Define This Week in Tech appeared first on TechRepublic. - Read more

Google Issues High-Risk Security Patch for 3.5 Billion Chrome Users: What You Need to Know

Google patches eight high-severity Chrome vulnerabilities affecting 3.5 billion users. Here’s why you should update and relaunch your browser now. The post Google Issues High-Risk Security Patch for 3.5 Billion Chrome Users: What You Need to Know appeared first on TechRepublic. - Read more

Latest article

GreatXML zero-day BitLocker bypass doesn’t seem to work, yet

A disgruntled researcher who has been publishing zero-day Microsoft Windows vulnerabilities for the past several months released a new exploit...

New Windows Zero-Day Claims BitLocker Bypass Amid Microsoft Disclosure Fight

A new Windows zero-day reportedly bypasses BitLocker, adding pressure on Microsoft as researchers debate the exploit’s real-world impact. The post New Windows Zero-Day Claims BitLocker...

Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks

One of the most persistent hacking groups in the world has found a new way to stay hidden. The threat actor known as...

Ransomware Payment Crypto Laundering Platform Taken Out by FBI and Europol

Domain of dark web money laundering platform AudiA6 seized and suspects arrested in joint operation by the FBI, Europol and others - Read...