The Next Web

A single click on a Microsoft link could have drained your inbox. Here’s how SearchLeak worked.

Varonis chained three bugs in Microsoft 365 Copilot Enterprise Search into a one-click data theft path that bypassed phishing filters and CSP protections.
Decrypt

AI Agents Still Can't Stop Prompt Injection Attacks, Researchers Warn

A new benchmark study found AI agents remain vulnerable to prompt injection attacks as companies increasingly roll out the ...
GitHub

Jellyfin Plugin - JavaScript Injector

Multiple Scripts: Add as many custom JavaScript snippets as you want. Organized UI: Each script is managed in its own collapsible section, keeping your configuration clean and easy to navigate. Enable ...

WebMCP Can Be Used To Hijack AI Agents, Chrome Warns

Chrome's WebMCP guidance warns that AI agents can be manipulated through the tools they are built to trust.
The Hacker News

Six Proto6 Vulnerabilities in protobuf.js Expose Node.js Apps to RCE and DoS

Six Proto6 flaws in protobuf.js enable RCE and DoS attacks; patched in versions 7.5.6 and 8.0.2 to protect Node.js services.
The Hacker News

Hacking Salesforce Sites With an LLM Agent

AI agent exploited Salesforce sites; 263 objects, 55 Apex methods exposed at one portal, leading to PII and file leaks.