Aggregator

7月全球数据泄露态势月度报告，欢迎查看

A vulnerability classified as critical has been found in LiuYuYang01 ThriveX-Blog up to 3.1.7. Affected by this vulnerability is the function updateJsonValueByName of the file /web_config/json/name/web. Performing manipulation results in improper authorization. This vulnerability is cataloged as CVE-2025-9151. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

为了知识，为了永不消逝的黑客精神

A vulnerability described as critical has been identified in Surbowl dormitory-management-php up to 9f1d9d1f528cabffc66fda3652c56ff327fda317. Affected is an unknown function of the file /admin/violation_add.php?id=2. Such manipulation of the argument ID leads to sql injection. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is listed as CVE-2025-9150. The attack may be performed from a remote location. In addition, an exploit is available. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed.

Submit #629873 / VDB-320530

A vulnerability marked as critical has been reported in Wavlink WL-NU516U1 M16U1_V240425. This impacts the function sub_4032E4 of the file /cgi-bin/wireless.cgi. This manipulation of the argument Guest_ssid causes command injection. This vulnerability is tracked as CVE-2025-9149. The attack is possible to be carried out remotely. Moreover, an exploit is present.

Submit #629618 / VDB-320529

Submit #629181 / VDB-320528

A vulnerability labeled as critical has been found in CodePhiliaX Chat2DB up to 0.3.7. This affects an unknown function of the file ai/chat2db/server/web/api/controller/data/source/DataSourceController.java of the component JDBC Connection Handler. The manipulation results in sql injection. This vulnerability is identified as CVE-2025-9148. The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A sophisticated malware campaign has been identified, utilizing PipeMagic, a highly modular backdoor deployed by the financially motivated threat actor Storm-2460.  This advanced malware masquerades as a legitimate open-source ChatGPT Desktop Application while exploiting the zero-day vulnerability CVE-2025-29824 in Windows Common Log File System (CLFS) to deploy ransomware across multiple sectors globally. Key Takeaways1. PipeMagic […]

The post PipeMagic Malware Mimic as ChatGPT App Exploits Windows Vulnerability to Deploy Ransomware appeared first on Cyber Security News.

Submit #628912 / VDB-320527

在自然界中，多数雄性果蝇通过快速振动翅膀来创造声音模式或“求爱之歌”来求爱。然而 Drosophila subobscura 演化出了一种非常不同的策略：雄性提供食物，并在求偶期间将其作为礼物送给雌性。这种行为在近亲物种中并不存在，比如 D. melanogaster（黑腹果蝇）。两种果蝇大约在 3000 万到 3500 万年前分化。它们都有一个叫做“fruitless”或简称“fru”的基因，控制雄性的求偶行为，但它们使用不同的策略——一个物种唱歌，另一个物种送礼物。研究人员发现了这种差异的原因：在送礼物的果蝇（D. subbobscura）中，产生胰岛素的神经元与大脑中的求爱控制中心相连，而在唱歌的果蝇（D. melanogaster）中，这些细胞保持不连接。通过打开产生胰岛素的神经元中的一个基因，研究小组成功地让黑腹果蝇完成了它以前从未做过的送礼物求偶。

A vulnerability identified as problematic has been detected in jasonclark getsemantic up to 040c96eb8cf9947488bd01b8de99b607b0519f7d. The impacted element is an unknown function of the file /index.php. The manipulation of the argument view leads to cross site scripting. This vulnerability is referenced as CVE-2025-9147. Remote exploitation of the attack is possible. Furthermore, an exploit is available. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way.

印度尼西亚，正以一种前所未有的姿态，重塑其国防战略，而这一切的幕后推手，正是新任总统普拉博沃·苏比安托。他的

模因战争：从猫咪表情包到认知武器近年来，一个看似荒诞的场景正在上演：美国军事智库和国防机构严肃地投入巨资研究“

Enterprise security strategies have evolved dramatically to address modern threats, yet SSH keys—critical cryptographic credentials that provide direct access to mission-critical systems—remain largely ungoverned and poorly managed across organizations. Despite their fundamental role in securing remote access to servers, cloud infrastructure, and automated processes, SSH keys represent one of the most significant blind spots in […]

The post SSH Keys Are Crucial for Secure Remote Access but Often Remain a Blind Spot in Enterprise Security appeared first on Cyber Security News.

由 NASA 与法国国家空间研究中心（CNES）联合研制的地表水和海洋地形卫星（SWOT）所提供的数据，正助力改进海啸预报模型，为沿海社区带来福祉。当地震或水下滑坡等扰动的强度足以让从海底到海面的水体发生位移时，就会引发海啸。当地时间 7 月 30 日 11 时 25 分，俄罗斯堪察加半岛近海发生 8.8 级地震并引发海啸，SWOT 在地震发生约 70 分钟后记录下了此次海啸。SWOT 数据从多个维度呈现了堪察加地震引发的海啸前沿情况。测量数据包括超过 45 厘米的波高——在高亮轨迹中以红色显示，以及海啸前沿的形状和传播方向。在视觉图像中从西南向东北延伸的高亮区域所示的 SWOT 数据，与美国国家海洋和大气管理局（NOAA）海啸研究中心制作的海啸预报模型形成对比。将二者进行比对，有助于预报人员验证模型，确保准确性。

Submit #628786 / VDB-320526

A vulnerability categorized as problematic has been discovered in Linksys E5600 1.1.0.26. The affected element is the function verify_gemtek_header of the file checkFw.sh of the component Firmware Handler. Executing manipulation can lead to risky cryptographic algorithm. The identification of this vulnerability is CVE-2025-9146. The attack may be launched remotely. There is no exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

Уязвимости «РЕД Базы Данных» будут искать на Standoff Bug Bounty.