Aggregator

A vulnerability has been found in Sequelize up to 6.37.7 and classified as critical. Affected by this vulnerability is the function _traverseJSON. This manipulation causes sql injection. This vulnerability is registered as CVE-2026-30951. Remote exploitation of the attack is possible. No exploit is available. The affected component should be upgraded.

A vulnerability was found in grpc grpc-go up to 1.79.2. It has been declared as critical. Impacted is an unknown function. Such manipulation leads to improper authorization. This vulnerability is listed as CVE-2026-33186. The attack may be performed from remote. There is no available exploit. It is recommended to upgrade the affected component.

A vulnerability was found in Lodash up to 4.17.x and classified as critical. Affected by this issue is the function Function of the component Parameter Handler. The manipulation of the argument options.imports results in code injection. This vulnerability was named CVE-2026-4800. The attack may be performed from remote. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability classified as critical has been found in Squid Web Proxy up to 6.3. Affected by this vulnerability is an unknown functionality of the component URN Handler. The manipulation leads to heap-based buffer overflow. This vulnerability is uniquely identified as CVE-2025-54574. The attack is possible to be carried out remotely. No exploit exists. It is recommended to upgrade the affected component.

A vulnerability was found in go-jose up to 3.0.4/4.1.3 on JSON. It has been declared as problematic. Affected by this vulnerability is the function cipher.KeyUnwrap. Executing a manipulation can lead to uncaught exception. The identification of this vulnerability is CVE-2026-34986. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

Старый хищник освоил новые повадки и стал гораздо придирчивее к окружению.

今年 OffensiveCon 又在老地方柏林希尔顿举办。上一次去 OffensiveCon 是两年前了，当

电脑越用越乱，大概是很多人的共同问题。桌面文件堆成山、截图随手乱放、下载目录简直一团乱麻；想找一个文档，结果翻了半天才发现藏在不知道哪个文件夹里。更崩溃的是 —— 很多时候不是电脑硬件配置不够用，而是

Carding forum B1ack’s Stash claims to have released millions of stolen CVV2 payment card records for free after suspending sellers. B1ack’s Stash, one of the most active stolen card marketplaces on the dark web, has released 4.6 million credit card records for free, not because of a law enforcement action or a system compromise, but […]

Carding site B1ack’s Stash dumps 4.6 Million stolen cards for free

本次 Shai-Hulud 供应链投毒行动是一场规模大、效率高、隐蔽层次深的 npm 生态攻击。

环境异常 当前环境异常，完成验证后即可继续访问。 去验证

Преступники заставили легальные программы качать вирусы.

CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2008-4250 Microsoft Windows Buffer Overflow Vulnerability
• CVE-2009-1537 Microsoft DirectX NULL Byte Overwrite Vulnerability
• CVE-2009-3459 Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
• CVE-2010-0249 Microsoft Internet Explorer Use-After-Free Vulnerability
• CVE-2010-0806 Microsoft Internet Explorer Use-After-Free Vulnerability
• CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability
• CVE-2026-45498 Microsoft Defender Denial of Service Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

New Industry Data Just Released Suggests Not. On May 19th, 2026, Orchid Security released the results of our Identity Gap: Snapshot 2026. Among the findings, "identity dark matter" (the unseen, unmanaged elements of identity) now overshadows the visible elements 57% vs. 43%. And it couldn't have occurred at a worse time, with enterprises embracing Agent AI with both arms (and unfortunately, as

Identity Security / Enterprise SecurityNew Industry Data Just Released Suggests Not.On May 19th

A vulnerability labeled as critical has been found in Mozilla Firefox up to 149. The affected element is an unknown function of the component Cocoa. The manipulation results in use after free. This vulnerability is reported as CVE-2026-6759. The attack can be launched remotely. No exploit exists. The affected component should be upgraded.

A vulnerability marked as critical has been reported in Mozilla Firefox up to 149. This issue affects some unknown processing of the component postMessage. The manipulation leads to Remote Code Execution. This vulnerability is traded as CVE-2026-6755. It is possible to initiate the attack remotely. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability identified as critical has been detected in Mozilla Firefox up to 149. Impacted is an unknown function of the component WebAssembly. The manipulation leads to use after free. This vulnerability is documented as CVE-2026-6758. The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component.

A vulnerability classified as problematic was found in Mozilla Firefox up to 149 on Android. Affected is an unknown function. Executing a manipulation can lead to an unknown weakness. This vulnerability is handled as CVE-2026-6756. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is advised.