Aggregator

A vulnerability classified as problematic was found in OpenClaw up to 2026.1.30. This affects an unknown part of the component Bearer Token Handler. Executing a manipulation can lead to insertion of sensitive information into sent data. The identification of this vulnerability is CVE-2026-28481. The attack may be launched remotely. There is no exploit available. Applying a patch is advised to resolve this issue.

A vulnerability, which was classified as critical, was found in OpenClaw up to 2026.2.11. This issue affects some unknown processing of the file /agent/act. The manipulation results in missing authentication. This vulnerability is identified as CVE-2026-28485. The attack is only possible with local access. There is not any exploit available. You should upgrade the affected component.

A vulnerability was found in OpenClaw up to 2026.2.13. It has been rated as critical. This impacts an unknown function. The manipulation leads to authentication bypass by spoofing. This vulnerability is documented as CVE-2026-28480. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised.

A vulnerability categorized as problematic has been discovered in OpenClaw up to 2026.2.14. Affected is an unknown function of the component Configuration Handler. The manipulation results in risky cryptographic algorithm. This vulnerability is reported as CVE-2026-28479. The attack can be launched remotely. No exploit exists. It is advisable to upgrade the affected component.

A vulnerability described as critical has been identified in OpenClaw up to 2026.2.1. This vulnerability affects unknown code. Executing a manipulation can lead to argument injection. This vulnerability is handled as CVE-2026-28470. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is recommended.

A vulnerability, which was classified as critical, has been found in OpenClaw up to 2026.2.11. The affected element is an unknown function. This manipulation of the argument sessionId causes path traversal. The identification of this vulnerability is CVE-2026-28482. The attack can only be executed locally. There is no exploit available. It is advisable to upgrade the affected component.

A vulnerability, which was classified as critical, was found in OpenClaw up to 2026.2.5. The impacted element is an unknown function of the component nextcloud-talk. Such manipulation leads to incorrect authorization. This vulnerability is referenced as CVE-2026-28474. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.

A vulnerability was found in OpenClaw up to 2026.2.13. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation results in server-side request forgery. This vulnerability is cataloged as CVE-2026-28476. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability categorized as problematic has been discovered in OpenClaw up to 2026.2.13. This affects an unknown part of the component OAuth Call Handler. Such manipulation leads to cross-site request forgery. This vulnerability is documented as CVE-2026-28477. The attack can be executed remotely. There is not any exploit available. It is advisable to upgrade the affected component.

A vulnerability identified as critical has been detected in OpenClaw up to 2026.2.1. This vulnerability affects unknown code of the component Matrix Plugin. Performing a manipulation results in improper authentication. This vulnerability is reported as CVE-2026-28471. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.

A vulnerability identified as critical has been detected in OpenClaw up to 2026.2.13. Affected by this vulnerability is an unknown functionality of the component Publicly Reachable Webhook Endpoint. This manipulation causes missing authentication. This vulnerability appears as CVE-2026-29606. The attack may be initiated remotely. There is no available exploit. You should upgrade the affected component.

The Cybersecurity and Infrastructure Security Agency (CISA) gave all federal civilian agencies until Thursday to patch CVE-2025-26399 — a critical vulnerability impacting the popular SolarWinds Web Help Desk.

A vulnerability described as critical has been identified in Schneider Electric EcoStruxure Power Monitoring Expert and EcoStruxure Power Operation Advanced Reporting and Dashboards Module 2022/2023/2024. This affects an unknown part. The manipulation results in deserialization. This vulnerability is identified as CVE-2025-11739. The attack is only possible with local access. There is not any exploit available. It is advisable to implement a patch to correct this issue.

A vulnerability marked as critical has been reported in Vaadin Flow up to 14.14.0/23.6.6/24.9.8/25.0.2. Affected by this issue is some unknown functionality of the file Node.js of the component ZIP Handler. The manipulation leads to path traversal. This vulnerability is referenced as CVE-2026-2741. The attack can only be performed from a local environment. No exploit is available. It is suggested to upgrade the affected component.

A vulnerability labeled as critical has been found in Vaadin Flow up to 14.14.0/23.6.6/24.9.7/25.0.1. Affected by this vulnerability is an unknown functionality of the file /vaadin of the component Endpoint. Executing a manipulation can lead to improper access controls. The identification of this vulnerability is CVE-2026-2742. The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.

A vulnerability identified as critical has been detected in Tubitak Bilgem Liderahenk up to 3.3.x. Affected is an unknown function. Performing a manipulation results in missing authentication. This vulnerability was named CVE-2026-2339. The attack may be initiated remotely. There is no available exploit. You should upgrade the affected component.

A vulnerability categorized as critical has been discovered in Schneider Electric EcoStruxure IT Data Center Expert. This impacts an unknown function of the component SOCKS Proxy. Such manipulation leads to hard-coded credentials. This vulnerability is uniquely identified as CVE-2025-13957. The attack can be launched remotely. No exploit exists. Applying a patch is advised to resolve this issue.

Даже ИИ в среде разработки не спас от профи из КНДР.

好的，我现在需要帮用户总结一篇文章的内容，控制在100字以内，并且直接写描述，不需要特定的开头。首先，我得通读整篇文章，抓住主要观点。 文章主要讨论了企业在采用大型语言模型（LLMs）时面临的数据隐私和安全问题。特别是敏感信息在模型训练或推理过程中被泄露的风险。文章提到“推理保护”（Inference protection）是一种预防措施，通过在数据进入模型前进行脱敏处理，防止敏感信息被模型学习或存储。 接下来，文章讨论了传统软件系统与LLMs在数据处理上的不同之处，指出一旦敏感数据被模型处理，就无法有效删除或控制。这给合规性和数据治理带来了挑战。作者强调了遵守GDPR、HIPAA等法规的重要性，并提出通过预防措施确保敏感数据不进入模型是解决这些问题的最佳方法。 文中还提到了Tonic Textual提供的解决方案，即在数据流程的早期进行自动化的脱敏处理，从而让企业能够安全地使用LLMs。这种方法不仅减少了合规风险，还简化了审计流程，并支持数据删除和访问控制等监管要求。 总结起来，文章的核心在于强调推理保护的重要性，并介绍了一种有效的解决方案来应对LLMs带来的隐私和合规挑战。因此，在总结时需要涵盖这些关键点：推理保护的概念、其重要性、带来的好处以及具体的解决方案。 最后，确保语言简洁明了，控制在100字以内，并且直接描述内容，不使用“这篇文章”之类的开头。 文章探讨了企业在采用大型语言模型（LLMs）时面临的数据隐私和安全挑战。通过“推理保护”技术，在敏感信息进入模型前进行脱敏处理，防止其被学习或存储。这种方法不仅降低了隐私风险和合规负担，还为负责任的AI应用奠定了基础。

An attack campaign targeting HR departments and job recruiters has been stealthily compromising systems, Aryaka researchers have discovered. By avoiding analysis environments and leveraging a specialized module designed to kill antivirus and endpoint detection software, the Russian-speaking attacker(s) behind this campaign have managed to keep their activity largely under the radar. “We currently lack telemetry to determine how widespread the campaign is,” Aditya K. Sood, Aryaka’s VP of Security Engineering & AI Strategy, told Help … More →

The post HR, recruiters targeted in year-long malware campaign appeared first on Help Net Security.