A Local File Inclusion (LFI) vulnerability was discovered in Apache Drill, caused by improper handling of file paths in the query interface; an attacker able to manipulate the dfs storage plugin configuration can read arbitrary files from the server, including sensitive files such as /etc/passwd.
A researcher earned a $900 bounty for an XSS vulnerability on Yahoo through extensive reconnaissance of deep subdomain levels, leveraging directory enumeration and the KNOXSS XSS discovery service to find a private WebPageTest instance and exposed PHP endpoints.
Slacker Slash is a path traversal vulnerability in Bun-based web applications caused by a desynchronization between Bun's WHATWG-compliant URL parser (which preserves multiple leading slashes and backslashes) and POSIX-normalizing filesystem operations (which collapse them). Attackers bypass string-based middleware checks such as startsWith() using double-slash notation (//admin) or sibling directory prefixes (public_backup), while the filesystem still resolves the requested file.