> Public preview of synced passkeys brings the security benefits of MFA with simpler usability, while avoiding the security risks of weaker MFA options like SMS. However, even the simplest MFA can fail when credentials are lost, making account recovery a critical part of the user experience. To improve usability in such cases, we are introducing public preview for account recovery with AI-powered biometric match against government issued IDs across 192 countries. https://techcommunity.microsoft.com/blog/microsoft-entra-blog/synced-passkeys-and-high-assurance-account-recovery/3627343

RE:

Infosec Exchange

BleepingComputer (@BleepingComputer@infosec.exchange)

Hackers are exploiting critical-severity vulnerabilities affecting multiple Fortinet products to get unauthorized access to admin accounts and ste...

Apparently CVE-2025-59718 and CVE-2025-59719 are now EITW. View quoted note →

../ in FreshRSS. How did no one recommend that one to me yesterday? A new ../ would have been fun.

GitHub

Authenticated RCE via path traversal inside include()

### Summary Using a path traversal inside the `language` user configuration parameter, it's possible to call `install.php` and perform various a...

A couple vulns in Trail of Bits' Fickling.

GitHub

Bypass via marshal.loads() and types.FunctionType()

## Our assessment Based on the test case provided in the original report below, this bypass was caused by `marshal` and `types` missing from our...

GitHub

Bypass via pty.spawn()

## Our assessment Based on the test case provided in the original report below, this bypass was caused by `pty` missing from our block list of u...

RE:

Mastodon

Miguel de Icaza ᯅ🍉 (@Migueldeicaza@mastodon.social)

Jesus fucking christ. https://hey.paris/posts/appleid/

This is terrible, obviously. But another lesson for self hosting weirdos like me who offer services to friends and family is that the same outcome is possible with a simple accident or mistake. Be careful with other people's data. There's more to it than just encryption. View quoted note →

Ten CVEs in GitLab fixed, including four sev:HIGH ones.

GitLab Patch Release: 18.6.2, 18.5.4, 18.4.6

Learn more about GitLab Patch Release: 18.6.2, 18.5.4, 18.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).

BoF in glib.

cve-details

> A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.

Every single morning this week I've had to wait for Microsoft to go wake up GitHub. I thought it was supposed to be a 24 / 7 service.

MS advisories are live. Looks like two publicly disclosed and one EITW.

Security Update Guide - Microsoft Security Response Center

BleepingComputer

Google Chrome adds new security layer for Gemini AI agentic browsing

Google Chrome is introducing a new security architecture designed to protect upcoming agentic AI browsing features powered by Gemini.