Hackers have stolen the personal and contact information belonging to over 29.8 million SoundCloud user accounts after breaching the audio streaming platform's systems. [...]

Posted by Yuffie Kisaragi via Fulldisclosure on Jan 26

Dear Art,

Thank you for sharing your detailed evaluation and for pointing out the relevant
sections of the CNA Rules.

Your argument is well reasoned, particularly with respect to the current
guidance on SaaS and exclusively hosted services.

I have forwarded your evaluation to the CNA for further consideration. It will
also be important to understand the vendor’s perspective in light of the points
you raised, especially regarding the...

Posted by Marco Ermini via Fulldisclosure on Jan 26

Hello everyone,

Kindly let me introduce myself. This is the first – and potentially, last – message on this mailing list. I am Marco,
the CISO of EQS Group. Kindly allow me to address some of the statements expressed publicly here.

About the Convercent application

Convercent was acquired by OneTrust in 2021, and in turn, EQS has acquired it from OneTrust at the end of 2024. Before
being acquired by EQS, the Convercent application has not...

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jan 26

SEC Consult Vulnerability Lab Security Advisory < 20260126-2 >
=======================================================================
title: UART Leaking Sensitive Data
            product: dormakaba registration unit 9002 (PIN pad)
vulnerable version: <SW0039
      fixed version: SW0039
         CVE number: CVE-2025-59109
             impact: medium
homepage:...

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jan 26

SEC Consult Vulnerability Lab Security Advisory < 20260126-1 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: dormakaba Access Manager
vulnerable version: Multiple firmware and hardware revisions (details below)
fixed version: Multiple firmware and hardware revisions (details below)
         CVE number: CVE-2025-59097,...

Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jan 26

SEC Consult Vulnerability Lab Security Advisory < 20260126-0 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: dormakaba Kaba exos 9300
vulnerable version: < 4.4.1
fixed version: 4.4.1
CVE number: CVE-2025-59090, CVE-2025-59091, CVE-2025-59092
CVE-2025-59093, CVE-2025-59094, CVE-2025-59095...

beat-access for Windows provided by FUJIFILM Business Innovation Corp. may insecurely load Dynamic Link Libraries.

Archer MR600 provided by TP-Link Systems Inc. contains an OS command injection vulnerability.

A new malware-as-a-service (MaaS) called 'Stanley' promises malicious Chrome extensions that can clear Google's review process and publish them to the Chrome Web Store. [...]

A new malicious campaign mixes the ClickFix method with fake CAPTCHA and a signed Microsoft Application Virtualization (App-V) script to ultimately deliver the Amatera infostealing malware. [...]

Topic: LangChain Core - Serialization Injection to Jinja2 SSTI/RCE Risk: High Text:# Exploit Title: LangChain Core - Serialization Injection to Jinja2 SSTI/RCE # Date: 2025-12-29 # Exploit Author: Mohammed I...

Topic: LangChain Core - Serialization Injection to Jinja2 SSTI/RCE Risk: High Text:# Exploit Title: LangChain Core - Serialization Injection to Jinja2 SSTI/RCE # Date: 2025-12-29 # Exploit Author: Mohammed I...

Topic: LayerSlider 7.9.5 – Unauthenticated SQL Injection Risk: Low Text:LayerSlider WordPress plugin versions between 7.9.11 and 7.10.0 are affected by an unauthenticated SQL Injection vulnerability....

Microsoft has released emergency security updates to patch a high-severity Office zero-day vulnerability exploited in attacks. [...]

Cloudflare has shared more details about a recent 25-minute Border Gateway Protocol (BGP) route leak affecting IPv6 traffic, which caused measurable congestion, packet loss, and approximately 12 Gbps of dropped traffic. [...]

The European Commission is now investigating whether X properly assessed risks before deploying its Grok artificial intelligence tool, following its use to generate sexually explicit images. [...]

Internet security watchdog Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd server. [...]

Okta misconfigurations can quietly weaken identity security as SaaS environments evolve. Nudge Security shows six Okta security settings teams often overlook and how to fix them. [...]

The defense mechanisms that NPM introduced after the 'Shai-Hulud' supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies. [...]

CISA has flagged a critical VMware vCenter Server vulnerability as actively exploited and ordered U.S. federal agencies to secure their servers within three weeks. [...]