Aggregator

Submit #745509 / VDB-344642

A vulnerability, which was classified as critical, was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function saveRolePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role-Permission Binding Handler. The manipulation results in improper access controls. This vulnerability is known as CVE-2026-2075. It is possible to launch the attack remotely. Furthermore, an exploit is available. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability, which was classified as problematic, has been found in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. This vulnerability is traded as CVE-2026-2074. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #745508 / VDB-344641

A vulnerability classified as critical was found in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. This vulnerability appears as CVE-2026-2073. The attack may be performed from remote. In addition, an exploit is available.

A vulnerability classified as critical has been found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formP2PLimitConfig. Performing a manipulation of the argument except results in buffer overflow. This vulnerability is reported as CVE-2026-2071. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability described as critical has been identified in UTT 进取 520W 1.7.7-180627. The affected element is the function strcpy of the file /goform/formPolicyRouteConf. Such manipulation of the argument GroupName leads to buffer overflow. This vulnerability is documented as CVE-2026-2070. The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #745486 / VDB-344640

A vulnerability marked as critical has been reported in ggml-org llama.cpp up to 55abc39. Impacted is the function llama_grammar_advance_stack of the file llama.cpp/src/llama-grammar.cpp of the component GBNF Grammar Handler. This manipulation causes stack-based buffer overflow. This vulnerability is registered as CVE-2026-2069. The attack needs to be launched locally. Furthermore, an exploit is available. To fix this issue, it is recommended to deploy a patch.

Submit #745482 / VDB-344639

Valentine’s Day is just around the corner and Microsoft has been giving us a lot of love with a non-stop supply of patches starting with January 2026 Patch Tuesday. The January releases addressed 92 vulnerabilities in Windows 11 and Server2025, as well as 79 vulnerabilities for Windows 10 and its associated servers. We also saw updates for legacy 2016 versions of Microsoft Office and even a SQL Server update. But these patches came with some … More →

The post February 2026 Patch Tuesday forecast: Lots of OOB love this month appeared first on Help Net Security.

Submit #745265 / VDB-344638

Submit #745264 / VDB-344637

Submit #745263 / VDB-344636

Kasada released Account Intelligence, a new product designed to detect account-level fraud and abuse. The goal is to prevent repeat abuse before it creates financial loss and unnecessary friction for customers. Enterprises are facing account and business-logic abuse that existing bot and fraud tools were never built to detect. In a single session, this human-driven activity often looks legitimate. Risk only becomes clear later, after damage has already occurred. “Teams already know what this kind … More →

The post Kasada Account Intelligence combats manual fraud and abuse appeared first on Help Net Security.

By 2026 humans remain cybersecurity’s weakest—and most vital—link as AI-enabled social engineering rises; prioritize behavioral design, real‑time interventions, and leadership.

The post The Human Layer of Security: Why People are Still the Weakest Link in 2026  appeared first on Security Boulevard.

Cybersecurity threats are constantly evolving, and a recent campaign highlights a deceptive new tactic where attackers leverage Windows screensaver (.scr) files to compromise systems. This method allows threat actors to deploy legitimate Remote Monitoring and Management (RMM) tools, granting them persistent remote access while effectively bypassing standard security controls. By utilizing trusted software and cloud […]

The post Hackers Leveraging Windows Screensaver to Deploy RMM Tools and Gain Remote Access to Systems appeared first on Cyber Security News.

作者：JIAQI GAO, ZIJIAN ZHANG, YUQIANG SUN, YE LIU等 译者：知道创宇404实验室翻译组 原文链接：https://arxiv.org/html/2602.03271v1 摘要 业务逻辑漏洞已成为智能合约中最具破坏性但最难以理解的漏洞类型之一。与重入攻击或算术错误等传统漏洞不同，这类漏洞源于缺失或错误执行的业务不变式，且与协议语义紧密耦合。现有静态分...

Start PQC pilots now—not to prove readiness but to surface interoperability, vendor, inventory, and skills gaps so organizations can manage post-quantum migration risks.

The post Your PQC Pilot Might Fail, and That’s Okay  appeared first on Security Boulevard.

第 15 届联合国生物多样性大会（COP15）设定了到 2030 年时将农药使用量和相关风险减半的目标，鼓励使用有机农药和低毒性农药。但根据发表在《科学》期刊上的最新研究，农药总体毒性仍然呈上升趋势，如无改变 2030 年目标可能难以实现。研究结果显示，全球农药所造成的生态总体毒性正在上升；这一增长趋势在多个国家、多种作物及各类物种群体中均有显现。总体而言，总施用毒性主要由少数剧毒化学品主导，其中果蔬、玉米、大豆、谷物和稻米所用农药毒性占了全球农药毒性的 76-83%。中国、巴西、美国和印度合计贡献了全球总施用毒性的 53-68%。