Aggregator

近日，绿盟科技CERT监测到网上披露了Linux内核Fragnesia权限提升漏洞（CVE-2026-46300）。CVSS评分7.8，目前漏洞细节与PoC已公开，请相关用户尽快采取措施进行防护。

A new Darktrace report reveals how Chinese hackers use fake Apple and Yahoo sites and the FDMTP malware framework to spy on organisations.

A vulnerability labeled as critical has been found in Snort 2.9.7.0-WIN32. Affected is an unknown function in the library tcapi.dll of the component Library Handler. Executing a manipulation can lead to untrusted search path. This vulnerability is registered as CVE-2016-1417. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability identified as problematic has been detected in serve-index Package up to 1.6.2 on Node.js. Affected by this issue is some unknown functionality of the component File Name Handler. Performing a manipulation results in cross site scripting. This vulnerability is identified as CVE-2015-8856. The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component.

A vulnerability labeled as critical has been found in uglify-js Package up to 2.4.23 on Node.js. This affects an unknown part. Executing a manipulation can lead to 7pk security features. This vulnerability is tracked as CVE-2015-8857. The attack can be launched remotely. No exploit exists. The affected component should be upgraded.

A vulnerability marked as problematic has been reported in uglify-js Package up to 2.5.x on Node.js. This vulnerability affects unknown code of the component Regex Handler. The manipulation leads to improper resource management. This vulnerability is listed as CVE-2015-8858. The attack may be initiated remotely. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability described as problematic has been identified in send Package up to 0.11.0 on Node.js. This issue affects some unknown processing. The manipulation results in information disclosure (Path). This vulnerability is cataloged as CVE-2015-8859. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability classified as critical has been found in tar Package up to 1.x on Node.js. Impacted is an unknown function. This manipulation causes link following. This vulnerability is registered as CVE-2015-8860. Remote exploitation of the attack is possible. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic was found in handlebars Package up to 3.x on Node.js. The affected element is an unknown function of the component Template Handler. Such manipulation leads to cross site scripting. This vulnerability is documented as CVE-2015-8861. The attack can be executed remotely. Additionally, an exploit exists. Upgrading the affected component is advised.

A vulnerability, which was classified as problematic, has been found in mustache Package up to 2.2.0 on Node.js. The impacted element is an unknown function of the component Template Handler. Performing a manipulation results in cross site scripting. This vulnerability is reported as CVE-2015-8862. The attack is possible to be carried out remotely. Moreover, an exploit is present. It is advisable to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Terminology 0.7.0. This affects an unknown function of the component Escape Sequence Handler. Executing a manipulation can lead to command injection. This vulnerability appears as CVE-2015-8971. The attack may be performed from remote. There is no available exploit. You should upgrade the affected component.

A vulnerability has been found in GNU Chess up to 6.2.3 and classified as problematic. This impacts the function ValidateMove of the file frontend/move.cc. The manipulation leads to memory corruption. This vulnerability is traded as CVE-2015-8972. It is possible to initiate the attack remotely. There is no exploit available. The affected component should be upgraded.

A vulnerability was found in eShop Plugin 6.3.14 on WordPress and classified as problematic. Affected is an unknown function of the file eshop-orders.php. The manipulation of the argument page/action results in cross site scripting. This vulnerability is known as CVE-2016-0765. It is possible to launch the attack remotely. No exploit is available.

A vulnerability was found in eShop Plugin 6.3.14 on WordPress. It has been classified as critical. Affected by this vulnerability is an unknown functionality of the file eshop-orders.php. This manipulation of the argument view/mark/change causes sql injection. This vulnerability is handled as CVE-2016-0769. The attack can be initiated remotely. There is not any exploit available.

A vulnerability was found in TrueCrypt up to 7.1a/7.2. It has been declared as problematic. Affected by this issue is some unknown functionality in the library USP10.dll of the component Installer. Such manipulation leads to untrusted search path (Path). This vulnerability is uniquely identified as CVE-2016-1281. Local access is required to approach this attack. No exploit exists. It is recommended to upgrade the affected component.

На Красносельском шоссе обнаружили подпольный узел связи для обзвонов.

2026年初，安全研究组织depthfirst通过其自动化代码审计系统对NGINX源代码进行深度扫描，识别出五个安全缺陷，其中四个已获得NGINX官方确认并分配CVE编号。这一发现揭示了NGINX核心组件中存在的严重内存损坏问题，攻击者可利用这些漏洞实现远程代码执行

吃蔬菜有益健康，但哄孩子吃蔬菜对父母们而言是一大难题。一项研究发现，新生儿父母可以未雨绸缪，在出生前就让他们熟悉蔬菜的气味，那么出生之后他们不会再排斥蔬菜。在实验中，研究人员让部分孕妇服用羽衣甘蓝粉（kale powder）胶囊，部分孕妇服用胡萝卜粉胶囊，然后观察胎儿或婴儿对羽衣甘蓝和胡萝卜的面部反应。对胎儿的观察是借助超声波，之后是出生后三周以及三岁。研究人员说，孕妇不愿意为了科学而服用大量羽衣甘蓝汁或胡萝卜汁，所以他们选择了胶囊。结果基本一致：接触过胡萝卜粉的孩子对胡萝卜不排斥，接触过羽衣甘蓝的也喜欢羽衣甘蓝。研究人员推测，孕晚期接触特定口味可能会给孩子留下持久的味觉或嗅觉记忆，有可能影响他们出生多年后的饮食偏好。研究人员表示这项研究规模较小，如果资金充足将展开更大规模的研究。

在上一篇文章 《罗福莉访谈之后：Vibe Coding → Vibe Working → Vibe Forking》https://mp.weixin.qq.com/s/D4bAcI3TN4b_cEhk-aftNQ 提到的另外一个“ah moment”其实就是指漏洞挖掘的模型分水岭出现了～ 今天看到两篇文章 介绍微软用他们的智能体 MDASH（multi-model agentic scanning harness），编排 100+ specialized AI agents，并称其在公开 CyberGym benchmark 上拿到 88.45% 并且在他们内部发现了多个tcpip.sys的RCE： https://www.geekwire.com/2026/microsofts-multi-agent-ai-system-tops-anthropics-mythos-on-cybersecurity-benchmark/ https://www.microsoft.com/en-us/security/blog/2026/05/12/defense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark/