Aggregator

Submit #811316 / VDB-364386

A vulnerability was found in adenhq hive up to 0.11.0. It has been classified as critical. This affects the function _read_events_tail of the file core/framework/server/routes_sessions.py of the component Delete Request Handler. Performing a manipulation results in path traversal. This vulnerability was named CVE-2026-8757. The attack may be initiated remotely. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c and classified as critical. The impacted element is the function generate_config of the file webui_preprocess.py of the component Gradio Interface. Such manipulation of the argument data_dir leads to path traversal. This vulnerability is uniquely identified as CVE-2026-8756. The attack can be launched remotely. Moreover, an exploit is present. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c and classified as critical. The affected element is the function _get_all_models of the file hiyoriUI.py of the component Model Handler. This manipulation causes path traversal. This vulnerability is handled as CVE-2026-8755. The attack can be initiated remotely. Additionally, an exploit exists. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #811283 / VDB-364385

Submit #811276 / VDB-364384

A vulnerability, which was classified as critical, was found in AstrBotDevs AstrBot up to 4.23.5. Impacted is the function post_file of the file astrbot/dashboard/routes/chat.py of the component File Upload Handler. The manipulation of the argument filename results in path traversal. This vulnerability is known as CVE-2026-8754. It is possible to launch the attack remotely. Furthermore, an exploit is available. You should upgrade the affected component.

Submit #811175 / VDB-364383

Submit #811173 / VDB-364382

Submit #811172 / VDB-364381

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Microsoft Exchange Server to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Microsoft Exchange Server, tracked as CVE-2026-42897 (CVSS score of 8.1), to its Known Exploited Vulnerabilities (KEV) catalog. This week, Microsoft warned that threat actors are […]

87% пользователей просят у ИИ личных советов. Куда это может нас привести?

暨南大学、华中科技大学和清华大学的研究人员在《One Earth》期刊上发表论文，调查了烂尾楼（或称之为未完工建筑项目）的情况。过去几十年烂尾楼数量激增，研究人员收集了 142 个城市的 1,779 个烂尾楼地理数据。结果发现，烂尾楼浪费了 485±42 百万吨建筑材料，使房地产业碳排放强度提高了 9.6%，产生的 PM2.5 细颗粒物造成了 260 万生命年的健康损失，导致购房者、开发商和承包商承担了 3470±320 亿美元的经济损失。研究人员指出烂尾楼经济损失集中在新开发郊区，加剧了社会不平等。2019-2023 年间，全国范围内的烂尾楼占用了逾 164（±8）平方公里的城市开发用地，建筑面积达 415（±56）平方公里。

Russia-linked APT group Turla turned its Kazuar malware into a stealthy P2P botnet for long-term access to compromised systems. Russia-linked APT group Turla upgraded its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and persistent access to infected systems. Microsoft researchers say the malware allows attackers to maintain long-term control while making detection […]

A vulnerability, which was classified as critical, has been found in kalcaddle Kodbox up to 1.64. This issue affects the function parseVideoInfo of the file /workspace/source-code/plugins/fileThumb/lib/VideoResize.class.php of the component fileThumb Plugin. The manipulation of the argument ffmpegBin leads to command injection. This vulnerability is traded as CVE-2026-8753. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical was found in h2oai h2o-3 up to 7402. This vulnerability affects the function exec of the file h2o-core/src/main/java/water/rapids/ast/prims/misc/AstSetProperty.java of the component Rapids setproperty Primitive Handler. Executing a manipulation can lead to improper access controls. This vulnerability appears as CVE-2026-8752. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical has been found in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. This vulnerability is reported as CVE-2026-8751. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability described as problematic has been identified in h2oai h2o-3 up to 7402. Affected by this issue is the function importFiles of the file h2o-core/src/main/java/water/persist/PersistNFS.java of the component ImportFile API. Such manipulation leads to information disclosure. This vulnerability is documented as CVE-2026-8750. The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #810109 / VDB-364380