Checkmarx Zero (@checkmarxzero)'s Twitter Profile
Checkmarx Zero

@checkmarxzero

Working to Keep the Open Source Ecosystem Safe
checkmarx.com/zero/

ID: 1516731835560177669

Link: https://checkmarx.com/zero/
Joined: 20-04-2022 10:54:39

218 Tweets

179 Followers

19 Following

Checkmarx Zero (@checkmarxzero):

Developers can have good intentions to make code evaluation safe with data scope sandboxes; but with #Python those sandboxes are made of glass — and that can lead to surprise #RCE vulnerabilities in your apps! Alex Shleymovich explains how this works and what you can do to stay

Checkmarx Zero (@checkmarxzero):

Critical #Vulnerability in Apache Parquet (CVE-2025-30065, #CVSS 10.0). Java Library enabling import of big data files allows adversaries to execute arbitrary code by sending malicious data files. devhub.checkmarx.com/cve-details/CV… If you receive Parquet data from untrusted sources, #patch

Checkmarx Zero (@checkmarxzero):

Concerned about the recent #BentoML #RCE (CVE-2025-27520)? Well there’s some good news. Our research shows that some of the versions listed as affected are actually not! Read up for details: checkmarx.com/zero-post/bent…

Checkmarx Zero (@checkmarxzero):

Critical #CVE-2025-30215 in #NATSio Server—common for #IoT and distributed cloud-native platforms. Exploit of #vulnerable API leads to product outages, sensitive data leaks, and reputation damage. Update to 2.10.27 / 2.11.1 immediately! See github.com/nats-io/nats-s… for detail.

Checkmarx Zero (@checkmarxzero):

Fortunately this site is now clearly marked as a joke, and flagged by the major safe browsing tools. But it wasn’t earlier and we’re not sure whether to laugh or cry… #phishing #security #training

Checkmarx Zero (@checkmarxzero):

"43% of disclosed cloud-infrastructure secrets are Google Cloud API keys" (2025 #DBIR). Sounds about right. That's why our Too Many Secrets (2MS) free and #opensource tool detects those in code, chats, etc. And it safely checks to see if they're currently active so you don't

Checkmarx Zero (@checkmarxzero):

🚨 Critical #RCE (#CVE-2025-32444) in #vLLM Python package, versions 0.6.5 through 0.8.4. Unsafe deserialization over exposed ZeroMQ sockets when using vLLM with #Mooncake. Vulnerable sockets listening on all interfaces make it easier to attack. Update to 0.8.5 ASAP to protect

Checkmarx Zero (@checkmarxzero):

This #Langflow vulnerability is getting some new attention because it appeared in the #KEV (Known Exploited #vulnerability); if you aren't patched yet, you'll probably want to accelerate that

Checkmarx Zero (@checkmarxzero):

Python #PEP770 has been accepted, which means there's now a standard way to include #SBOM documents in #Python packages. This is great news, but there's also some care required whether you produce or consume PEP-770 compatible packages. Learn more about it from Checkmarx Zero:

Checkmarx Zero (@checkmarxzero):

🚨#CVE-2025-4664: Chrome vulnerability prior to 136.0.7103.113 allows attackers to leak cross-origin data via the img tag src attribute. When Chrome loads these attacker-controlled image URLs, the endpoint returns Link headers with 'unsafe-url' referrer-policy, causing a referer

Checkmarx Zero (@checkmarxzero):

#CVE-2025-4641 CRITICAL (CVSS=9.3)… or is it? Java #WebDriverManager for #Selenium has an #XXE vuln, but as a dev tool, it's unlikely you're using it where an adversary could exploit it. It's still a good idea to update to at least 6.0.2, but probably #DontPanic

Checkmarx Zero (@checkmarxzero):

🚨 #CVE-2025-47277 (#CVSS=9.8, #EPSS=0.05%): #Python #LLM inference and serving module 'vLLM' versions 0.6.5 through 0.8.4 are vulnerable to Remote Code Execution (#RCE) via unsafe deserialization in the PyNcclPipe service. Attackers can exploit this #vulnerability to execute

Checkmarx Zero (@checkmarxzero):

🚨#CVE-2025-41232: #SpringSecurity versions 6.4.0 through 6.4.5 may not correctly locate method security annotations on private methods, leading to Authorization bypass. Your application may be affected if you're using @EnableMethodSecurity(mode=ASPECTJ), spring-security-aspects,

Checkmarx (@checkmarx):

"Checkmarx Zero uncovered two malicious campaigns targeting Python & #npm users looking for the popular #Colorama and #Colorizr packages. Relying on #typosquatting & name-confusion, the threat actors uploaded multiple #PyPI packages" securityweek.com/in-other-news-… SecurityWeek

Checkmarx Zero (@checkmarxzero):

Worried about missing our longer-form content in the sea of social media? You can subscribe to updates by email (without any fear of getting hit with marketing emails); go to checkmarx.com/zero and click the envelope icon to subscribe to updates!

Checkmarx Zero (@checkmarxzero):

🚨#CVE-2025-1793: Multiple vector store integrations in #AI library llama_index, versions prior to 0.12.28, are vulnerable to SQL injection. Attackers can read and write data from/to any of the affected vector stores by using SQL, potentially leading to unauthorized access to the
