infosecurity-magazine.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-17.
| Date Added | Resource | Excerpt |
|---|---|---|
| 2026-05-17 | Researchers Uncover 10 In-the-Wild Prompt Injection Payloads Targeting AI Agents [AI] | Researchers have discovered 10 prompt injection payloads actively targeting AI agents in the wild. These malicious inputs exploit vulnerabilities in how AI models process prompts, allowing attackers to manipulate their behavior or extract sensitive information. The findings highlight a growing threat to AI security and emphasize the need for robust defenses against such attacks. The article does not state a bug bounty payout amount. |
| 2026-05-14 | Avada Builder Flaws Expose One Million WordPress Sites [SQLi] | Analysis of CVE-2026-4782 and CVE-2026-4798 in Avada Builder, two vulnerabilities affecting nearly one million WordPress sites. The arbitrary file read flaw, CVSS 6.5, allows authenticated subscribers to read sensitive files like wp-config.php via the fusion_section_separator shortcode. The time-based SQL injection, CVSS 7.5, impacts sites with deactivated WooCommerce, exploiting an unescaped product_order parameter. Patches were released in versions 3.15.2 and 3.15.3. |
| 2026-05-05 | Trellix Reveals Unauthorized Access to Source Code [Supply Chain] | Writeup of the Trellix source code breach, highlighting how unauthorized access to security vendor code provides attackers with a roadmap to controls and detections. This incident, linked to a pattern of targeting security vendors and software supply chains, underscores the risks associated with CI/CD gaps and overtrusted build workflows, echoing recent compromises like the Trivy software supply chain attack. |
| 2026-05-01 | Anthropic Rolls Out Claude Security for AI Vulnerability Scanning [AI] | Claude Security, a tool for AI-powered application security scanning, uses Claude Opus 4.7 to reason about code and identify vulnerabilities by understanding component interactions and data flows, rather than relying solely on pattern matching. It offers scheduled and targeted scans, detailed explanations of findings including confidence ratings and severity, and generates patch instructions. Claude Security integrates with existing audit systems and can send results to platforms like Slack and Jira, aiming to reduce false positives through a multi-stage validation pipeline. |
| 2026-04-29 | Malicious npm Dependency Linked to AI Assisted Commit Targets Crypto Wallets [AI, Supply Chain] | Library of malicious npm dependencies linked to AI-assisted commits, specifically @validate-sdk/v2 and the PromptMink campaign, targeting crypto wallets. This North Korean state-sponsored actor, Famous Chollima, employed a layered attack structure with legitimate-seeming Web3 utilities hiding malware payloads, evolving from JavaScript to compiled binaries and Rust across Linux and Windows to exfiltrate sensitive data, system information, project folders, and install SSH keys for persistent access. |
| 2026-04-10 | Critical Vulnerability in Ninja Forms Exposes WordPress Sites [RCE] | Library detailing an arbitrary file upload vulnerability (CVSS 9.8) in Ninja Forms – File Upload Plugin versions up to 3.3.26. This flaw allows unauthenticated attackers to upload malicious files, including PHP scripts, through insufficient file validation and filename manipulation, potentially leading to remote code execution and full website compromise. The vulnerability was discovered by Sélim Lanouar and patched in version 3.3.27. |
| 2026-04-10 | Critical PickleScan Vulnerabilities Expose AI Model Supply Chains [Python] | Writeup of CVE-2025-10155, CVE-2025-10156, and CVE-2025-10157, three critical vulnerabilities in PickleScan. These flaws enable attackers to bypass model scanning safeguards and distribute malicious AI models by exploiting file extension misclassifications, divergent ZIP archive handling between PickleScan and PyTorch, and evasion of dangerous import blacklisting through subclassing. The vulnerabilities, with a CVSS score of 9.3, underscore risks in AI supply chains and highlight the need for layered defenses and safer formats like Safetensors. |
| 2026-04-07 | Fortinet Releases Emergency Patch After FortiClient EMS Bug Is Exploited [RCE] | Writeup of CVE-2026-35616, a critical improper access control vulnerability affecting FortiClient EMS, which has been exploited in the wild, allowing unauthenticated attackers to execute unauthorized code via crafted requests. This follows the discovery and exploitation of another critical flaw, CVE-2026-21643, an SQL injection vulnerability in the same platform, highlighting the significant risks associated with compromised endpoint management infrastructure. |
| 2026-04-03 | Five Key Flaws Exploited in 2025's Software Supply Chain Incidents [Supply Chain] | Analysis of five major 2025 software supply chain incidents, detailing exploitation campaigns targeting critical vulnerabilities. These include the React2Shell RCE flaw (CVE-2025-55182) in React.js, exploited by nation-state groups; the Shai Hulud 2.0 worm that poisoned thousands of npm packages; and the Clop group's exploitation of a zero-day RCE vulnerability (CVE-2025-61882) in Oracle E-Business Suite. The analysis highlights the impact of these exploits on numerous organizations and the increasing sophistication of supply chain attacks. |
| 2025-08-14 | https://www.infosecurity-magazine.com/news/portswigger-launches-web-security/ [Burp] | Academy providing free, interactive labs and reading materials for web security training. Developed by PortSwigger, makers of Burp Suite, it addresses the global cybersecurity talent shortage. The platform offers continuously updated content on topics like clickjacking, WebSocket, HTTP request smuggling, server-side request forgery, and XXE injection, in a safe, risk-free testing environment. Users can track progress and compete on leaderboards. |
| 2019-11-14 | PortSwigger Launches Web Security Academy [Burp] | Academy launched by PortSwigger, offering free interactive labs and reading materials to address global cybersecurity talent shortages. The platform features content on clickjacking, WebSocket, HTTP request smuggling, server-side request forgery, and XXE injection, allowing users to practice in a safe, risk-free environment and track their progress. The content will be continually updated to reflect evolving cyber threats. |