Aggregator
Xiaoman (Grain Buds) | Xiaoman has arrived, guard cybersecurity with care
3 weeks 6 days ago
Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks
3 weeks 6 days ago
Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure.
The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is
The Hacker News
Vulnerability Alert | Linux kernel local privilege escalation vulnerability combining RDS zero-copy and io_uring (PinTheft)
3 weeks 6 days ago
[Review] The first classic "Chuan-volume"-pattern stock I held | 股是股非
3 weeks 6 days ago
The first classic "Chuan-volume"-pattern stock I got hold of
dom-xss bypass
3 weeks 6 days ago
Samsung Electronics labor-management talks reach preliminary agreement; strike called off
3 weeks 6 days ago
With only one hour left before the general strike was due to start at 23:00 on the 20th, the Samsung Electronics union reached a dramatic agreement with Samsung Electronics and the strike was called off. Under the preliminary agreement the two sides reached on the performance bonus scheme, employees of the Device Solutions (DS) division, which runs the semiconductor business, stand to receive performance bonuses of up to about 600 million won (roughly 2.723 million yuan) this year. Labor and management agreed to keep the existing year-end performance bonus (OPI) system while creating a new special semiconductor performance bonus for the DS division. The company will set aside 10.5% of its earnings as the funding source for the special bonus, with no cap. Of that funding, 40% will be allocated to the DS division and the remaining 60% to its sub-divisions; the bonus paid uniformly to administrative departments will be at 70% of the level of the Memory business unit within the DS sub-divisions. Per-capita performance bonuses are expected to reach 600 million won.
Butian Dragon Boat Festival Event, Round 1 | "Zong" (crowd) testing with gifts
3 weeks 6 days ago
From January 1 to June 5, 2026, every white-hat researcher who submits a valid Butian crowd-testing vulnerability (approved by the vendor) during that period will receive one 2026 Butian custom Dragon Boat Festival gift box.
Butian Dragon Boat Festival Event, Round 2 | Exclusive SRC programs arrive, rewards doubled at 5 major vendors!
3 weeks 6 days ago
Event period: May 21 to June 4
CVE-2026-43995 | FlowiseAI Flowise up to 3.0.12 API Document Loader APILoader.ts axios.get pageContent server-side request forgery
3 weeks 6 days ago
A vulnerability was found in FlowiseAI Flowise up to 3.0.12. It has been declared as critical. This vulnerability affects the function axios.get of the file packages/components/nodes/documentloaders/API/APILoader.ts of the component API Document Loader Component. Executing a manipulation of the argument pageContent can lead to server-side request forgery.
This vulnerability is handled as CVE-2026-43995. The attack can be executed remotely. Additionally, an exploit exists.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2026-43995 | FlowiseAI Flowise up to 3.0.12 Custom MCP validateMCPServerConfig server-side request forgery
3 weeks 6 days ago
A vulnerability was found in FlowiseAI Flowise up to 3.0.12. It has been rated as critical. This issue affects the function validateMCPServerConfig of the component Custom MCP Component. The manipulation leads to server-side request forgery.
This vulnerability is uniquely identified as CVE-2026-43995. The attack is possible to be carried out remotely. Moreover, an exploit is present.
Upgrading the affected component is advised.
vuldb.com
CVE-2026-43995 | FlowiseAI Flowise up to 3.0.12 OpenAPI Toolkit OpenAPIToolkit.ts loadOpenApiSpec server-side request forgery
3 weeks 6 days ago
A vulnerability categorized as critical has been discovered in FlowiseAI Flowise up to 3.0.12. Impacted is the function loadOpenApiSpec of the file packages/components/nodes/tools/OpenAPIToolkit/OpenAPIToolkit.ts of the component OpenAPI Toolkit. The manipulation results in server-side request forgery.
This vulnerability was named CVE-2026-43995. The attack may be performed from remote. In addition, an exploit is available.
It is advisable to upgrade the affected component.
vuldb.com
CVE-2026-43465 | Linux Kernel up to 6.18.18/6.19.8 mlx5e bpf_xdp_pull_data privilege escalation
3 weeks 6 days ago
A vulnerability, which was classified as problematic, was found in Linux Kernel up to 6.18.18/6.19.8. Impacted is the function bpf_xdp_pull_data of the component mlx5e. Executing a manipulation can lead to privilege escalation.
The identification of this vulnerability is CVE-2026-43465. The attack needs to be done within the local network. There is no exploit available.
You should upgrade the affected component.
vuldb.com
CVE-2026-43464 | Linux Kernel up to 6.18.18/6.19.8 mlx5e bpf_xdp_pull_data privilege escalation
3 weeks 6 days ago
A vulnerability was found in Linux Kernel up to 6.18.18/6.19.8. It has been classified as problematic. This affects the function bpf_xdp_pull_data of the component mlx5e. This manipulation causes privilege escalation.
This vulnerability is tracked as CVE-2026-43464. The attack is only possible within the local network. No exploit exists.
Upgrading the affected component is recommended.
vuldb.com
CVE-2026-43461 | Linux Kernel up to 6.18.18/6.19.8 spi aml_sfc_dma_buffer_setup buffer overflow
3 weeks 6 days ago
A vulnerability was found in Linux Kernel up to 6.18.18/6.19.8. It has been declared as critical. The impacted element is the function aml_sfc_dma_buffer_setup of the component spi. Such manipulation leads to buffer overflow.
This vulnerability is referenced as CVE-2026-43461. The attack needs to be initiated within the local network. No exploit is available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2026-43463 | Linux Kernel up to 6.18.18/6.19.8 rxrpc_kernel_lookup_peer allocation of resources
3 weeks 6 days ago
A vulnerability was found in Linux Kernel up to 6.18.18/6.19.8. It has been rated as critical. This affects the function rxrpc_kernel_lookup_peer. Performing a manipulation results in allocation of resources.
This vulnerability is identified as CVE-2026-43463. The attack can only be performed from the local network. There is not any exploit available.
Upgrading the affected component is advised.
vuldb.com
CVE-2026-43471 | Linux Kernel up to 6.6.129/6.12.77/6.18.18/6.19.8 scsi ufshcd_add_command_trace null pointer dereference
3 weeks 6 days ago
A vulnerability has been found in Linux Kernel up to 6.6.129/6.12.77/6.18.18/6.19.8 and classified as critical. Impacted is the function ufshcd_add_command_trace of the component scsi. This manipulation causes null pointer dereference.
This vulnerability appears as CVE-2026-43471. The attacker needs to be present on the local network. There is no available exploit.
The affected component should be upgraded.
vuldb.com
CVE-2026-43476 | Linux Kernel up to 6.19.8 iio sps30_i2c_read_meas buffer overflow (WID-SEC-2026-1531)
3 weeks 6 days ago
A vulnerability classified as critical has been found in Linux Kernel up to 6.19.8. This impacts the function sps30_i2c_read_meas of the component iio. Performing a manipulation results in buffer overflow.
This vulnerability is reported as CVE-2026-43476. The attacker must have access to the local network to execute the attack. No exploit exists.
It is recommended to upgrade the affected component.
vuldb.com
Cybersecurity Information and Trends Weekly Report, 2026 Issue 20 (May 11 to May 17)
3 weeks 6 days ago
This week, the overall Internet cybersecurity posture is rated as good.
RPITX-UI: A Modernized, Easier to Use Fork of the RPITX Raspberry Pi Transmitter Software
3 weeks 6 days ago
Thank you to Ihar Yatsevich for writing in about his release of rpitx-ui, a modernized fork of F5OE