SBA Research is a research center for Information Security funded partly by the national initiative for COMET Competence Centers for Excellent Technologies.
The genucenter web interface before version 8.0p11 unnecessarily exposes sensitive SNMP authentication and encryption keys in its HTTP responses to users with the “Service” or “Admin” role. This exposure allows potential unauthorized access to network devices. Read More
SWUpdate before 2026.05 is affected by a time-of-check time-of-use (TOCTOU) race condition that allows local unprivileged attackers to escalate privileges to root or install untrusted contents using a signed update. Read More
Users can create alerts for customers that are not assigned to them. This can be abused to falsely attribute fake alerts to customers. In combination with Cross-Site Scripting, this can also be used to exfiltrate alerts from other customers. Read More
The IRIS web application is vulnerable to a Cross-site request forgery attack, because it uses the HTTP method GET to change state on the server. Read More
The IRIS web application does not properly validate uploaded files. It can therefore be misused to host phishing pages, amongst other things. This also creates an instance of a Cross-Site Scripting (XSS) vulnerability. Read More
The IRIS web application contains a weakness where an attacker can misuse it to redirect the user to a malicious website controlled by an attacker. Read More
GoAnywhere MFT before 7.10.0 is affected by an HTML injection vulnerability in its email templating functionality. If an attacker is able to influence the content of a template variable, malicious HTML can be embedded into outgoing emails generated by the application. As these messages originate from a trusted system, the vulnerability may facilitate phishing and other social-engineering attacks. The issue arises from insufficient HTML encoding of untrusted input before inclusion in HTML email content. Read More
LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API. ... Read More
We are proud to celebrate the outstanding achievements of our researchers, who were recognized at the University of Vienna Faculty of Computer Science's Best-of-the-Best Awards on June 24. ∞
SBA Research was delighted to welcome FFG Managing Director Karin Tausz and Head of Division Structural Programmes Silvia Laimgruber to the SBA-K1 NGC COMET Center in Vienna. ... ∞
Our colleague Nicholas Stifter, researcher and security analyst at SBA Research, presented his conference paper titled Reuse of Public Keys Across UTXO and Account-Based Cryptocurrencies at the Financial Cryptography and Data Security 2026 in St. Kitts, USA. ... ∞