Aggregator

美国网络安全和基础设施安全局（CISA）及其G7合作伙伴发布了关于AI软件物料清单（AI SBOM）的最低要素指南。

A critical authentication bypass vulnerability facilitating unauthenticated remote code execution (RCE) has been isolated within the ChromaDB architecture.

The post ChromaToast Exploit: Unpatched CVSS 10.0 Flaw Grants Pre-Auth RCE in ChromaDB Python Server appeared first on Information Security News.

During the previous summer season, the sovereign nation of Luxembourg suffered a catastrophic, near-total collapse of its domestic

The post The Silent Blackout: Unpatched Huawei Router Zero-Day Crushed Luxembourg’s Telecom Grid appeared first on Information Security News.

GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension, compromised in last week's TanStack npm supply-chain attack. [...]

上周五，中国海关将去年 8 月英伟达为通过美国出口管制规定而推出的 RTX 5090DV2 显卡列入封禁清单。该清单最初包括 H200 和 H20。H20 是英伟达此前在中国市场销售的另一款中国特供芯片。在京东和淘宝等主要电商平台，RTX 5090DV2 仍在销售，价格在 1.8 万-2.2 万元之间，意味着现有库存仍然能正常销售，但随着进口的消失，其数量将会越来越少。

事件仍在调查中

速修复

Discord now enables end-to-end encryption by default for all voice and video calls, making conversations inaccessible even to the platform itself. No announcement fanfare, no opt-in required, no settings to dig through. Discord flipped a switch on Monday and end-to-end encryption is now the default for every voice and video call on the platform. If […]

Почему старые критерии больше не работают и на что обратить внимание сейчас

攻击者通过伪装成“接手维护”的方式获取开源项目art-template的控制权，随后在其4.13.5和4.13.6版本中植入恶意代码。该恶意代码在被下游应用调用时，会在用户浏览器中注入远程脚本加载器，将iOS Safari用户重定向至包含类似Coruna漏洞利用框架的水坑站点。

Google 周三公开了一个未修复 Chromium 漏洞的利用代码。该漏洞影响所有使用基于 Chromium 浏览器的用户。独立安全研究员 Lyra Rebane 在 2022 年底向 Google 报告了漏洞，但 29 个月后它仍然没有修复。本周三上午 Google 向 Chromium 的 bug 跟踪系统披露了漏洞，Rebane 一开始以为漏洞已经修复了，结果发现根本没有。Google 虽然之后删除了帖子，但其内容已被其它网站存档。该漏洞滥用了 Chromium 的 Browser Fetch API 打开一个持续活动的 Service Worker，恶意网站可通过 JavaScript 触发该 Service Worker 创建连接，监视用户的部分活动，它还可作为代理访问网站和发起 DDoS 攻击。安全研究人员认为这是一个严重的漏洞，它实际上相当于一个受限的后门，将浏览器变成僵尸网络的一部分。

Взломщикам достались домашние адреса, телефоны и маршруты поездок миллионов семей.

A vulnerability was found in themefusion Avada Builder Plugin up to 3.15.2 on WordPress and classified as problematic. This issue affects some unknown processing of the component Dynamic Data Feature. Executing a manipulation can lead to cross site scripting. The identification of this vulnerability is CVE-2026-1543. The attack may be launched remotely. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability has been found in MLflow up to 3.9.x and classified as critical. This vulnerability affects unknown code of the component REST API. Performing a manipulation of the argument BEFORE_REQUEST_VALIDATORS/AFTER_REQUEST_HANDLERS results in improper access controls. This vulnerability was named CVE-2026-2734. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.

A vulnerability, which was classified as critical, was found in themefusion Avada Builder Plugin up to 3.15.2 on WordPress. This affects the function Fusion_Builder_Conditional_Render_Helper::get_value of the component AJAX Endpoint. Such manipulation leads to injection. This vulnerability is uniquely identified as CVE-2026-6279. The attack can be launched remotely. No exploit exists. You should upgrade the affected component.

Объективно измерить подлинные навыки теперь абсолютно невозможно.

Dark web activity often becomes visible during marketplace seizures, major data leaks, or sudden spikes in criminal activity. Those events can create an impression of an ecosystem where attention shifts quickly and new trends regularly replace old ones. A six-year dataset covering more than 25,000 dark web sites tracked what people discussed in underground forums and marketplaces and how those discussions changed over time. The work drew from more than 11 million archived snapshots collected … More →

The post Most dark web activity revolves around a handful of topics appeared first on Help Net Security.

Двойная ошибка, которая поставила под удар всю инфраструктуру FTF Live.