Aggregator

A vulnerability has been found in Plainware ShiftController Employee Shift Scheduling Plugin up to 4.9.64 on WordPress and classified as problematic. The impacted element is an unknown function. Performing a manipulation results in cross site scripting. This vulnerability is cataloged as CVE-2024-44040. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability has been found in Bit Form Plugin up to 2.13.11 on WordPress and classified as critical. This affects an unknown part. This manipulation causes sql injection. This vulnerability is tracked as CVE-2024-47335. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability was found in StylemixThemes uListing Plugin up to 2.1.5 on WordPress and classified as problematic. This vulnerability affects unknown code. Such manipulation leads to information disclosure. This vulnerability is listed as CVE-2024-47344. The attack may be performed from remote. There is no available exploit.

A vulnerability was found in Zoho Flow Plugin up to 2.7.1 on WordPress and classified as critical. This issue affects some unknown processing. The manipulation results in sql injection. This vulnerability is reported as CVE-2024-47334. The attack can be launched remotely. No exploit exists.

A vulnerability classified as problematic has been found in smp7 Simple Membership After Login Redirection Plugin up to 1.6 on WordPress. This affects an unknown function. The manipulation leads to open redirect. This vulnerability is listed as CVE-2024-47354. The attack may be initiated remotely. There is no available exploit.

A vulnerability classified as critical was found in Eyecix JobSearch Plugin up to 2.5.9 on WordPress. This impacts an unknown function. The manipulation results in deserialization. This vulnerability is cataloged as CVE-2024-47636. The attack may be launched remotely. There is no exploit available.

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka   Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government RoadK1ll: A WebSocket Based Pivoting Implant    axios Compromised: npm Supply Chain Attack via Dependency Injection   […]

Фейковый Slack, дипфейк-звонок, троян под видом обновления Teams...

What happened New Progress ShareFile bugs could let attackers take over exposed on-premises servers without logging in by chaining an authentication bypass with remote code execution. The issues affect customer-managed ShareFile Storage Zones Controller 5.x deployments. The first flaw, CVE-2026-2699, is an authentication bypass on the Admin.aspx configuration page that can expose restricted admin functionality […]

The post New Progress ShareFile Bugs Let Attackers Take Over Servers Without Logging In appeared first on CISO Whisperer.

The post New Progress ShareFile Bugs Let Attackers Take Over Servers Without Logging In appeared first on Security Boulevard.

What happened Hackers are weaponizing the leaked Claude Code source to spread Vidar and GhostSocks malware through malicious repositories that impersonate the exposed codebase. The campaign followed Anthropic’s March 31 packaging error, which exposed the source code for Claude Code in a public npm package through a JavaScript source map file containing more than half […]

The post Hackers Spread Vidar and GhostSocks Malware Through Claude Code Leak appeared first on CISO Whisperer.

The post Hackers Spread Vidar and GhostSocks Malware Through Claude Code Leak appeared first on Security Boulevard.

Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. [...]

Currently trending CVE - Hype Score: 1 - Apache Traffic Server allows request smuggling if chunked messages are malformed.  This issue affects Apache Traffic Server: from 9.0.0 through 9.2.12, from 10.0.0 through 10.1.1. Users are recommended to upgrade to version 9.2.13 or 10.1.2, which fix the issue.

Currently trending CVE - Hype Score: 1 - A bug in POST request handling causes a crash under a certain condition. This issue affects Apache Traffic Server: from 10.0.0 through 10.1.1, from 9.0.0 through 9.2.12. Users are recommended to upgrade to version 10.1.2 or 9.2.13, which fix the issue. A workaround for older ...

A vulnerability was found in imprvhub mcp-browser-agent up to 0.8.0. It has been rated as critical. This impacts the function CallToolRequestSchema of the file src/handlers.ts of the component URL Parameter Handler. The manipulation of the argument request.params.name/request.params.arguments leads to server-side request forgery. This vulnerability is uniquely identified as CVE-2026-5607. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, was found in PHPGurukul Online Shopping Portal Project 2.1. The affected element is an unknown function of the file /order-details.php of the component Parameter Handler. The manipulation of the argument orderid results in sql injection. This vulnerability is known as CVE-2026-5606. It is possible to launch the attack remotely. No exploit is available.

A vulnerability was found in Tenda CH22 1.0.0.1. It has been declared as critical. This affects the function formWrlExtraSet of the file /goform/WrlExtraSet. Executing a manipulation of the argument GO can lead to stack-based buffer overflow. This vulnerability is handled as CVE-2026-5605. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability was found in Tenda CH22 1.0.0.1. It has been classified as critical. The impacted element is the function formCertLocalPrecreate of the file /goform/CertLocalPrecreate of the component Parameter Handler. Performing a manipulation of the argument standard results in stack-based buffer overflow. This vulnerability is known as CVE-2026-5604. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

Submit #785034 / VDB-355398

A vulnerability was found in elgentos magento2-dev-mcp up to 1.0.2 and classified as critical. The affected element is the function executeMagerun2Command of the file src/index.ts. Such manipulation leads to os command injection. This vulnerability is traded as CVE-2026-5603. An attack has to be approached locally. Furthermore, there is an exploit available. A patch should be applied to remediate this issue.

Submit #785052 / VDB-355397