Aggregator

A vulnerability was found in Hisense TransTech Smart Bus Management System up to 20260113. It has been declared as critical. Affected is the function Page_Load of the file YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx. Executing a manipulation of the argument key can lead to sql injection. This vulnerability is registered as CVE-2026-1449. It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Shaarli up to 0.15.x. It has been rated as problematic. This impacts an unknown function of the component Tag Handler. The manipulation leads to cross site scripting. This vulnerability is listed as CVE-2026-24476. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is advised.

A vulnerability was found in MobSF Mobile-Security-Framework-MobSF up to 4.4.4. It has been rated as problematic. Affected by this issue is some unknown functionality of the component APK Handler. This manipulation causes cross site scripting. This vulnerability is tracked as CVE-2026-24490. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

A vulnerability categorized as critical has been discovered in Link Invoice Payment for WooCommerce Plugin up to 2.8.0 on WordPress. This affects an unknown part. Such manipulation leads to missing authorization. This vulnerability is listed as CVE-2025-14971. The attack may be performed from remote. There is no available exploit.

A vulnerability was found in root-project root up to 6.36.00-rc1. It has been classified as critical. This affects an unknown function of the component zlib. The manipulation leads to improper input validation. This vulnerability is uniquely identified as CVE-2026-24811. The attack is possible to be carried out remotely. No exploit exists. It is suggested to install a patch to address this issue.

A vulnerability was found in code-projects Online Examination System 1.0 and classified as problematic. Affected is an unknown function of the component Add Pages. Such manipulation leads to cross site scripting. This vulnerability is documented as CVE-2026-1421. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability was found in code-projects Online Examination System 1.0. It has been classified as critical. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login Page. Performing a manipulation of the argument User results in sql injection. This vulnerability is reported as CVE-2026-1422. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability was found in code-projects Online Examination System 1.0. It has been declared as critical. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. This vulnerability appears as CVE-2026-1423. The attack may be performed from remote. In addition, an exploit is available.

Veracode announced significant platform innovations introduced through the second half of 2025. Headlining the release is Package Firewall, a preventive control for software supply chains, advancing the company’s mission to help organizations run secure software from code to cloud. With supply chain-related third-party breaches doubling year over year— from 15 to 30 percent according to the Verizon 2025 Data Breach Investigations Report— the need to strengthen security across the software ecosystem has never been greater. … More →

The post Veracode’s platform enhancements help prevent software supply chain attacks appeared first on Help Net Security.

从冰蝎架构误配、web.config覆盖到LSASS dump致认证瘫痪，剖析三次实战崩溃根源及防御绕过教训。

SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software. [...]

漏洞简介MCPJam 检查器是本地优先的 MCP 服务器开发平台。1.4.2及更早版本存在远程代码执行（RCE）漏洞，攻击者可以通过发送精心设计的HTTP请求，触发MCP服务器的安装，从而导致RCE。由于MCPJam检查器默认监听的是0.0.0.0而非127.0.0.1，攻击者可以通过简单的HTTP请求远程触发RCE。1.4.3版本包含补丁。漏洞影响版本：<= 1.4.2漏洞分析前端构造攻击

攻击者不需要破解模型、不需要对抗训练，只需要找到上下文污染的入口，就能让Agent自己执行攻击。

A critical privilege-escalation vulnerability has been discovered in Check Point’s Harmony SASE (Secure Access Service Edge) Windows client software, affecting versions prior to 12.2. Tracked as CVE-2025-9142, the flaw allows local attackers to write or delete files outside the intended certificate working directory, potentially leading to system-level compromise. The vulnerability exists within the Service component of Perimeter81 […]

The post Check Point Harmony SASE Windows Client Vulnerability Enables Privilege Escalation appeared first on Cyber Security News.

漏洞简介ChatterMate 是一个无代码的 AI 聊天机器人代理框架。在1.0.8及以下版本中，聊天机器人在提供恶意HTML/JavaScript负载时接受并执行漏洞影响版本：< 1.0.9评分：9.3​漏洞分析用户输入防线一app/api/widget_chat.py获取用户原始输入，且未净化，导致该防线失守防线二接收用户输入调用ai进行解析，不进行净化就解析然后通过ChatAgent

A vulnerability identified as problematic has been detected in OISF Suricata up to 7.0.13/8.0.2. Affected by this vulnerability is an unknown functionality of the component DNP3 Parser. The manipulation leads to resource consumption. This vulnerability is traded as CVE-2026-22259. It is possible to initiate the attack remotely. There is no exploit available. You should upgrade the affected component.

A vulnerability labeled as problematic has been found in OISF Suricata up to 7.0.13/8.0.2. Affected by this issue is some unknown functionality of the component XFF Support. The manipulation results in excessive platform resource consumption within a loop. This vulnerability is known as CVE-2026-22261. It is possible to launch the attack remotely. No exploit is available. The affected component should be upgraded.

A vulnerability, which was classified as problematic, was found in bytecodealliance wasmtime up to 36.0.4/40.0.2/41.0.0 on x86-64. The impacted element is an unknown function. The manipulation results in out-of-bounds read. This vulnerability is identified as CVE-2026-24116. The attack is only possible with local access. There is not any exploit available. You should upgrade the affected component.

本文记录了在攻防项目中对一套php代码进行审计，最后利用thinkphp报错，实现前台任意文件上传

随着 AI 从单一的 Chatbot 进化为拥有工具调用权限的 Autonomous Agents（自主智能体），安全边界已彻底瓦解。 本文不再局限于简单的 Prompt Injection，而是深入剖析了 GCG 自动化对抗、AI-CSRF 跨插件攻击、RAG 逻辑炸弹 等前沿威胁，并提供了基于 Zero-Trust AI 的防御架构设计与 DevSecOps 落地代码。