Secret CISO 5/30: Bradford Health and Victoria's Secret Breached, Coca-Cola Unfazed, Etsy and TikTok Shop Leak, Tiffany & Dior Hit in Korea, AI in Drone Security, Developer Overload, Windows RAT, Bitcoin's Low Fee Risk, AI Agent Security, Multiple CVEs

Welcome to today's issue of Secret CISO, your daily dose of the most impactful cybersecurity news. Today, we're covering a series of data breaches affecting major companies, advancements in AI-enhanced detection algorithms, and the latest vulnerabilities you need to be aware of.
First, we delve into a series of data breaches affecting Bradford Health Services, Victoria's Secret, Coca-Cola, Etsy, TikTok, Tiffany & Co., and Dior. These breaches have potentially compromised personal and protected health information, customer details, and more. The extent of these breaches and the number of affected individuals are still under investigation.
Next, we explore the world of AI and its impact on cybersecurity. A strategic research report highlights the advancements in AI-enhanced detection algorithms that are improving accuracy and driving the market for autonomous monitoring in drone airspace security systems. However, the rapid adoption of AI agents is also driving an urgent need for evolved security, as developers are becoming overwhelmed due to false positives and the faster pace of development.
We also discuss the latest vulnerabilities that have been discovered. These range from an improper validation of unsafe equivalence in punycode by the idna crate from Servo rust-url, to a file upload vulnerability in HuoCMS V3.5.1 and before, to a stored cross-site scripting in Easy Digital Downloads plugin for WordPress. We also cover a few vulnerabilities that have already been patched, such as a validation bypass vulnerability in Laravel Rest Api and a hardcoded API key in Project AI.
Finally, we highlight some vulnerabilities that have no known patches at the time of publication, including an unauthorized access vulnerability in Valtimo Backend Libraries and a buffer overflow in IO::Compress::Brotli. We also discuss a permission verification flaw in Navidrome that allows any authenticated regular user to perform administrator-only transcoding configuration operations.
Stay tuned to Secret CISO for more updates on the latest in cybersecurity.
Data Breaches
- Data Breach at Bradford Health Services: Bradford Health Services has reported a data security incident that may have compromised the personal and protected health information of certain employees and patients. The extent of the breach and the number of affected individuals are yet to be disclosed. Source: ABC 33/40
- Victoria's Secret Cyberattack: Victoria's Secret is dealing with a cyberattack that forced the company to shut down its website and some in-store services. The extent of the breach and the data compromised are still under investigation. Source: Times of India
- Data Breach Impact on Coca-Cola Stock: Coca-Cola has experienced a data breach, the details of which are still unclear. Despite the breach, the company's shares remain largely unaffected. Source: The Globe and Mail
- Data Leak Exposing Etsy and TikTok Shop Customer Details: A massive data leak has exposed the details of 1.6 million customers of Etsy and TikTok Shop. The leaked files contain sensitive customer information, the extent of which is still being determined. Source: TechRadar
- Data Breaches at Tiffany & Dior: Jewelry retailer Tiffany & Co. and luxury goods company Dior have reported data breaches affecting their South Korean customers. The breaches occurred on a third-party vendor's platform, and the extent of the data compromised is still under investigation. Source: Bank Info Security
Security Research
- Drone Airspace Security Systems Strategic Research Report 2025: AI-Enhanced Detection Algorithms Improve Accuracy and Drive Market for Autonomous Monitoring: This research report highlights the advancements in AI-enhanced detection algorithms that are improving accuracy and driving the market for autonomous monitoring in drone airspace security systems. Source: BusinessWire
- Shifting left might improve software security, but developers are becoming overwhelmed: Research indicates that while shifting left might improve software security, developers are becoming overwhelmed due to false positives, the faster pace of development thanks to AI, and challenges integrating tools. Source: ITPro
- New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers: Security experts have discovered a new Windows RAT that evades detection for weeks by using corrupted DOS and PE headers. Source: The Hacker News
- Ethereum researcher raises concerns about a potential Bitcoin security problem due to its low fees: Ethereum Foundation researcher Justin Drake has raised concerns about the security of the Bitcoin network due to its low fees. Source: Binance
- SailPoint research highlights rapid AI agent adoption, driving urgent need for evolved security: SailPoint's new research report titled 'AI agents: The new attack surface' highlights the rapid adoption of AI agents and the urgent need for evolved security. Source: CRN
Top CVEs
- Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url: This vulnerability allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another. Source: CVE-2024-12224
- Improper Handling of Case Sensitivity vulnerability in Apache Tomcat: This vulnerability allows a bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue. Source: CVE-2025-46701
- File Upload Vulnerability in HuoCMS V3.5.1 and before: This vulnerability allows attackers to take control of the target by exploiting a file upload vulnerability. Source: CVE-2025-46078
- Issue in Open Network Foundation ONOS v2.7.0: This vulnerability allows attackers to create fake IP/MAC addresses and potentially execute a man-in-the-middle attack on communications between the fake and the real addresses. Source: CVE-2023-41591
- Stored Cross-Site Scripting in Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress: This vulnerability allows authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Source: CVE-2025-4670
API Security
- CVE-2025-48490 Laravel Rest Api Search Validation Bypass: Laravel Rest Api, an API generator, had a validation bypass vulnerability in versions prior to 2.13.0. This could allow malicious actors to bypass validation rules and inject dangerous parameters into the application. The issue has been patched in version 2.13.0. Source: CVE-2025-48490
- CVE-2025-48881 Valtimo Backend Libraries Unauthorized Access: Valtimo, a platform for Business Process Automation, had a vulnerability in versions 11.0.0.RELEASE to 11.3.3.RELEASE and 12.0.0.RELEASE to 12.12.0.RELEASE that allowed unauthorized users to list, view, edit, create or delete all objects for which an object-management configuration exists. No known patches exist at the time of publication. Source: CVE-2025-48881
- CVE-2025-48491 Project AI Hardcoded API Key: Project AI, a platform designed to create AI agents, had a hardcoded API key present in the source code prior to the pre-beta version. This issue has been patched in the pre-beta version. Source: CVE-2025-48491
- CVE-2020-36846 IO::Compress::Brotli Buffer Overflow: A buffer overflow exists in the embedded Brotli library in IO::Compress::Brotli versions prior to 0.007. An attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash when copying over chunks of data larger than 2 GiB. It is recommended to update to version 0.007 or later. Source: CVE-2020-36846
- Navidrome Transcoding Permission Bypass Vulnerability: A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations. This includes creating, modifying, and deleting transcoding settings. Source: Navidrome Transcoding Permission Bypass Vulnerability
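The Navidrome item above describes a flaw class worth seeing in code: a handler that confirms a caller is authenticated but never checks the caller's role, so any regular user can reach administrator-only configuration operations. The following is an added illustration of that pattern and its fix, not Navidrome's code; the in-memory settings store, the `Role`/`User` types and the `require_role` decorator are all constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from functools import wraps


class Role(Enum):
    USER = "user"
    ADMIN = "admin"


@dataclass(frozen=True)
class User:
    name: str
    role: Role


class AuthorizationError(PermissionError):
    """Raised when a caller is unauthenticated or lacks the required role."""


class TranscodingStore:
    """Constructed stand-in for a server's transcoding configuration (hypothetical)."""

    def __init__(self):
        self.settings = {}

    def create(self, name, command):
        self.settings[name] = command

    def delete(self, name):
        del self.settings[name]


def create_transcoding_vulnerable(store, user, name, command):
    # Flaw class: only "is someone logged in?" is checked. The role is never
    # consulted, so an ordinary authenticated user can change admin-only settings.
    if user is None:
        raise AuthorizationError("authentication required")
    store.create(name, command)
    return True


def require_role(required):
    """Enforce both authentication and the required role at the handler boundary."""

    def decorator(fn):
        @wraps(fn)
        def wrapper(store, user, *args, **kwargs):
            if user is None:
                raise AuthorizationError("authentication required")
            if user.role is not required:
                raise AuthorizationError(f"{user.name} lacks role {required.value}")
            return fn(store, user, *args, **kwargs)

        return wrapper

    return decorator


@require_role(Role.ADMIN)
def create_transcoding_fixed(store, user, name, command):
    store.create(name, command)
    return True


@require_role(Role.ADMIN)
def delete_transcoding_fixed(store, user, name):
    store.delete(name)
    return True


def demo():
    """Call each handler as a regular user and as an admin; report what was allowed."""
    store = TranscodingStore()
    alice = User("alice", Role.USER)      # regular user
    root = User("root", Role.ADMIN)       # administrator
    results = {}
    # The vulnerable handler accepts the regular user's change.
    results["vulnerable_regular_user"] = create_transcoding_vulnerable(
        store, alice, "mp3", "ffmpeg -i %s -f mp3 -")
    # The fixed handler rejects the regular user...
    try:
        create_transcoding_fixed(store, alice, "opus", "ffmpeg -i %s -f opus -")
        results["fixed_regular_user"] = True
    except AuthorizationError:
        results["fixed_regular_user"] = False
    # ...and still lets the administrator through.
    results["fixed_admin"] = create_transcoding_fixed(
        store, root, "opus", "ffmpeg -i %s -f opus -")
    results["settings_after"] = sorted(store.settings)
    return results


if __name__ == "__main__":
    print(demo())
```

Putting the role check in a decorator applied to every administrative handler is the point: the check then cannot be forgotten on one endpoint, which is exactly how a single-operation permission bypass like the one reported tends to arise.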
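The Project AI item above is a hardcoded API key in source code, a defect that is cheap to catch before commit with a simple scanner. The following is an added example written for this newsletter, not code from Project AI or any real tool; the regular expressions are generic shapes of common secret formats, the environment-lookup allowlist is an assumption about how such values should be read instead, and the source file it scans is constructed inline.

```python
import re

# Generic shapes of secrets that get committed by mistake. These are
# illustrative patterns, not signatures tied to any particular product.
SECRET_PATTERNS = {
    "generic_api_key_assignment": re.compile(
        r"""(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""
    ),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# A line that reads the value from the environment is the intended fix,
# so it is skipped rather than reported (assumption: this is the project's
# chosen way of supplying secrets).
ENV_LOOKUP = re.compile(r"\b(os\.environ|getenv|process\.env)\b")


def scan_lines(lines):
    """Return (line_number, pattern_name) for every line that looks like a hardcoded secret."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if ENV_LOOKUP.search(line):
            continue
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
                break  # one finding per line is enough to block the commit
    return findings


def scan_text(text):
    return scan_lines(text.splitlines())


# Constructed sample source file: two hardcoded secrets, two env lookups,
# one harmless constant, and a pasted private key header.
CONSTRUCTED_SOURCE = """\
import os
PROJECT_API_KEY = "sk_examplefakekey1234567890abcdef"
AWS_KEY = "AKIAEXAMPLEEXAMPLE12"
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_key = os.getenv("API_KEY")
TIMEOUT = "30"
-----BEGIN RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for lineno, kind in scan_text(CONSTRUCTED_SOURCE):
        print(f"line {lineno}: possible hardcoded secret ({kind})")
```

Run as a pre-commit hook, a non-empty result should fail the commit. The allowlist is deliberately coarse: a line that both assigns a literal and mentions `os.environ` in a comment would be skipped, so a production scanner should parse assignments rather than rely on a substring match, and any key that has already reached a repository must be rotated regardless of what the scanner says.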
Sponsored by Wallarm API Security Solution
Final Words
That's it for today's edition of the Secret CISO newsletter. As we can see, the cyber landscape continues to evolve with new threats and vulnerabilities emerging daily. From data breaches at Bradford Health Services and Victoria's Secret to the rapid adoption of AI agents driving the need for evolved security, it's clear that staying informed is our first line of defense.
Remember, knowledge is power. The more we know about these threats, the better we can protect ourselves and our organizations. So, let's not keep this valuable information to ourselves. Share this newsletter with your friends, colleagues, and anyone else who might benefit from staying updated on the latest in cybersecurity.
Together, we can build a safer digital world. Stay safe, stay informed, and see you in the next edition of Secret CISO.