Thanks to all your support on Patreon, we’ve just passed 3100 active patrons (!), so 60+ studio HDRIs have just been released out of early-access and made available freely to everyone!

Download: https://polyhaven.com/hdris/studio

Next up: 50+ wood textures! https://polyhaven.com/vaults/wood Support us on Patreon to download them now, and help unlock them for everyone.

lol https://seclists.org/oss-sec/2026/q1/89

telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.

If the client supply a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes

In telnetd for a decade 💀

You don't need to pay Apple or start a new subscription to unleash your creativity. We asked creatives what free software they use to get the job done and here are their picks.

A thread 🧵

https://kde.org/for/creators/

#creativity #design #audio #art #video

At the https://gpg.fail talk and omg #39c3

You can just put a \0 in the Hash: header and then newlines and inject text in a cleartext message.

Won’t even blame PGP here. C is unsafe at any speed.

gpg has not fixed it yet.

Notepad++ have released a new version to fix the auto update process being hijacked https://notepad-plus-plus.org/news/v889-released/

I reported the vulnerability, it is being hijacked by threat actors in China. https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9

There is an unauthenticated remote code execution vulnerability in React Server Components.

Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.

If your app’s React code does not use a server, your app is not affected by this vulnerability.

CVE-2025-55182

Mastodon server not impacted btw.

https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

We're back with five more apps up for adoption at our fundraiser:

- LabPlot: A powerful data analysis and visualization tool that accepts data in all kinds of formats.

- Okular: Your one-stop app for viewing all kinds of documents. Okular supports annotations, digital signing, and more.

- KStars: Your private planetarium that also helps you schedule and execute your observation and astrophotography sessions.

https://kde.org/fundraisers/yearend2025/#adopt-an-app

#fundraiser #FreeSoftware

[More >]

Over the last 12 months, watchTowr Labs uncovered thousands of leaked credentials: cloud keys, AD creds, API tokens, even KYC data - already being abused.

Join us on our journey into “innocent” developer tools.

https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/