Aggregator
CVE-2026-35561 | Amazon Athena ODBC Driver 2.0.5.1 Browser-based Authentication authorization (EUVD-2026-18857)
4 weeks ago
A vulnerability rated as problematic has been detected in Amazon Athena ODBC Driver 2.0.5.1. It affects an unknown function of the Browser-based Authentication component; the manipulation results in missing authorization.
This vulnerability is identified as CVE-2026-35561. The attack can be launched remotely. No exploit is available.
You should upgrade the affected component.
vuldb.com
INC
4 weeks ago
cohenido
CVE-2026-30867 | emqx CocoaMQTT up to 2.2.1 Retained Message assertion (GHSA-r3fr-7m74-q7g2 / EUVD-2026-18235)
4 weeks ago
A vulnerability was found in emqx CocoaMQTT up to 2.2.1 and rated as problematic. It affects an unknown function of the Retained Message Handler component; the manipulation results in a reachable assertion.
This vulnerability is cataloged as CVE-2026-30867. The attack can be launched remotely. No exploit is available.
Upgrading the affected component is advised.
vuldb.com
CVE-2026-31818 | budibase up to 3.33.3 Environment Variable blacklist BLACKLIST_IPS server-side request forgery (EUVD-2026-18792)
4 weeks ago
A vulnerability classified as critical has been found in budibase up to 3.33.3. It affects the function blacklist of the Environment Variable Handler component; manipulation of the argument BLACKLIST_IPS leads to server-side request forgery.
This vulnerability is documented as CVE-2026-31818. The attack can be launched remotely. No exploit is available.
It is advisable to upgrade the affected component.
vuldb.com
CVE-2026-34544 | AcademySoftwareFoundation OpenEXR up to 3.4.7 EXR File Parser exr_decoding_run integer overflow (GHSA-h762-rhv3-h25v / EUVD-2026-18060)
4 weeks ago
A vulnerability classified as critical was found in AcademySoftwareFoundation OpenEXR up to 3.4.7. It affects the function exr_decoding_run of the EXR File Parser component; the manipulation can lead to an integer overflow.
This vulnerability is tracked as CVE-2026-34544. The attack can be launched remotely. No exploit is available.
Upgrading the affected component is advised.
vuldb.com
CVE-2026-33951 | SignalK signalk-server up to 2.23.x HTTP Endpoint sourcePriorities access control (EUVD-2026-18374)
4 weeks ago
A vulnerability classified as critical was found in SignalK signalk-server up to 2.23.x. It affects an unknown function of the file /signalk/v1/api/sourcePriorities in the HTTP Endpoint component; the manipulation leads to improper access controls.
This vulnerability is identified as CVE-2026-33951. The attack can be launched remotely. No exploit is available.
It is suggested to upgrade the affected component.
vuldb.com
CVE-2026-33950 | SignalK signalk-server up to 2.24.0-beta.3 Server Configuration /enableSecurity improper authorization (EUVD-2026-18372)
4 weeks ago
A vulnerability rated as critical has been detected in SignalK signalk-server up to 2.24.0-beta.3. It affects an unknown function of the file /enableSecurity in the Server Configuration Handler component; the manipulation results in improper authorization.
This vulnerability is tracked as CVE-2026-33950. The attack can be carried out remotely. No exploit is available.
You should upgrade the affected component.
vuldb.com
CVE-2026-34083 | SignalK signalk-server up to 2.23.x HTTP Host Header redirect_uri origin validation (EUVD-2026-18376)
4 weeks ago
A vulnerability rated as critical has been found in SignalK signalk-server up to 2.23.x. It affects the function redirect_uri of the HTTP Host Header Handler component; the manipulation leads to an origin validation error.
This vulnerability is listed as CVE-2026-34083. The attack can be performed remotely. No exploit is available.
The affected component should be upgraded.
vuldb.com
CVE-2026-34543 | AcademySoftwareFoundation OpenEXR up to 3.4.7 EXR File Parser uninitialized resource (GHSA-vc68-257w-m432 / EUVD-2026-18058)
4 weeks ago
A vulnerability classified as problematic has been found in AcademySoftwareFoundation OpenEXR up to 3.4.7. It affects an unknown function of the EXR File Parser component; the manipulation results in an uninitialized resource.
This vulnerability is identified as CVE-2026-34543. The attack can be launched remotely. No exploit is available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2026-25044 | Budibase up to 3.33.3 os command injection (EUVD-2026-18754)
4 weeks ago
A vulnerability classified as critical has been found in Budibase up to 3.33.3. It affects an unknown function; the manipulation results in OS command injection.
This vulnerability is cataloged as CVE-2026-25044. The attack can be launched remotely. No exploit is available.
It is recommended to upgrade the affected component.
vuldb.com
NightSpire
4 weeks ago
cohenido
ICE Bought Spyware for Use in Drug Trafficking Cases
4 weeks ago
In a letter to members of Congress, ICE acting director Todd Lyons described the agency's purchase and use of spyware made by Paragon Solutions, stating that it was used in drug trafficking cases, that the use complies with constitutional requirements, and that it poses no significant security risk.
U.S. Immigration and Customs Enforcement (ICE) purchased and used spyware to pursue drug trafficking cases, emphasizing that this complies with constitutional requirements and poses no major security risk.
ShinyHunters Claims Rebooted BreachForums Now More Secure
4 weeks ago
Group Resurrects Hacker Site Despite Multiple Law Enforcement Disruptions
Drama continues to come fast and furious in BreachForums land, as the ShinyHunters group announced that it's rebooted the long-running and oft-disrupted forum yet again, just weeks after it got hacked and its databases dumped, leading the previous admin to allegedly exit scam and steal $4,000.
The Theranos Playbook Is Quietly Returning in Cybersecurity
4 weeks ago
Market Pressures Are Rewarding Storytelling More Than Validation, Operational Value
The fall of health tech company Theranos exposed how hype can outpace reality. In cybersecurity, similar pressures are emerging as vendors compete with bold claims and buyers struggle to verify outcomes. The result: a market where narrative can overshadow measurable operational value.
Stryker Tells Customers Manufacturing Systems Restored
4 weeks ago
Device Maker Is Still Investigating March 11 Attack Claimed by Iranian Hacktivists
Medical tech maker Stryker said it has restored its systems and is operational across its global manufacturing network three weeks after a wiper attack by Iranian hacktivist group Handala led to a worldwide outage at the company. The firm is continuing to investigate the incident.
ISMG Editors: Vendor Breaches Expose Healthcare Risk
4 weeks ago
Also: RSAC Speakers Warn AI Is Outpacing Security, DoD's Zero Trust Reality Check
In this week's panel, four ISMG editors discussed growing cyber risks in healthcare following recent vendor breaches, key takeaways from RSAC Conference and whether the Pentagon's zero trust push is delivering real security benefits or just checking off boxes.
Mercor Breach Linked to LiteLLM Supply-Chain Attack
4 weeks ago
AI Dependency Attack Reportedly Exposes Data and Source Code
A LiteLLM supply-chain compromise enabled attackers to harvest credentials and access internal environments at scale at Mercor. The firm was the first to confirm a LiteLLM breach, and researchers are warning about growing AI system exposure and limited visibility.
One-Time Passcodes Are Gateway for Financial Fraud Attacks
4 weeks ago
Report Reveals Growing Trend of Fraudsters Intercepting SMS-Based Verification
Financial institutions have historically relied on one-time passcodes as a primary authentication control for their accountholders. But OTP verification is less reliable as fraudsters increasingly exploit SMS-based verification weaknesses to carry out account takeover and payment fraud schemes.