Aggregator

A vulnerability, which was classified as problematic, was found in U-SPEED N300 1.0.0. This issue affects some unknown processing of the file /api/login of the component Router Management Interface. Such manipulation leads to improper restriction of excessive authentication attempts. This vulnerability is referenced as CVE-2026-36959. It is possible to launch the attack remotely. No exploit is available.

A vulnerability, which was classified as problematic, has been found in Keycloak. This vulnerability affects the function checkAccountApiEnabled of the file /account/v1alpha1 of the component Account REST API. This manipulation causes direct request. The identification of this vulnerability is CVE-2026-7500. It is possible to initiate the attack remotely. There is no exploit available.

Submit #803996 / VDB-360324

A vulnerability classified as problematic was found in Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router 1.0.0. This affects an unknown part of the component URI Handler. The manipulation results in denial of service. This vulnerability was named CVE-2026-36957. The attack may be performed from remote. There is no available exploit.

Submit #803995 / VDB-360323

A vulnerability classified as problematic has been found in U-SPEED N300 1.0.0. Affected by this issue is some unknown functionality of the component Web Management Interface. The manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2026-36958. The attack is possible to be carried out remotely. No exploit exists.

The April 2026 KB5083769 security update breaks third-party backup applications from multiple vendors on systems running Windows 11 24H2 and 25H2. [...]

A vulnerability described as critical has been identified in OWAP DefectDojo up to 2.55.4. Affected by this vulnerability is an unknown functionality of the component Benchmark/Engagement/Product/Survey. Executing a manipulation can lead to authorization bypass. This vulnerability is handled as CVE-2026-7510. The attack can be executed remotely. Additionally, an exploit exists. Upgrading the affected component is recommended.

Submit #803751 / VDB-360317

The widely used PyTorch Lightning framework, which automatically executes credential-stealing malware on import, has also compromised GitHub maintainer accounts. The popular PyPI package lightning — the deep learning framework used to train, deploy, and ship AI products has been compromised in an active supply chain attack. Socket’s Research Team flagged versions 2.6.2 and 2.6.3 as […]

The post Popular Python Package lightning Hacked in Supply Chain Attack appeared first on Cyber Security News.

2026 年 4 月，一位名为 Lina 的安全研究员在个人博客上分享了一段令人啼笑皆非的经历。

A vulnerability marked as critical has been reported in Bootstrap CMS 0.9.0-alpha. Affected is an unknown function of the file resources/views/pages/show.blade.php of the component Page Creation Handler. Performing a manipulation of the argument body results in code injection. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is known as CVE-2026-7508. Remote exploitation of the attack is possible. Furthermore, an exploit is available. The code repository of the project has not been active for many years.

8,1 балла опасности: в ProFTPD нашли дыру, доступную без учётной записи.

In early 2026, email threats increased with a rise in credential phishing, QR code phishing, and CAPTCHA-gated campaigns, highlighted by Microsoft’s disruption of the Tycoon2FA phishing platform which led to a 15% volume decrease and shifts in threat actor tactics.

The post Email threat landscape: Q1 2026 trends and insights appeared first on Microsoft Security Blog.

CrowdStrike says The Com-affiliated threat groups are using voice phishing and fake SSO pages to break into SaaS environments and steal data fast for extortion.

The post Two new extortion crews are speedrunning the Scattered Spider playbook appeared first on CyberScoop.

In early 2026, email threats increased with a rise in credential phishing, QR code phishing, and CAPTCHA-gated campaigns, highlighted by Microsoft’s disruption of the Tycoon2FA phishing platform which led to a 15% volume decrease and shifts in threat actor tactics.

The post Email threat landscape: Q1 2026 trends and insights appeared first on Microsoft Security Blog.

Deep#Door Python RAT uses tunneling and obfuscation to evade detection and steal credentials

Submit #803531 / VDB-360316

A vulnerability labeled as critical has been found in SourceCodester Hotel Management System 1.0. This impacts an unknown function of the file /index.php/reservation/check. Such manipulation of the argument room_type leads to sql injection. This vulnerability is traded as CVE-2026-7506. The attack may be launched remotely. Furthermore, there is an exploit available.