Aggregator

该漏洞允许攻击者通过 REST API 提供了一个 /v1/tools/run端点，利用任意 payload 在目标服务器上执行任意 Python 代码或系统命令。

The Fourth Amendment was written for a world of desks, drawers, and locked trunks. The modern invest

一种全新的AI Agent攻击方式（或许也不那么新）

类属性污染实现全局权限提升、__globals__ 劫持覆盖 Flask SECRET_KEY 实现会话伪造、以及全局变量篡改实现 RCE。

通过构造恶意的中转站来劫持 opencode，claudecode，openclaw 从而实现命令执行，乃至于上线 c2

WEBbabydc网络 桥接靶机：10.190.20.23Workgroup/Domain Name: XMCVEHostnames: CASTLEVANIADomain Controllers: XMCVEActive Directory（活动目录）的 Windows 域环境内网1 台 DC 域控（核心，存所有账号、哈希、权限）多台 成员服务器（Web、邮件、数据库等）一堆 Win10/Win1

第二届sillyctf，感觉是非常的有趣啊（虽然没有学到太多东西）

New StorybySwapneswar Sundar RaybySwapneswar Sundar Ray@swapneswarsundarrayBuilding AI-driven enter

2026 CISCN&长城杯半决赛 AWDP-PWN 题解

io_uring是Linux 5.1引入的高性能异步I/O框架，通过共享内存环形缓冲区实现用户态与内核态的零拷贝通信。

Every organization that operates in a digital space needs to prioritize cybersecurity, but some

Combined Platform Spans Dependencies, Extensions, Developer Tools
Socket’s acquisition of Secure Annex extends software supply-chain security beyond open-source dependencies into browser and IDE extensions, addressing AI-driven development risks and fragmented visibility across modern developer workflows.

Bipartisan Deal Funds DHS Components After Record 75-Day Shutdown
The House passed a bipartisan bill funding the Department of Homeland Security, ending a 75-day shutdown that forced the Cybersecurity and Infrastructure Security Agency into a reactive posture and disrupted preventive cyber operations, even as workforce losses and proposed cuts threaten long-term resilience.

Tightening Budgets and AI-Enabled Attacks Stretch State Cyber Defenses
State CISO confidence has collapsed, with just 22% saying their data is protected from cyberthreats. The 2026 NASCIO-Deloitte study points to AI-enabled attacks, third-party vendor risk and the worst budget picture in years as states rethink how they defend public data.

Also, HexDex Arrest, Black Axe Crackdown, LeRobot RCE Flaw
This week, election threats resurfaced. A prolific hacker arrested. Black Axe network disrupted. China-linked disinformation targets Tibet. Exploited ScreenConnect and Windows flaws raise alarms. Minecraft gamers hit with stealer malware. A critical AI framework bug enables remote code execution.

☕️ TL;DR近期佳作推荐：[电影] 燃比娃、[电影] 世界的主人、[韩剧] 努力克服自卑的我们、[韩剧] 稻草人、[日剧] 月夜行路：答案在名作中、[英剧] 半个男人、[美剧] 逆转狂篮 第二季、

Langflow作为一款广泛使用的AI低代码开发平台，在≤1.8.4版本中存在高危路径穿越与任意文件写入漏洞（CVE-2026-5027）。该漏洞源于平台POST /api/v2/files文件上传接口对filename参数缺乏有效安全校验，攻击者可通过构造包含../等路径穿越序列的恶意文件名，突破系统预设的上传目录限制，实现对服务器任意路径的文件写入操作。漏洞利用条件宽松，需低权限用户登录即可远

AI洪流下的防守对抗新范式