An encoding flaw in Apache HTTP Server’s mod_proxy can let crafted requests slip past intended authentication checks and reach backend services, potentially exposing protected resources — operators should treat this as an urgent configuration and patch-management issue and update affected...
A deceptively small parsing flaw in the popular Python WSGI utility library Werkzeug can be turned into a powerful denial-of-service weapon: specially crafted multipart/form-data uploads that start with a carriage return (CR) or line feed (LF), followed by megabytes of data without additional...
CVE-2023-39319 is a real, exploitable weakness in Go’s html/template package that can allow a carefully crafted input to defeat the package’s escaping rules inside <script> contexts and open the door to reflected or stored cross-site scripting (XSS); Microsoft’s public advisory identifies Azure...
AI browsers promise to compress research, shopping and complex workflows into a single conversational surface — but they also expand the web’s attack surface, upend traffic economics, and demand far more cautious deployment than traditional browsers ever did.
The web has spent three...
A short, suspicious instruction — “How To Fix Windows 11 Update Error Please Click The Following Post (rZNeVvHpL2) — Leaders.com.tn” — paired with a buried FCKeditor connector URL that points at n1.trustgo.top is not the sort of thing any Windows user should click without stopping to inspect it...
When a Bloomberg article returned a terse “Please make sure your browser supports JavaScript and cookies…” interstitial instead of the story you expected, the message was not a random browser wobble — it was an intentional anti‑bot and security measure deployed by the publisher (and by the edge...
Windows PowerShell 5.1 now stops and asks for confirmation before it will parse web pages in a way that could execute scripts found in that content — a safety-first change that will affect interactive use and any automation that previously relied on the old, IE‑backed HTML DOM parsing behavior...
The disclosure of CVE-2021-23445 exposes a subtle but consequential Cross‑Site Scripting (XSS) weakness in the popular DataTables library: versions of datatables.net prior to 1.11.3 fail to escape array contents passed into the HTML escape routine, allowing unescaped HTML/JavaScript to reach a...
A silent boundary-check mistake in a widely used networking library has resurfaced a familiar security lesson: small parsing errors in C can still bite large ecosystems. In September 2025 the curl project disclosed CVE-2025-9086, an out-of-bounds read in cookie path handling inside libcurl that...
CISA’s addition of CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) Catalog escalates a maximum-severity remote code execution risk in React Server Components into an operational emergency for federal networks and a critical remediation priority for every organization that hosts...
The Werkzeug safe_join vulnerability tracked as CVE-2025-66221 lets Windows-only special device names (for example, CON, AUX, NUL, COMx, LPTx) slip past path validation and be treated like ordinary files — a behavior that allowed web endpoints using send_from_directory to open a device path and...
Nearly three decades after it first put a blue “e” on the map, Microsoft retired the Internet Explorer desktop application in mid‑2022 and redirected its legacy responsibilities into Microsoft Edge — a strategic and technical decision driven as much by modern web standards, security, and...
A newly cataloged security feature bypass in ASP.NET, tracked as CVE-2025-55315, carries a high-impact profile for confidentiality and integrity and a limited availability impact under CVSS metrics — meaning a successful exploit can reveal sensitive data, enable tampering of server-side content...
When your browser responds with “The requested URL was rejected. Please consult with your administrator,” the message is rarely a mysterious, unsolvable fault — it most often signals a deliberate refusal by an intermediary (browser profile, proxy, firewall, CDN, or web application firewall) to...
Mozilla’s decision to keep Firefox 115 ESR alive for older machines is the latest twist in a multi-stage, pragmatic approach to supporting users who remain on end-of-life operating systems — the Extended Support Release for Firefox 115 will now be maintained for Windows 7, Windows 8/8.1 and...
Chrome’s September security update closes a high-severity use-after-free vulnerability in the V8 JavaScript engine — tracked as CVE-2025-9864 — that could allow an attacker to corrupt memory and potentially achieve remote code execution through a crafted web page, and administrators of...
Palo Alto Networks has pushed a clear marker in the SASE arms race with the launch of Prisma SASE 4.0, a major platform refresh that explicitly frames the next phase of enterprise security as AI versus AI — protecting organizations not only from AI-augmented attackers, but from the uncontrolled...
CISA’s latest update to the Known Exploited Vulnerabilities (KEV) Catalog adds three actively exploited flaws — a Linux kernel TOCTOU race condition, an Android Runtime issue, and a high‑impact Sitecore deserialization vulnerability — forcing organizations that track KEV and federal agencies...
ESET Research has uncovered a previously undocumented threat actor it calls GhostRedirector, which in June 2025 was found to have compromised at least 65 Windows servers across multiple countries and deployed two custom tools — a C++ backdoor named Rungan and a native IIS module named Gamshen...
Microsoft Edge's experimental Scareware Blocker is graduating from a single-user popup interrupter to a broader, system-strengthening feature that can block scam sites and — in the Canary channel — optionally share detected scam links and classifications with Microsoft’s Defender SmartScreen...