web application security

Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876)

Don't miss, enterprise, firewall, Hot stuff, News, OWASP, Progress, security update, vulnerability, web application security /

Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876) 2026-04-22 at 14:47 By Zeljka Zorz Progress Software has fixed a slew of high-severity vulnerabilities in MOVEit WAF and LoadMaster, including a flaw (CVE-2026-21876) that may allow attackers to bypass firewall detection. MOVEit WAF (web application firewall) is designed to protect Progress’s managed file transfer platform MOVEit […]

Progress Software fixes sneaky WAF bypass vulnerability (CVE-2026-21876) Read More »

More than half of public vulnerabilities bypass leading WAFs

Application Security, cybersecurity, Don't miss, Hot stuff, Miggo Security, News, report, web application security, Whitepapers and webinars /

More than half of public vulnerabilities bypass leading WAFs 2025-12-18 at 13:42 By Help Net Security Miggo Security has released a new report that examines how web application firewalls are used across real-world security programs. The research outlines the role WAFs play as foundational infrastructure and evaluates their effectiveness against critical vulnerabilities, CVEs, and AI-driven

More than half of public vulnerabilities bypass leading WAFs Read More »

A suspected Fortinet FortiWeb zero-day is actively exploited, researchers warn

Defused, Don't miss, Fortinet, Hot stuff, News, PoC, Rapid7, vulnerability, WatchTowr, web application security /

A suspected Fortinet FortiWeb zero-day is actively exploited, researchers warn 2025-11-14 at 14:10 By Zeljka Zorz A suspected (but currently unidentified) zero-day vulnerability in Fortinet FortiWeb is being exploited by unauthenticated attackers to create new admin accounts on vulnerable, internet-facing devices. Whether intentionally or accidentally, the vulnerability (or this specific path for triggering it) has

A suspected Fortinet FortiWeb zero-day is actively exploited, researchers warn Read More »

Exploits for unauthenticated FortiWeb RCE are public, so patch quickly! (CVE-2025-25257)

Don't miss, exploit, Fortinet, Hot stuff, News, PoC, Rapid7, vulnerability, WatchTowr, web application security /

Exploits for unauthenticated FortiWeb RCE are public, so patch quickly! (CVE-2025-25257) 2025-07-14 at 16:34 By Zeljka Zorz With two proof-of-concept (PoC) exploits made public late last week, CVE-2025-25257 – a critical SQL command injection vulnerability in Fortinet’s FortiWeb web application firewall – is expected to be leveraged by attackers soon. About CVE-2025-25257 CVE-2025-25257 is found

Exploits for unauthenticated FortiWeb RCE are public, so patch quickly! (CVE-2025-25257) Read More »

Rack Ruby vulnerability could reveal secrets to attackers (CVE-2025-27610)

Don't miss, Hot stuff, News, OPSWAT, Ruby, security update, vulnerability, web application security /

Rack Ruby vulnerability could reveal secrets to attackers (CVE-2025-27610) 2025-04-25 at 12:39 By Zeljka Zorz Researchers have uncovered three serious vulnerabilities in Rack, a server interface used by most Ruby web app frameworks (Ruby on Rails, Sinatra, Hanami, Roda, and others). Two of the flaws – CVE-2025-25184 and CVE-2025-27111 – could allow attackers to manipulate

Rack Ruby vulnerability could reveal secrets to attackers (CVE-2025-27610) Read More »

Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927)

Cloudflare, Don't miss, framework, Hot stuff, News, Next.js, open source, PoC, ProjectDiscovery, vulnerability, web application security, web development /

Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) 2025-03-24 at 15:17 By Zeljka Zorz A critical vulnerability (CVE-2025-29927) in the open source Next.js framework can be exploited by attackers to bypass authorization checks and gain unauthorized access to web pages they should no have access to (e.g., the web app’s admin panel).

Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) Read More »

Attackers compromise IIS servers by leveraging exposed ASP.NET machine keys

Don't miss, Hot stuff, IIS server, Malware, Microsoft, News, web application security, web shell /

Attackers compromise IIS servers by leveraging exposed ASP.NET machine keys 2025-02-07 at 14:22 By Zeljka Zorz A ViewState code injection attack spotted by Microsoft threat researchers in December 2024 could be easily replicated by other attackers, the company warned. “In the course of investigating, remediating, and building protections against this activity, we observed an insecure

Attackers compromise IIS servers by leveraging exposed ASP.NET machine keys Read More »

Tackling software vulnerabilities with smarter developer strategies

Application Security, code, cybersecurity, Don't miss, Endor Labs, Features, Hot stuff, News, opinion, software, web application security /

Tackling software vulnerabilities with smarter developer strategies 2024-12-13 at 07:03 By Mirko Zorz In this Help Net Security interview, Karl Mattson, CISO at Endor Labs, discusses strategies for enhancing secure software development. Mattson covers how developers can address vulnerabilities in complex systems, ways organizations can better support secure coding practices, and the role of languages

Tackling software vulnerabilities with smarter developer strategies Read More »

SafeLine: Open-source web application firewall (WAF)

Don't miss, firewall, GitHub, Hot stuff, News, open source, software, web application security /

SafeLine: Open-source web application firewall (WAF) 2024-12-04 at 07:38 By Mirko Zorz SafeLine is an open-source and self-hosted Web Application Firewall (WAF) that protects websites from cyber attacks. “SafeLine WAF was created to protect web applications for small and medium-sized enterprises from cyber threats by monitoring and filtering HTTP/HTTPS traffic. More importantly, with the widespread

SafeLine: Open-source web application firewall (WAF) Read More »

AI’s impact on the future of web application security

API security, cybersecurity, Don't miss, Features, Hot stuff, Incident Response, monitoring, News, opinion, web application security /

AI’s impact on the future of web application security 2024-11-15 at 07:33 By Mirko Zorz In this Help Net Security interview, Tony Perez, CEO at NOC.org, discusses the role of continuous monitoring for real-time threat detection, the unique risks posed by APIs, and strategies for securing web applications. Perez also addresses how AI-driven threats are

AI’s impact on the future of web application security Read More »

Web-based PLC malware: A new potential threat to critical infrastructure

Don't miss, Hot stuff, ICS/SCADA, Malware, News, PLC, research, web application security /

Web-based PLC malware: A new potential threat to critical infrastructure 2024-03-07 at 13:47 By Zeljka Zorz A group of researchers from Georgia Tech’s College of Engineering have developed web-based programmable logic controller (PLC) malware able to target most PLCs produced by major manufacturers. “Our Web-Based (WB) PLC malware resides in PLC memory, but ultimately gets

Web-based PLC malware: A new potential threat to critical infrastructure Read More »

New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164)

Apache Struts, Don't miss, Hot stuff, News, security update, vulnerability, web application security /

New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164) 08/12/2023 at 15:01 By Zeljka Zorz The Apache Struts project has released updates for the popular open-source web application framework, with fixes for a critical vulnerability that could lead to remote code execution (CVE-2023-50164). About CVE-2023-50164 CVE-2023-50164 may allow an attacker to manipulate file

New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164) Read More »

Scroll to Top