Apple Warns iPhone Users: Patch Web-Based Exploits Now
Critical 9.3 CVSS Auth Bypass and XSS Flaws Hit MantisBT
- MantisBT, a popular open-source bug tracker, is affected by critical vulnerabilities including an authentication bypass (CVE-2026-30849) and multiple Cross-Site Scripting (XSS) flaws.
- The authentication bypass, rated CVSS 9.3, allows unauthenticated attackers to gain administrative access to the MantisBT instance without credentials.
- The XSS vulnerabilities, which affect all versions up to 2.26.0, could be leveraged to execute arbitrary client-side script in a victim's browser, potentially leading to session hijacking or defacement.
Source: SecurityOnline.info | Date: March 27, 2026
Vulnerabilities in Bludit Software Include Unauthenticated RCE and XSS
- Bludit, a flat-file CMS, has been found vulnerable to multiple critical issues, including an unauthenticated Remote Code Execution (RCE) and several Cross-Site Scripting (XSS) flaws.
- The RCE vulnerability (CVE-2026-25099), rated CVSS 9.8, permits unauthenticated attackers to execute arbitrary code on the server by uploading malicious files through the administration panel.
- The XSS vulnerabilities, present in various input fields, allow for client-side script injection, which could lead to session hijacking or redirection of users to malicious sites.
Source: CERT.PL | Date: March 27, 2026
References
- Apple Sends Lock Screen Alerts to Outdated iPhones Over Active Web-Based Exploits - The Hacker News
- AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion - The Hacker News
- Critical 9.3 CVSS Auth Bypass and XSS Flaws Hit MantisBT - SecurityOnline.info
- Vulnerabilities in Bludit software - CERT.PL
- New AITM phishing wave hijacks TikTok Business accounts - Security Affairs
- Apple security updates - Apple
- EvilGinx2 - GitHub
- Cloudflare Turnstile - Cloudflare
- CVE-2026-30849 - NVD
- Cross-Site Scripting (XSS) - OWASP
- CVE-2026-25099 - NVD