XSS
-
Researchers find flaw that could let websites inject prompts into Anthropic’s Claude Chrome extension
Researchers disclosed a flaw called ShadowPrompt in Anthropic’s Claude Chrome extension that combined an overly permissive origin allowlist and a DOM-based XSS in an Arkose Labs CAPTCHA, allowing websites to inject prompts; Anthropic and Arkose issued fixes in December 2025 and February 2026.
-
XSS flaw in StealC control panel exposed sessions and millions of cookies
An XSS flaw in the StealC control panel let outsiders harvest system fingerprints, active sessions and cookies. Researchers recovered over 5,000 logs with about 390,000 passwords and more than 30 million cookies.
-
Fortinet, Ivanti and SAP issue urgent patches for critical authentication and code execution flaws
Fortinet, Ivanti and SAP released urgent security updates for multiple critical flaws, including authentication bypass and remote code execution bugs; administrators are urged to apply patches and temporary mitigations promptly.
-
CISA adds OpenPLC ScadaBR XSS flaw to Known Exploited Vulnerabilities list amid active attacks
CISA added CVE-2021-26829, a cross-site scripting flaw in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation tied to a hacktivist operation; Forescout and VulnCheck reported related intrusions and a sustained OAST-driven exploit campaign.
-
Microsoft to block unauthorized scripts on Entra ID sign-ins with CSP update
Microsoft will change the Content Security Policy for browser-based Entra ID sign-ins at login.microsoftonline.com to block unauthorized scripts and allow only trusted Microsoft domains, with a global rollout beginning mid-to-late October 2026; organisations are asked to test sign-in flows and avoid tools that inject code.
-
Zimbra zero-day reportedly used to target Brazilian military, report says
A stored cross-site scripting flaw in Zimbra Collaboration (CVE-2025-27915) was exploited in attacks that targeted the Brazilian military using malicious ICS calendar files, a StrikeReady Labs report said; Zimbra issued patches in January 2025.
-
Adobe Issues Major Security Patch Addressing 254 Vulnerabilities in Software Products
Adobe has released updates addressing 254 vulnerabilities, including major flaws in the Experience Manager (AEM) with implications for arbitrary code execution and privilege escalation, urging users to update to safeguard their systems.
-
Critical XSS Vulnerability in Zimbra Collaboration Suite Exploited by Hackers
A critical XSS vulnerability (CVE-2024-27443) has been discovered in Zimbra’s CalendarInvite feature, exploited by the Sednit hacking group. Users are urged to patch their systems urgently.
-
Russian Hackers Exploit Old Vulnerabilities to Target Global Mail Servers
Security firm ESET reports that hackers, likely linked to the Russian government, have exploited long-standing cross-site scripting vulnerabilities to breach multiple high-value mail servers globally, with significant implications for defense contractors in Eastern Europe.
-
Exploration of Security Vulnerabilities: How Minor Weaknesses Can Lead to Major Breaches
A recent report highlights how minor security vulnerabilities can significantly escalate into major breaches. An analysis by Intruder illustrates cases of SSFR, SQL injection, XSS, and API exploitation, revealing the need for robust security practices.
