Aggregator

该漏洞源于服务端 authorized() 中间件在识别 Webhook 路径时使用了非锚定正则表达式，导致其错误地匹配了 URL 中的查询参数。远程攻击者只需在 API 请求末尾拼接特定的 Webhook 路径字符串（如 ?/webhooks/trigger），即可绕过身份认证、角色鉴权及 CSRF 防护，实现对服务端所有 API 端点的完全访问与操作。

引言随着大型语言模型（LLM）和深度学习技术在安全领域的广泛应用，传统的基于特征码、抽象语法树（AST）或沙箱行为分析的 Webshell 检测手段正逐渐向基于 AI 的语义分析演进。AI 模型能够理解代码的逻辑意图，从而识别出经过复杂混淆的恶意脚本。然而，AI 模型本身存在一个本质性的弱点：它们在处理代码时，往往将代码逻辑与注释、元数据等“非执行内容”置于同一语义空间进行推理。这就为提示词注入（

U.S. agencies warn Iran-linked threat actors are targeting internet-exposed PLCs used in critical infrastructure networks. U.S. agencies, including the FBI and CISA, warn that Iran-linked hackers are targeting internet-exposed Rockwell/Allen-Bradley PLCs used in critical infrastructure. The agencies published a joint advisory involving multiple federal organizations. “Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity […]

OpenSSL has released a broad April 2026 security update that fixes seven vulnerabilities across supported branches, led by CVE-2026-31790, a moderate-severity flaw in RSA KEM RSASVE encapsulation that can expose uninitialized memory to a malicious peer. The advisory directs users of vulnerable 3.x releases to move to OpenSSL 3.0.20, 3.3.7, 3.4.5, 3.5.6, or 3.6.2, depending […]

The post Multiple OpenSSL Vulnerabilities Exposes Sensitive Data in RSA KEM Handling appeared first on Cyber Security News.

A vulnerability identified as problematic has been detected in Apple macOS up to 14.6/15.1. This impacts an unknown function. Performing a manipulation results in information disclosure. This vulnerability is identified as CVE-2024-54519. The attack is only possible with local access. There is not any exploit available. You should upgrade the affected component.

A vulnerability identified as critical has been detected in Apple tvOS. Affected by this issue is some unknown functionality. The manipulation leads to memory corruption. This vulnerability is referenced as CVE-2024-54518. The attack can only be performed from a local environment. No exploit is available. You should upgrade the affected component.

A vulnerability labeled as critical has been found in Apple macOS. This affects an unknown part. The manipulation results in memory corruption. This vulnerability is identified as CVE-2024-54518. The attack is only possible with local access. There is not any exploit available. The affected component should be upgraded.

A vulnerability marked as critical has been reported in Apple watchOS. This vulnerability affects unknown code. This manipulation causes memory corruption. This vulnerability is tracked as CVE-2024-54518. The attack is restricted to local execution. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability described as critical has been identified in Apple iOS and iPadOS. This issue affects some unknown processing. Such manipulation leads to memory corruption. This vulnerability is listed as CVE-2024-54518. The attack must be carried out locally. There is no available exploit. Upgrading the affected component is recommended.

A vulnerability classified as critical has been found in Apple tvOS. Impacted is an unknown function. Performing a manipulation results in memory corruption. This vulnerability is cataloged as CVE-2024-54522. The attack must be initiated from a local position. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in Apple macOS. The affected element is an unknown function. Executing a manipulation can lead to memory corruption. This vulnerability is registered as CVE-2024-54522. The attack needs to be launched locally. No exploit is available. Upgrading the affected component is advised.

A vulnerability, which was classified as critical, has been found in Apple watchOS. The impacted element is an unknown function. The manipulation leads to memory corruption. This vulnerability is documented as CVE-2024-54522. The attack needs to be performed locally. There is not any exploit available. It is advisable to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Apple iOS and iPadOS. This affects an unknown function. The manipulation results in memory corruption. This vulnerability is reported as CVE-2024-54522. The attack requires a local approach. No exploit exists. You should upgrade the affected component.

A vulnerability has been found in Apple tvOS and classified as critical. This impacts an unknown function. This manipulation causes memory corruption. This vulnerability appears as CVE-2024-54517. The attack requires local access. There is no available exploit. The affected component should be upgraded.

A vulnerability was found in Apple macOS and classified as critical. Affected is an unknown function. Such manipulation leads to memory corruption. This vulnerability is traded as CVE-2024-54517. An attack has to be approached locally. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability was found in Apple watchOS. It has been classified as critical. Affected by this vulnerability is an unknown functionality. Performing a manipulation results in memory corruption. This vulnerability is known as CVE-2024-54517. Attacking locally is a requirement. No exploit is available. Upgrading the affected component is recommended.

A vulnerability was found in Apple iOS and iPadOS. It has been declared as critical. Affected by this issue is some unknown functionality. Executing a manipulation can lead to memory corruption. This vulnerability is handled as CVE-2024-54517. It is possible to launch the attack on the local host. There is not any exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Apple macOS up to 13.6/14.6/15.1. It has been rated as critical. This affects an unknown part. The manipulation leads to path traversal. This vulnerability is uniquely identified as CVE-2024-54520. Local access is required to approach this attack. No exploit exists. Upgrading the affected component is advised.

2026数字中国创新大赛数字安全赛道暨 三明市第六届“红明谷”杯 pwn 全解解析 附带附件

本文旨在研究 PDF 解析器 Xpdf 中的深度递归漏洞（CVE-2019-13288）。通过使用 AFL++ 模糊测试工具对 Xpdf 3.02 进行压力测试，成功捕获了由于畸形 PDF 文件引起的拒绝服务（DoS）崩溃