Aggregator

A vulnerability has been found in OSC ondemand up to 4.0.8 and classified as critical. Affected by this vulnerability is the function custom_location_directives of the file ood_portal.yml. Performing manipulation results in insufficiently protected credentials. This vulnerability is known as CVE-2025-66029. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability identified as problematic has been detected in storybookjs storybook up to 7.6.20/8.6.14/9.1.16/10.1.9. The affected element is an unknown function of the component Environment Variable Handler. Performing manipulation results in information disclosure. This vulnerability is identified as CVE-2025-68429. The attack is only possible with local access. There is not any exploit available. You should upgrade the affected component.

A vulnerability was found in ZZCMS 2025. It has been classified as problematic. Affected by this vulnerability is an unknown functionality of the file /reg/user_save.php of the component User Data Storage Module. This manipulation causes cleartext storage in a file or on disk. This vulnerability is registered as CVE-2025-14836. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability was found in ZZCMS 2025. It has been declared as critical. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. This vulnerability is documented as CVE-2025-14837. The attack can be executed remotely. Additionally, an exploit exists.

好的，我现在需要帮助用户总结一篇文章的内容，控制在100字以内。首先，我得仔细阅读用户提供的文章内容。看起来文章主要讲的是当前环境异常，需要完成验证才能继续访问。里面有一个“去验证”的链接，可能引导用户进行验证步骤。 接下来，我要理解用户的需求。他们希望用中文总结文章内容，不需要特定的开头，直接描述即可。所以，我需要确保总结准确且简洁。 然后，我会分析文章的关键点：环境异常、验证、继续访问。这些是主要内容，需要在总结中体现出来。同时，保持语言流畅自然，避免使用过于正式或复杂的词汇。 最后，我会将这些要点整合成一个简短的句子，确保不超过100字，并且直接表达文章的核心信息。 当前环境出现异常状态,需完成验证后方可继续访问。

Dec 17, 2025 - Lina Romero - The OWASP Top 10 for LLMs was released this year to help security teams understand and mitigate the rising risks to LLMs. In previous blogs, we’ve explored risks 1-9, and today we’ll finally be deep diving LLM10: Unbounded Consumption. Unbounded Consumption occurs when LLMs allow users to conduct excessive prompt submissions, or submission of overly complex, large or verbose prompts, leading to resource depletion, potential Denial of Service (DoS) attacks, and more. An inference is the process that an AI model uses to generate an output based on its training. When a user feeds an LLM a prompt, the LLM generates inferences in response. Follow-up questions trigger more inferences, because each additional interaction builds upon all the inferences, and potentially also previously submitted prompts, required for the previous interactions. Rate limiting controls the amount of requests an LLM can receive. When an LLM does not have the adequate rate limiting, it can effectively become overwhelmed with inferences and either begin to malfunction, or reach a cap on utilization and stop responding. A part of the LLM application could become unavailable. In AI security, we often refer to the “CIA,” which stands for Confidentiality, Integrity and Availability. Unbounded Consumption can cause an LLM to fail at the “Availability” part of this equation, which in turn can affect the LLM’s Confidentiality and Integrity. Another way in which Unbounded Consumption can negatively impact an LLM is through Denial of Wallet (DOW). Effectively, attackers will hit the LLM with request upon request, which can run up the bill if rate limiting is not in place. Eventually, these attacks can cause the LLM to reject requests due to the high volume of abnormal activity, which will stop it from working entirely.
Mitigation Methods
Some ways to reduce the risk of Unbounded Consumption include: Input Validation- ensure that inputs do not exceed reasonable size limits
Rate Limiting- apply user quotas and limits to restrict requests per user
Limit Exposure of Logits and Logprobs- obfuscate the exposure of API responses, provide only necessary information to users
Resource Allocation Management- monitor resource utilization to prevent any single user from exceeding a reasonable limit
Timeouts and Throttling- set time limits and throttle processing for resource intense operations to prevent prolonged resource consumption
Sandbox Techniques- restrict the LLMs access to network resources to limit what information it can expose
Monitoring and Logging- get alerts and continually monitor usage for unusual patterns Unbounded Consumption poses a critical risk to LLMs as it can cause DoS or DoW, however, with proper security measures and training, teams can minimize the risk of Unbounded Consumption in their AI applications. For more information on the rest of the OWASP Top 10 for LLMs, head over to the LLM series on our blog page. And for general information on how to take charge of your own AI security posture, schedule a demo today!

The post LLM10: Unbounded Consumption – FireTail Blog appeared first on Security Boulevard.

好的，我现在需要帮用户总结一篇文章的内容，控制在100字以内，并且不需要特定的开头。首先，我得仔细阅读文章内容，抓住主要信息。 文章主要讲的是OWASP Top 10中的第10项，即LLM的无界消费风险。无界消费指的是用户提交过多或过于复杂的提示，导致资源耗尽和潜在的DoS攻击。文章还提到了缓解方法，比如输入验证、速率限制、资源管理等。 接下来，我需要将这些要点浓缩成一句话。要确保涵盖无界消费的定义、影响以及缓解措施。同时，保持语言简洁明了，不超过100字。 最后，检查一下是否符合用户的要求：中文总结，不使用特定开头，控制在100字以内。确保没有遗漏关键信息。 文章介绍了OWASP LLM Top 10中的第10项风险——无界消费（Unbounded Consumption），即LLM因处理过多或复杂提示导致资源耗尽、DoS攻击等问题，并提出了输入验证、速率限制等缓解方法。

英伟达因内存供应失衡计划从2026年初开始削减RTX50系列消费级显卡产能30%-40%，其中RTX 5060/5070 Ti 16GB版受影响较大，因显存价格与其售价不成比例。

Currently trending CVE - Hype Score: 14 - In specific circumstances, due to a weakness in the Pseudo Random Number Generator (PRNG) that is used, it is possible for an attacker to predict the source port and query ID that BIND will use. This issue affects BIND 9 versions 9.16.0 through 9.16.50, 9.18.0 through 9.18.39, ...

A vulnerability was found in Apple macOS up to 14.8.1/15.7.1. It has been classified as problematic. The impacted element is an unknown function of the component App. This manipulation causes information disclosure. This vulnerability appears as CVE-2025-43335. The attack requires local access. There is no available exploit. Upgrading the affected component is recommended.

A vulnerability was found in Apple macOS up to 14.8.1/15.7.1. It has been declared as critical. This affects an unknown function of the component App. Such manipulation leads to improper access controls. This vulnerability is traded as CVE-2025-43348. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

嗯，用户让我帮忙总结一下这篇文章的内容，控制在一百个字以内，而且不需要用“文章内容总结”或者“这篇文章”这样的开头，直接写描述。好的，我先看看这篇文章主要讲了什么。 文章里提到了几个主要的新闻点。首先是小米发布了MiMo-V2-Flash模型，参数量很大，专注于智能体AI，性能也很强。然后是Adobe更新了Firefly的视频编辑功能，增加了文本指令编辑和一些第三方模型。接着是百度脑图宣布将在2026年停止服务。徕卡和飞思合作适配联机工作流，还有Let's Encrypt推出了新的证书层级。最后是国际足联和Netflix合作推出新游戏。 我需要把这些信息浓缩到100字以内。首先确定每个新闻的关键点：小米的模型、Adobe的功能更新、百度脑图停服、徕卡的合作、证书更新和FIFA游戏。然后用简洁的语言把这些连起来。 可能会遇到的问题是如何在有限的字数内涵盖所有要点而不遗漏重要信息。可能需要简化一些描述，比如“MiMo-V2-Flash模型”可以简称为“MiMo-V2-Flash”，或者直接提到小米发布的新模型。 另外，要注意句子的连贯性和逻辑性，让读者一目了然地看到每个新闻的主要内容。可能需要调整句子结构，确保每个要点都清晰明了。 最后检查一下字数是否符合要求，确保不超过100字，并且没有使用禁止的开头方式。 小米发布309B参数的MiMo-V2-Flash开源AI模型，专为智能体设计；Adobe Firefly新增文本指令视频编辑器及第三方生成模型；百度脑图将于2026年3月停服；徕卡与飞思合作适配Capture One联机工作流；Let's Encrypt推出Y世代证书层级；国际足联与Netflix联合开发新FIFA游戏。

亚马逊Kindle存在安全漏洞，可能被黑掉的有声读物攻击账户和信用卡。爱尔兰健康服务遭遇勒索软件攻击后向受害者索要750欧元。播客最后一期推荐《When Harry Met Sally》和《Tomb Raider》重制版。

Ruijie Networksが提供するRG - AP180、屋内壁面設置型ワイヤレスAP AP180シリーズには、OSコマンドインジェクションの脆弱性が存在します。

Explore homomorphic encryption for privacy-preserving analytics in Model Context Protocol (MCP) deployments, addressing post-quantum security challenges. Learn how to secure your AI infrastructure with Gopher Security.

The post Homomorphic Encryption for Privacy-Preserving MCP Analytics in a Post-Quantum World appeared first on Security Boulevard.

嗯，用户让我总结一篇文章的内容，控制在100字以内，而且不需要特定的开头。首先，我需要通读整篇文章，抓住主要观点。 文章主要讲的是隐私在MCP分析中的重要性，特别是使用同态加密来保护数据。它介绍了同态加密的不同类型，比如部分、某种程度和完全同态加密，并讨论了它们的优缺点。还提到了实际应用案例，比如医疗和金融领域，以及未来的发展方向，包括抗量子加密。 接下来，我需要将这些要点浓缩到100字以内。要确保涵盖隐私的重要性、同态加密的作用、不同类型的HE、实际应用和未来趋势。 可能会遇到的问题是如何简洁地表达这些复杂的概念而不遗漏关键点。需要选择最核心的信息，避免细节过多。 最后，检查字数是否符合要求，并确保语言流畅自然。 文章探讨了隐私在人工智能模型共享中的重要性，并介绍了同态加密（HE）技术如何保护数据安全。通过部分、某种程度和完全同态加密的不同方案，HE允许在加密数据上进行计算，从而实现隐私保护。文章还讨论了其在医疗、金融等领域的实际应用，并展望了抗量子加密的未来发展。

France confirms a cyberattack on its Interior Ministry as a 22-year-old is arrested. Hacker claims access to police, tax, and criminal record systems.