
The Pirate Post reshared this.


🗞️ Your favourite #DigitalRights newsletter is back! Strap in for the busy and buzzy first edition of the #EDRigram in 2026. On our agenda:

🕵🏾 new resource to strengthen the case for an EU-wide ban on #spyware
✊🏾 resisting discriminatory algorithms in the Netherlands with Bits of Freedom, and in France with La Quadrature du Net and coalition.
🤔 EDRi's 2025 year in review - resisting and persisting despite everything

... and more! ➡️ edri.org/our-work/edri-gram-21…




Help the Pirates in your municipality


Perhaps you live in a municipality where the Piratenpartij wants to take part. Only with enough declarations of support (OSV) do we get the Piratenpartij onto the ballot. An OSV is also known as an H4 form. Download them for your municipality (municipality: send to): Amsterdam: mailto:amsterdam@piratenpartij.nl; district committee Amsterdam – West: mailto:amsterdam@piratenpartij.nl. The procedure in brief: bring a valid ID! The […]

The post Help the Pirates in your municipality appeared first on Piratenpartij.



EDRi-gram, 21 January 2026


What has the EDRi network been up to over the past few weeks? Find out the latest digital rights news in our bi-weekly newsletter. In this edition: EDRi’s 2025 year in review, new resource to support an EU spyware ban, DSA delayed in Poland, & more!

The post EDRi-gram, 21 January 2026 appeared first on European Digital Rights (EDRi).



Fighting for algorithmic justice: lessons learned in working closely with affected people


Bits of Freedom shares lessons learned while working on “Amsterdam Top400”, an invasive municipality project which involved the use of predictive policing and led to unwanted interference in the private lives of young people. Together with a coalition of professionals from different backgrounds and affected individuals, they explored the possibility of holding the municipality of Amsterdam accountable for violations of children’s rights, data protection law, and fundamental freedoms.

The post Fighting for algorithmic justice: lessons learned in working closely with affected people appeared first on European Digital Rights (EDRi).



EDRi launches new resource to document abuses and support a full ban on spyware in Europe


Spyware continues to spread across Europe despite years of scandals and indisputable evidence of fundamental rights violations. As the European Commission remains inactive, civil society, journalists and some lawmakers at the European Parliament are stepping up pressure for accountability. In this context, EDRi is launching a document pool to centralise resources that track abuse and support the growing push for a full EU-wide ban on spyware.

The post EDRi launches new resource to document abuses and support a full ban on spyware in Europe appeared first on European Digital Rights (EDRi).



EDRi’s 2025 in review: we resisted, we persisted


As for most civil society organisations, 2025 was a tumultuous and challenging year for EDRi. Shifting political landscapes and shrinking civic space have for years made the work of civil society in Europe and around the world increasingly difficult. Yet we have nevertheless found many reasons to hope, celebrate, resist and persist.

The post EDRi’s 2025 in review: we resisted, we persisted appeared first on European Digital Rights (EDRi).



President’s veto further delays the implementation of the DSA in Poland


Poland is among the last EU member states to implement the Digital Services Act. After two years of negotiations between the government and civil actors – led by the Panoptykon Foundation, the Polish NGO protecting fundamental rights in the online context – the implementing act was ready. The President’s veto means that the process has to be started afresh.

The post President’s veto further delays the implementation of the DSA in Poland appeared first on European Digital Rights (EDRi).



New research reveals how Snapchat uses notifications to manipulate users


A new study by Bits of Freedom shows that Snapchat sends users misleading notifications. This is banned under the Digital Services Act which prohibits misleading and manipulative design on online platforms. The results of this study make for important input into possible DSA enforcement actions and support including rules about attention-grabbing notifications in the upcoming Digital Fairness Act.

The post New research reveals how Snapchat uses notifications to manipulate users appeared first on European Digital Rights (EDRi).




If in Milan at the AI Festival, come say hi to @jaromil ! You'll find him speaking today at 11:30 CET, in the innovation arena, about Agentic AI and Trust in Fintech: autonomy, risk, and new digital responsibilities.

news.dyne.org/planetdyne-s2026…




Bastian’s Night #460, January 22nd


Every Thursday, Bastian’s Night is broadcast from 21:30 CET.

Bastian’s Night is a live talk show in German with lots of music, a weekly round-up of news from around the world, and a glimpse into the host’s crazy week in the pirate movement.


If you want to read more about @BastianBB: –> This way


piratesonair.net/bastians-nigh…



Pirate Council Nominations Due Next Friday


We elect our Pirate Council in February. Positions include Captain, First Officer, Quartermaster, PR/Media Director, Activism Director, Swarmwise Director, Web/Info Director, three Arbitrators and two representatives to the US Pirate Party.

If you are interested in throwing your hat in for any of these positions, nominations are open on-line until end of day Friday, January 30th. Before you do, become a member, join our activists email list, and read our Articles of Agreement and Code of Conduct.

Ballots will be sent out by February 13th and are due back by February 27th. We will use the same voting mechanism we used in our previous election. Voters will be emailed a randomly generated id that only the voter will know. Once the election is done, we will delete the ids. In this way, we can ensure that only supporters can vote, while also maintaining the secrecy of votes.

We look forward to multiple candidates for all positions.


masspirates.org/blog/2026/01/2…




RE: mamot.fr/@LaQuadrature/1159270…

✊🏾 @edri is proud to join @LaQuadrature and other orgs in challenging the discriminatory algorithms used by the family branch of the French welfare system (CNAF).

In the context of the current #deregulation spree by the European Commission, this legal action shows resistance to the rollback of #FundamentalRights protections and the increase of rights-infringing legislation.

Read an update about the strengthened coalition and the legal action so far ➡️ edri.org/our-work/cnafs-discri…






CNAF’s discriminatory scoring algorithm: 10 new organisations join the case before the Conseil d’État in France


10 organisations, including EDRi, have joined an ongoing coalition effort to challenge the discriminatory algorithms used by the family branch of the French welfare system (CNAF). In the current deregulation spree by the European Commission, this legal action represents resistance to the rollback of fundamental rights protections and the increase of rights-infringing legislation. Read an update about the strengthened coalition and the legal action they have taken so far.

The post CNAF’s discriminatory scoring algorithm: 10 new organisations join the case before the Conseil d’État in France appeared first on European Digital Rights (EDRi).




For 15 years, the CNAF has been using a scoring algorithm to rate its beneficiaries and target its checks. In practice, the most precarious people receive a higher “suspicion” score and end up being checked more often because of this algorithm. So we challenged it in 2024 together with 14 other associations. Today, we are proud to announce that 10 more organisations are joining the fight.

laquadrature.net/2026/01/20/al…


in reply to La Quadrature du Net

Your appearance on Le Média right now is fascinating. One understands perfectly the problem with this algorithm and the deafness of the CAF. Well done to you and to the various unions and associations that follow you.
in reply to La Quadrature du Net

(1/3) Not to mention that, in all the years I have been trying to get them to move on this (every contact person also has aquaponey and refers you to another office..), the site has not changed; it ITSELF generates errors which then generate checks, such as the end-of-employment dates you declare on the quarterly declarations, which from one page to the next get MODIFIED by the site itself, and so you then have to accept this lie they force you to state in order to stay consistent, or else write in a form not exceeding something like.. 220 characters (what's one more hazing..)



"The world is moving fast, and so are dynes."

That sounds sooooo 3 months ago!

Some things change, others evolve. It's all a matter of perspective in Space and Time: there are many different ways to keep a calendar.

Hopefully, the constant is that you feel comfort in this new issue of Planet Dyne. Remote access is a lot like astral projection.

news.dyne.org/planetdyne-s2026…




Spyware Document Pool


Spyware is one of the most serious threats to fundamental rights, democracy and civic space across Europe. This document pool brings together EDRi’s analysis, advocacy, research, and curated third-party resources as part of our push for a full EU-wide ban on spyware.

The post Spyware Document Pool appeared first on European Digital Rights (EDRi).






Remembering Dr. King


January 19 – Today is MLK Day, in which we celebrate the “birthday” of Rev. Dr. Martin Luther King Jr. (which was actually four days ago on the 15th) and remember him as a nonviolent activist and hero of Civil Rights.

To take a moment of reflection, I think it is especially important to remember the life, work and legacy of MLK Jr. for everything that it was. Martin Luther King Jr. is a figure that fills a hole I believe is deeply missing in today’s day and age.

Many people might overlook the fact, or write it off as a mere footnote, that Dr. King was a Reverend. But you shouldn’t overlook that fact.

Dr. King was a part of what we will boil down for simplicity purposes as “the Christian Left”.

What we are seeing in today’s day and age is the continual bastardization of Christian imagery in order to progress an agenda of “Christian Nationalism”. While Civil Rights should rightfully be recognized as Dr. King’s legacy, his role as a prominent Christian and the undeniable role his Christianity had on his words and actions must be acknowledged.

“Now is the time to make justice a reality for all of God’s children.”

Because Christian Nationalists of 2026 use phrases such as “Christ is King”, many from left-of-center to far-left tend to completely disregard religion as toxic, antiquated, oppressive or even “opiate of the masses”.

They should not.

It is fine if you personally are non-religious, but many folks do take their faith seriously. It is central to their lives and often influences their day-to-day decisions.

The Reverend Dr. King is no exception, and to lessen that idea his motives were deeply Christian would be to belittle his legacy entirely.

For those of you who consider themselves “on the left”, it is important you do not forget or belittle the impact faith and religion has on people. Furthermore, it is important that you be not afraid of speaking loudly and proudly your faith, but to never force that faith upon other people.

It does not need to be limited to Christianity. Malcolm X, upon returning from his pilgrimage to Mecca, immediately saw the brotherhood of all races as possible and even emphasized the need for the United States to understand Islam in order to address its racial issues.

Even Zohran Mamdani, the new mayor of New York City, has made no secret of his being Muslim as well as a Democratic Socialist. Even in the face of Islamophobic slander, Zohran has not wavered on his faith and his ideological beliefs. So much so that they have hurled “Socialist Jihadist” at him, which is certainly a buzzword.

Zohran Mamdani is not forcing everyone in New York City to revert to Islam or pay the jizyah. His faith drives his actions and his actions thus become his word.

What Christian Nationalists are attempting to do is force the idea of “we are a Christian nation”, in which Christianity is the law of the land and Christians are first-class citizens. A Christian Republic.

That is an idea and concept Dr. King could not get behind.

Dr. King was openly and proudly Christian, and on the day on which we remember and celebrate the good Reverend, I ask that people of all faiths remember his message of love, justice and equality for all of the people on earth. “All of God’s Children”, if you will.

The United States Pirate Party is a secular organization, and I don’t wish to let this religiously themed post convince you all we are taking a religious approach.

But individuals in the party, myself (Captain Jolly Mitch) included, are believers of some kind. It is the individual, not the movement, who should keep and live by their faith. If your faith is what brings you to do good for the world, then is that not reason enough to hold it proudly?

Remember, and Dr. King was the exemplar of this: faith without works is dead.


uspirates.org/remembering-dr-k…



ICYMI: Updates from the 1/18 Meeting


ICYMI

Arizona – the Arizona Pirate Party is seeking volunteers to assist with signature collecting for the Blase Henry campaign. If you are interested in helping Blase get on the ballot, check out their website or join their Discord to get in direct contact.

Pennsylvania – Drew Bingaman will be hosting campaign meet and greets for those in his district on February 2nd and 19th. Those interested can find out more by visiting his Facebook page and checking out “Events”.

Conference News – The conference, scheduled for Boston on June 6th, 2026, has been penciled in to be a two day conference, with the final conference business wrapping up on Sunday, June 7th.

In addition, discussions have begun over the theme/tagline for the 2026 conference. Further information such as keynote and guest speakers, as well as discussion topics, will be revealed in the coming weeks. The determination of the theme/tagline may come as soon as next week’s meeting. Discussions and suggestions are currently open on our Discord server.

Young Pirates USA – In accordance with their new bylaws, YPUSA have opened up nominations for Secretary, Signal Officer and Treasurer. A nomination form has been provided to YPUSA members and will close on January 27th, immediately before their next meeting. The Young Pirates will have a proper election come the June conference.


uspirates.org/icymi-updates-fr…



Cambridge/Somerville Pirate Meetup this Saturday


The next Cambridge/Somerville Pirate Meetup is this Saturday:

Afterwards, if the weather is good, we will map surveillance devices in the area.

Click the links to go to their respective registration pages. Knowing how many people plan to attend helps to choose the right sized table.

Looking forward to meeting with fellow pirates in Camberville!

PS: You can also join our local mailing list.


masspirates.org/blog/2026/01/1…




Full Stack Olympics: how Milano-Cortina 2026 becomes the ultimate laboratory for attackers
#CyberSecurity
insicurezzadigitale.com/olimpi…



Federica Cappelluti, from our board: #EU : #democracyshield: a shield against democracy?



📅 This week's events

🍹 Log Out @ Roma

🕒 21 January, 18:30 - 21 January, 21:30
📍 Vox Populi, Rome, Lazio
🔗 mobilizon.it/events/6a52e240-a…


🍹 Log Out @ Roma


On Wednesday 15 October we are back with the Logout of TWC Roma, the get-together for tech workers who want to meet up after work: a chance to socialise, get to know each other, talk about our work and about how to organise in the coming months!

See you on Wednesday 21 January at 18:30 at Vox Populi in San Lorenzo!

Join the Telegram group!






Windows 11 no longer shuts down: the January patch bug and the return of “shutdown /s /t 0”
#tech
spcnet.it/windows-11-non-si-sp…
@informatica



Why Coinbase derailed the political future of the crypto sector

The powerful exchange withdrew its support for the Senate CLARITY Act at the last minute, and the rest of the crypto world, from Kraken to a16z, is furious.

theverge.com/policy/864008/sen…

@pirati@feddit.it





I am not interested in bots, project names and open source software created by artificial intelligence

'OpenSlopware' blooms briefly, withers, falls – but luckily it was quickly forked

theregister.com/2026/01/18/ope…

@aitech




Board Meeting on 20.01.2026, 20:00 UTC / 21:00 CET


Our next PPI board meeting will take place on 20.01.2026, 20:00 UTC / 21:00 CET.

All official PPI proceedings, board meetings included, are open to the public. Feel free to stop by. We’ll be happy to have you.

Where: jitsi.pirati.cz/PPI-Board

Agenda: Pad: etherpad.pp-international.net/…

All of our meetings are posted to our calendar: pp-international.net/calendar/

We look forward to seeing visitors.

Thank you for your support,

The Board of PPI


pp-international.net/2026/01/b…





Raid of reporter’s home ignores federal law, constitutional freedoms


Dear Friend of Press Freedom,

More recent assaults on the First Amendment are dominating the headlines, but Rümeysa Öztürk has now been facing deportation for 297 days for co-writing an op-ed the government didn’t like, and journalist Ya’akub Vijandre remains locked up by Immigration and Customs Enforcement over social media posts about issues he reported on. Read on for more on a virtually unprecedented (and only half over) month of attacks on press freedom.

Raid of journalist’s home ignores federal law and constitutional freedoms


The FBI raid of the home of Washington Post reporter Hannah Natanson, reportedly to investigate a contractor accused of mishandling classified records, marked an alarming escalation in the Trump administration’s multipronged war on press freedom. All the while, Post billionaire owner Jeff Bezos remains silent.

The Department of Justice (and the judge who approved this outrageous warrant) is either ignoring or distorting the Privacy Protection Act, which restricts law enforcement from raiding newsrooms and reporters. The administration may now be in possession of volumes of journalist communications having nothing to do with any pending investigation.

Freedom of the Press Foundation (FPF) Chief of Advocacy Seth Stern, along with Chip Gibbons of Defending Rights & Dissent, wrote for The Guardian that, alarming as it was, the raid was the product of a decades-long backslide at both the federal and local level. And our Daniel Ellsberg Chair on Government Secrecy Lauren Harper wrote for The Intercept about how the raid was enabled by the Department of Justice’s revisions to its guidelines on searching journalists’ files. Harper previously exposed that the administration’s pretext for those revisions was a lie.

Reporter and security researcher Nikita Mazurov also wrote for us about measures reporters can take to minimize the risk to sources in the event of a raid or device seizure.


Don’t forget last week’s alarming intrusion on newsgathering


We told you last week about the House Oversight Committee’s bipartisan vote to subpoena journalist Seth Harp over a tweet identifying a high-ranking military officer involved in the abduction of Venezuelan President Nicolás Maduro.

Democrats reportedly supported the subpoena as part of a deal to also issue subpoenas related to the Jeffrey Epstein case. That was a big mistake — journalist subpoenas are a constitutional red line, not a bargaining chip. After all, if not for the source relationships that enabled reporters like the Miami Herald’s Julie Brown to expose Epstein’s crimes, he might still be on his island preying on young girls.

Worse yet, the subpoena will allow proponents of the Natanson raid and future intrusions to legitimize and “both sides” their assaults on the Constitution. You can use our action center tool to tell Congress to clean up the mess it made.


What the Maduro ‘extradition’ means for U.S. journalists


For journalists who work online, the most dangerous assumption is that press freedom is territorial. It is not. In the digital age, journalists publish globally by default, and states increasingly assert criminal jurisdiction globally as well.

The recent assertion of U.S. authority to abduct Maduro risks normalizing extraterritorial arrests for violations of the arresting country’s domestic laws, bypassing extradition procedures and other protections. As former federal computer crime prosecutor Mark Rasch wrote in a guest post for FPF, a country with repressive press laws could use the Trump administration’s actions to justify arresting U.S. journalists at home over online publications accessible elsewhere.


Wikipedia’s 25th birthday proves the power of free speech


Over the last quarter century, Wikipedia has gone from the source that teachers universally clamored “you can’t trust it” to one of the most reliable sources in a world of “disinformation” and AI-generated slop.

As FPF senior software engineer and volunteer Wikipedia editor Kunal Mehta explains, Wikipedia can only exist because of the robust free speech and free press safeguards that protect it (for now) in the United States.


Town hall on authoritarianism and the news


Rising authoritarianism impacts the news you depend on, whether you’re making choices in the ballot box or the doctor’s office. Journalists are facing increasing dangers that impact their work and their personal lives. FPF co-sponsored a town hall, available to stream now, which takes you behind the scenes of your news in 2026.


What we're reading


Stars and Stripes job applicants are asked if they back Trump policies

The Washington Post
The same people who spent years whining about alleged bias in government-funded media are now extracting loyalty pledges from prospective reporters and promising to refocus the newsroom of a publication that is statutorily guaranteed independence.


Who isn’t a domestic terrorist: 19th Prairieland defendant should concern us all

National Lawyers Guild
Any effort to criminalize use of encryption is a serious threat to press freedom — especially coming from the current administration. It’s noteworthy that this is the same prosecution in which the government seeks to criminalize possession of literature.


Mamdani names new media commissioner, undoes Adams’ 11th hour press access changes

New York Daily News
Former Mayor Eric Adams tried to restrict press access in New York just before his term ended. Good for his successor, Zohran Mamdani, for killing the proposed rules.


I’m a community journalist in New York City. Here’s why Mamdani’s ‘influencer presser’ stung

Poynter
On the other hand, Mamdani should not overlook community journalists in favor of friendly influencers. Sure, social media influences the youth, but young people also need to know how to critically consume real news so their opinions aren’t dictated by algorithms.


freedom.press/issues/raid-of-r…




Still relevant over a year later…


On January 9th of last year, we released an article, “MAGA-Flavored Imperialism”, as part of the Through the Spyglass series, condemning President Trump’s stated goals of annexing Greenland and the Panama Canal.

A little over a year later, the issue has reared its ugly head once again and needs reiterating.

As previously stated: “The alleged “anti-war candidate” seems to be just fine with US Imperialism.”

We reiterate our commitment to Pan-Americanism and a true Good Neighbor Policy. We, the United States Pirate Party, recognize that the actions taken by the President will only lead to bad blood and strained relationships between ourselves and our neighbors.

We already kidnapped the President of Venezuela in the middle of the night, which, despite how you might feel about Nicolás Maduro, is an escalation the United States cannot afford to make. We have spoken as much about it here.

Now, as he tries his luck again, the allies we have chosen to keep in Europe are sending non-NATO troops to Greenland in order to protect it from a potential U.S. invasion.

If the President’s gambit is to prove a dying empire “still got it”, then his plan must be marked as a failure. The world is unamused by the United States positioning and actions, and the backlash we will have to face is one from which I’m unsure we will ever truly recover.

Remember to read the original article, MAGA-Flavored Imperialism.

I understand people were tired of the status quo; we were too. But if this is the change of pace being offered, it is a marathon in the wrong direction.


uspirates.org/still-relevant-o…







On Wednesday 28 January at 7 pm, we will be at La Flèche d'Or in Paris alongside @TechnopoliceBXL to talk about spyware.
We will explain the dangers of this new form of surveillance and go back over the origins of this industrial market, which was built mainly in the Israeli military ecosystem and has today become a threat in many countries, including France.
All the information can be found here: agendamilitant.org/Logiciels-e…


in reply to La Quadrature du Net

I understood that 0-day brokers spread out the payments to make sure a black hat does not disclose the flaw to the software vendor

However, I did not understand what prevents a black hat from selling their discovery to several 0-day brokers / several countries




Origin-mo: the lazy trick that opened 40,000 WordPress sites to hackers
#CyberSecurity
insicurezzadigitale.com/origin…


Origin-mo: the lazy trick that opened 40,000 WordPress sites to hackers




Researchers have discovered a critical vulnerability in the Modular DS plugin for WordPress that allowed hackers to compromise over 40,000 sites with a surprisingly simple method.

The vulnerability CVE-2026-23550


The Modular DS plugin, installed on tens of thousands of WordPress sites, had a privilege escalation flaw rated with a CVSS score of 10.0, the maximum severity level. This weakness, identified as CVE-2026-23550 and catalogued in the Positive Technologies database, affected versions 2.5.1 and 2.5.2 and stemmed from a lack of proper authentication on the API endpoint /apimodular-connector/login. Attackers could send a GET request to this endpoint without credentials, exploiting parameters such as login, server-information and manager to escalate privileges and obtain full administrative access, including the login, server management and backup modules.

Patchstack detected the first exploitation attempts on 13 January 2026 at 02:00 UTC, with anomalous requests from IPs such as 45.11.89.19 and 185.196.0.11 aimed precisely at that vulnerable endpoint. The technique required neither complex payloads nor elaborate zero-day exploits: a simple HTTP call was enough to bypass the checks and inject an administrator account, allowing arbitrary commands to be executed on the underlying server.

The Origin header trick


The hackers refined the attack by adding an HTTP header "Origin: mo.", a seemingly innocuous string that the Modular DS plugin interpreted as an indicator of a legitimate request coming from the “originmo” domain. This header, combined with the lack of validation on the apimodular-connector API, convinced the system to treat the call as internal, evading further security checks. In practice, the attacker simulated a request from the plugin's own control panel, gaining instant access to sensitive functionality such as backup management and server information.

This approach, dubbed the “laziest method” by analysts, hit vulnerable sites en masse because it required no custom scanning or advanced tools: a simple header change in a standard GET request was enough to compromise the entire WordPress environment. Positive Technologies detailed how this mechanism allowed not only privilege escalation but also the insertion of persistent backdoors, with potential ramifications for the database and file system.

Impact and response


The exploit affected around 40,000 active installations of the plugin, exposing sites to the risk of defacement, data theft and further malware propagation through the integrated backup managers. Patchstack released an urgent patch in version 2.5.2, which introduces strict validation of Origin headers and API authentication, blocking unauthorised requests through nonce checks and IP whitelisting verification.

WordPress administrators must immediately check whether the Modular DS plugin is present, update it to the fixed version and monitor access logs for suspicious endpoints such as /apimodular-connector/.
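As an added example (not part of the article, nor code from Patchstack, Positive Technologies or the Modular DS project), the following Python script applies the log-monitoring advice above: it flags access-log lines that hit /apimodular-connector/, carry the parameters the article names, or carry the "Origin: mo." marker, and ranks a served request higher than one that was rejected. It assumes a constructed log format (combined format with the Origin header appended as a trailing quoted field); the sample lines are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed log format (constructed for this example): the "combined" format with
# the request's Origin header appended as one extra quoted field, as nginx would
# produce with $http_origin at the end of a custom log_format. The origin field is
# optional so plain combined-format lines still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
    r'(?: "(?P<origin>[^"]*)")?\s*$'
)

CONNECTOR_PREFIX = "/apimodular-connector/"
# Query parameters the article names as abused on the connector login endpoint.
ABUSED_PARAMS = {"login", "server-information", "manager"}
# The article's "Origin: mo." marker; compared case-insensitively.
ORIGIN_MARKER = "mo."


@dataclass
class Finding:
    ip: str
    time: str
    status: int
    target: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # A served (2xx) request that also shows the abused parameters or the
        # Origin marker looks like successful exploitation; anything else on the
        # connector path is worth a look but may be a scanner hitting a patched site.
        exploit_like = len(self.reasons) >= 2
        return "high" if exploit_like and 200 <= self.status < 300 else "medium"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def assess(rec: dict) -> Optional[Finding]:
    """Return a Finding if the record touches the Modular DS connector endpoint."""
    path, _, query = rec["target"].partition("?")
    if not path.startswith(CONNECTOR_PREFIX):
        return None
    finding = Finding(rec["ip"], rec["time"], int(rec["status"]), rec["target"])
    finding.reasons.append("request to Modular DS connector endpoint")
    params = {p.partition("=")[0].lower() for p in query.split("&") if p}
    abused = sorted(params & ABUSED_PARAMS)
    if path == CONNECTOR_PREFIX + "login" and rec["method"] == "GET" and abused:
        finding.reasons.append(f"GET to login endpoint with abused parameters {abused}")
    origin = (rec.get("origin") or "").strip()
    if origin.lower().startswith(ORIGIN_MARKER):
        finding.reasons.append(f'Origin header "{origin}" matches the exploitation marker')
    return finding


def scan(lines) -> List[Finding]:
    """Run assess() over every parseable line; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = assess(rec)
        if f:
            findings.append(f)
    return findings


def per_source(findings) -> Dict[str, int]:
    """Count findings per source IP, useful for deciding what to block or report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


# Constructed sample lines (not real traffic). The two source IPs are the ones the
# article quotes; timestamps, sizes and user agents are made up.
SAMPLE_LOG = [
    '45.11.89.19 - - [13/Jan/2026:02:00:11 +0000] "GET /apimodular-connector/login?login=1&manager=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "mo."',
    '185.196.0.11 - - [13/Jan/2026:02:03:45 +0000] "GET /apimodular-connector/login?server-information=1 HTTP/1.1" 200 2048 "-" "curl/8.5.0" "-"',
    '203.0.113.7 - - [13/Jan/2026:02:05:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "-"',
    '45.11.89.19 - - [14/Jan/2026:09:12:30 +0000] "GET /apimodular-connector/login?login=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0" "mo."',
    '198.51.100.4 - - [14/Jan/2026:09:13:00 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ip:14} {f.time}  {f.target}")
        for r in f.reasons:
            print(f"       - {r}")
    print("per source:", per_source(scan(SAMPLE_LOG)))
```

On the sample, the two 13 January requests come out as high (served, with abused parameters and, for the first, the Origin marker), while the 14 January request against a site that now answers 403 is medium.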

This discussion is also open on Feddit at @informatica





Let's also welcome my blog InsicurezzaDigitale to the #fediverso. It is now a federated blog, so you can follow it from here too: @blog

PS: little by little I'm bringing over all the projects 😂