Ten CVEs in GitLab fixed, including four sev:HIGH ones.

GitLab Patch Release: 18.6.2, 18.5.4, 18.4.6

Learn more about GitLab Patch Release: 18.6.2, 18.5.4, 18.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

BoF in glib.

cve-details

> A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.

Every single morning this week I've had to wait for Microsoft to go wake up GitHub. I thought it was supposed to be a 24 / 7 service.

MS advisories are live. Looks like two publicly disclosed and one EITW.

Security Update Guide - Microsoft Security Response Center

BleepingComputer

Google Chrome adds new security layer for Gemini AI agentic browsing

Google Chrome is introducing a new security architecture designed to protect upcoming agentic AI browsing features powered by Gemini.

Go hack more MCP shit.

Unit 42

New Prompt Injection Attack Vectors Through MCP Sampling

Model Context Protocol connects LLM apps to external data sources or tools. We examine its security implications through various attack vectors.

RE:

Infosec Exchange

myron aub (@h2onolan@infosec.exchange)

Absolutely not. Terrible idea.

Agreed. But a terrible idea does sound fun... :brdThink: View quoted note →

RE: https://infosec.exchange/@cR0w/115663720460315600 Still nothing from Cisco... View quoted note →

Cisco published a placeholder advisory for the React vuln CVE-2025-55182. They have not finished analyzing any of their products yet so impact has not been determined.

Remote Code Execution Vulnerability in React and Next.js Frameworks: December 2025

On December 3, 2025, the React team released a security advisory regarding a vulnerability, CVE-2025-55182, in the React server that could allow an...