Aggregator

A vulnerability classified as critical was found in CodeAstro Student Attendance Management System 1.0. This impacts an unknown function of the file /attendance-php/Admin/createClass.php?action=edit. The manipulation of the argument ID results in sql injection. This vulnerability is known as CVE-2026-11584. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability classified as critical has been found in CodeAstro Student Attendance Management System 1.0. This affects an unknown function of the file /attendance-php/Admin/createClass.php. The manipulation of the argument className leads to sql injection. This vulnerability is traded as CVE-2026-11583. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability described as critical has been identified in CodeAstro Student Attendance Management System 1.0. The impacted element is an unknown function of the file /attendance-php/index.php. Executing a manipulation of the argument Username can lead to sql injection. This vulnerability appears as CVE-2026-11582. The attack may be performed from remote. In addition, an exploit is available.

Submit #836800 / VDB-369182

Submit #836799 / VDB-369181

Submit #836798 / VDB-369180

Submit #836796 / VDB-369179

A vulnerability marked as problematic has been reported in Check Point Quantum Security Gateway and Spark Firewalls. The affected element is an unknown function. Performing a manipulation results in improper certificate validation. This vulnerability is reported as CVE-2026-50752. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability labeled as critical has been found in Check Point Quantum Security Gateway and Spark Firewalls. Impacted is an unknown function of the component IKEv1 Key Exchange Handler. Such manipulation leads to improper authentication. This vulnerability is documented as CVE-2026-50751. The attack can be executed remotely. There is not any exploit available.

A vulnerability identified as problematic has been detected in Red Hat Quay 3. This issue affects some unknown processing of the component Filedrop Endpoint. This manipulation causes cross site scripting. This vulnerability is registered as CVE-2026-11569. Remote exploitation of the attack is possible. No exploit is available.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2026-42271 BerriAI LiteLLM Command Injection Vulnerability
• CVE-2026-50751 Check Point Security Gateway Improper Authentication Vulnerability

These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

A vulnerability categorized as problematic has been discovered in wpzoom Recipe Card Blocks Lite Plugin up to 3.4.13 on WordPress. This vulnerability affects the function WPZOOM_Helpers::deserialize_block_attributes. The manipulation of the argument summary/notes results in cross site scripting. This vulnerability is cataloged as CVE-2026-3011. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Webkul Bagisto 2.4.1. It has been rated as critical. This affects an unknown part of the component ImageCacheController. The manipulation of the argument filename leads to path traversal. This vulnerability is listed as CVE-2026-9506. The attack may be initiated remotely. There is no available exploit.

Mythos is real. I know a big chunk of the industry thinks it's a marketing stunt, and I get why. I get it. But I've seen the findings, and they're bad. These aren't "whoops, this line right here is wrong, and that's RCE." They're novel combinations of a few dozen issues out of thousands of things every SAST scanner already finds, chained together into something much worse. It's real creativity,

Что известно о группировке Pink, которая не взламывает системы, а просто просит пустить внутрь.

Ridge Security has announced the release of RidgeBot 7.0, an update to its automated security validation platform that introduces automated Windows Active Directory penetration testing capabilities. The new version enables organizations to conduct end-to-end domain compromise simulations, helping security teams identify attack paths and prioritize exploitable risks. RidgeBot 7.0 delivers automated Active Directory penetration testing scenarios that include enumeration, credential extraction, lateral movement, and Domain Admin path validation. All attack activities are mapped to the … More →

The post RidgeBot 7.0 automates Active Directory attack simulations for security validation appeared first on Help Net Security.

Meta says an Instagram recovery tool bug allowed attackers to abuse password resets, affecting 20,225 accounts and exposing users without 2FA to account takeover risk.

ConnectSecure has announced the launch of Patch 360, a patch management solution built for managed service providers (MSPs) to reduce deployment risk while accelerating vulnerability remediation. Patch management has long followed a “deploy-and-hope” model, with teams addressing critical issues only after users are impacted. Patch 360 replaces that approach with a rigorous test-and-trust framework that allows MSPs to validate patches before broad deployment, with visibility from prioritization and pilot testing through rollout and rollback. “As … More →

The post ConnectSecure’s Patch 360 gives MSPs control over patch testing and deployment appeared first on Help Net Security.

Microsoft показала устройства, которые заменят обычный компьютер на работе.

The University of Oxford disclosed a new data breach last week after being informed by its third-party provider, Group GTI, that its CareerConnect career services platform had been compromised. [...]