Unlocking Internet Security: A Comedy of Threats and Trusty Handlers
Join Johannes Ullrich at the Internet Storm Center where threat levels are as green as your favorite salad. Dive into Application Security this July in Washington and arm yourself with the skills to secure web apps, APIs, and microservices. Don’t miss the chance to laugh at vulnerabilities and learn with the pros!
AWS Amplify Studio Bug: When Code Generation Turns Into Code Detonation!
AWS Amplify Studio’s amplify-codegen-ui had a hiccup with input validation. A user could execute arbitrary JavaScript, potentially turning your app into a digital circus. The fix? Upgrade to version 2.20.3 and ensure your code is as patched as your favorite quilt. Stay secure, folks!
Vulnerability Alert: Langflow’s Missing Authentication Bug Puts Cybersecurity on Edge!
CISA has added a new vulnerability, CVE-2025-3248, to its Known Exploited Vulnerabilities Catalog. This Langflow Missing Authentication Vulnerability is a hacker’s delight, posing risks to federal systems. While the directive targets federal agencies, CISA advises all organizations to tackle these vulnerabilities promptly to fend off cyber shenanigans.
Decode Dino: Crack the Stegosaurus Message Mystery!
Unleash your inner cryptographer with Didier Stevens’ GitHub project challenge. Decode a secret message hidden in a PNG image of a stegosaurus using steganography tools. If you’re stuck, don’t worry; a hint awaits in ROT13. Get ready to test your skills and solve the puzzle before the solution drops next Saturday!
CISA’s Latest Headache: Two New Vulnerabilities Join the Exploit Hall of Shame!
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog. These vulnerabilities, including the CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability, are prime targets for cyberattacks. Agencies are urged to prioritize their remediation to avoid the dreaded “Oops! We got hacked” moment.
AI Attack Comedy: When “Agentic” Becomes Agent-Tickling!
Agentic applications are embracing AI agents to autonomously collect data and take actions—like that one friend who always knows what you need before you do! But as these AI agents strut their stuff in the real world, security implications take center stage. This article dives into nine attack scenarios that could leave your data exposed…
Vulnerability Alert: CISA’s New Additions to the Cybersecurity Hall of Shame!
CISA has added CVE-2024-38475 and CVE-2023-44221 to its Known Exploited Vulnerabilities Catalog. These vulnerabilities are like uninvited guests at a party—nobody wants them, but they still manage to cause chaos. Prioritize their eviction to protect your network from cyber shenanigans!
MicroDicom’s DICOM Viewer Vulnerabilities: A Comedy of Errors with Out-of-Bounds Exploits!
MicroDicom’s DICOM Viewer might just be the ultimate party crasher in your system with vulnerabilities like out-of-bounds write and read. While it won’t bring chips and dip, it could allow attackers to execute arbitrary code and cause memory corruption. Update now to avoid any uninvited guests!
KUNBUS Revolution Pi Security Snafu: Bypass Bonanza with Remote Exploits!
KUNBUS Revolution Pi is under siege! With vulnerabilities offering attackers a VIP pass to bypass authentication, execute malicious server-side includes, and more, it’s time to batten down the digital hatches. Update to PiCtory 2.12 and remember, even in cyberspace, it’s better to be safe than hacked!
CISA Alert: Industrial Control Systems Vulnerabilities Unleashed!
CISA released two ICS advisories on May 1, 2025, spilling the beans on security issues and vulnerabilities. It’s like receiving a gossip column—only this time, it’s about Industrial Control Systems.
Microsoft’s NTLM Hash Spoofing: From “Not Severe Enough” to CVE Fame in Just 7 Years!
Microsoft NTLM Hash Disclosure Spoofing, reported in 2018, was initially dismissed. Fast forward seven years, and voilà—it’s finally recognized as a security flaw, now with its own CVE-2025-24054. A classic tale of “better late than never,” proving that sometimes even tech giants need a nudge (or a seven-year nap).
Daikin Disaster: Security Gateway Password Reset Vulnerability Exposed!
The Daikin Security Gateway 214 has a vulnerability that allows remote password reset. An unauthenticated attacker can exploit an IDOR flaw, resetting system credentials back to the default Daikin:Daikin combo. This opens the gateway to unauthorized access and potential compromise of connected devices.
Windows XRM-MS Files: The Trustworthy-Looking NTLM Hash Leak You Didn’t See Coming!
Discover how an .xrm-ms file can serve as a Trojan horse, making NTLM Hash Disclosure as easy as pie. With just a click, these files prompt an outbound connection to a hacker’s domain, leaking NTLM hashes faster than you can say “Windows vulnerability.” Spoiler alert: Not even Outlook sees it coming.
ZTE Router RCE: When Your Router Goes Rogue!
Breaking news: ZTE ZXV10 H201L routers are giving hackers a free backstage pass to your network! Thanks to an authentication bypass, remote code execution is now easier than pie. So, if your router starts ordering pizza without your consent, don’t be surprised! Just another day in the world of tech exploits.
Steganography Secrets: Extracting Hidden Files with a Smile!
If you’ve been wondering how to decode a hidden message in your vacation photos, pngdump.py might not be the hero you need. But fear not! format-bytes.py is here to save the day, extracting individual bits faster than you can say “steganography.” Get ready for a byte-sized adventure in digital sleuthing!
Microsoft Windows Vulnerability: NTLM Hash Hijinks in Disguise!
Beware the .xrm-ms file! It’s like the Trojan horse of NTLM hash disclosure, sneaking in through your Microsoft browsers and leaving your network security having an existential crisis. Just remember: user interaction is required—so maybe think twice before clicking that suspicious file attachment.
Unzip-Stream 0.3.1: When Your Files Take a Surprise Vacation – CVE-2024-42471 Unwrapped!
In the world of unzip-stream 0.3.1, arbitrary file write is less a feature and more a comedic plot twist. Just one zip and you’ll be rewriting files like a deranged novelist with CVE-2024-42471 as your trusty pen name. Remember, always back up your files—or your punchlines—before attempting this at home!
Internet Storm Center: Keeping Calm in the Cyber Tempest!
Join the Internet Storm Center’s comedic ride as Guy Bruneau keeps the threat level at green—an IT equivalent of a “no news is good news” kind of day. Risk-averse? Register for the Application Security class in San Diego for a crash course in securing web apps, APIs, and microservices!
SonicWall Zero-Day Vulnerability: The Daily Drama of Cyber Intrusions
SonicWall’s zero-day vulnerabilities are like the gift that keeps on giving—except no one wants it. After a year of lurking in obscurity, reports are now pouring in like confetti at a surprise party you didn’t RSVP to. Hold onto your firewalls, folks; this cyber-shindig is just getting started!
SAP Security Snafu: New Vulnerability Joins CISA’s Exploited Hall of Fame!
CISA adds CVE-2025-31324 to its Known Exploited Vulnerabilities Catalog, spotlighting SAP NetWeaver’s Unrestricted File Upload Vulnerability. This is a cybercriminal’s dream buffet, urging FCEB agencies to patch up pronto. Remember, timely remediation is key unless you want to end up as the punchline of a hacker’s joke!