All news with #injection tag

🔴 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that a high-severity Apache ActiveMQ flaw, CVE-2026-34197, is being actively exploited in attacks. The bug, present for 13 years, allows authenticated attackers to execute arbitrary code via improper input validation and injection. Apache released patches on March 30 for ActiveMQ Classic 6.2.3 and 5.19.4, and CISA added the CVE to its KEV catalog, ordering federal agencies to patch by April 30.

🔒 NationStates has confirmed a data breach after taking its browser-based game offline following a player-reported vulnerability that resulted in remote code execution on the production server. The attacker exploited a double-parsing and input sanitization flaw in the Dispatch Search feature to copy application code and user data, including email addresses, MD5 password hashes, login IPs, and browser User-Agent strings. NationStates says telegram contents were likely partially exposed, is wiping and rebuilding the production environment, has reported the incident to authorities, and expects service to be restored within two to five days.

🛡️ The CERT/CC has warned of a code-injection vulnerability in the binary-parser npm library (CVE-2026-1245) that can permit execution of arbitrary JavaScript when parser source is dynamically generated at runtime. The flaw arises from unsanitized, attacker-controlled values — such as parser field names and encoding parameters — being embedded into code compiled with the Function constructor. Applications that accept untrusted parser definitions are at risk; static, hard-coded parsers are not affected. Users should upgrade to binary-parser 2.3.0 and avoid passing user-controlled values into parser definitions.

⚠️ Rockwell Automation has published an advisory for an injection vulnerability in Stratix IOS (≤15.2(8)E5) that could allow an attacker to upload and run malicious configurations without authentication. The issue is tracked as CVE-2025-7350 and carries a CVSS v4 base score of 8.6, with remote exploitability and low attack complexity. Rockwell released an update; users should upgrade to 15.2(8)E6 or later. If updating is not immediately possible, follow vendor best practices and CISA's network-segmentation and access-control recommendations.

⚠️ Delta Electronics has identified two critical vulnerabilities in COMMGR (v2.9.0 and earlier) — a stack-based buffer overflow (CVE-2025-53418) and a code injection flaw (CVE-2025-53419) — that can enable arbitrary code execution via crafted .isp files. Delta and CISA rate the combined risk as high (CISA lists CVSS v4 8.8) and recommend upgrading to v2.10.0 or later. Additional mitigations include network segmentation, limiting Internet exposure, and using secure remote access methods. CISA reports no known public exploitation at this time.