APT73
You must login to view this content
Aggregator
Submit #802230: TencentCloudBase CloudBase-MCP 2.16.1 Server-Side Request Forgery [Accepted]
2 weeks 6 days ago
Submit #802230 / VDB-359821
BruceJin
ClickUp’s Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants
2 weeks 6 days ago
A publicly accessible JavaScript file on ClickUp’s homepage has been silently leaking nearly a thousand corporate and government email addresses, including employees from Fortinet, Home Depot, Tenable, Mayo Clinic, and U.S. state government workers, through a hardcoded third-party API key that was first reported in January 2025 and remains unrotated as of April 2026. The […]
The post ClickUp’s Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants appeared first on Cyber Security News.
Guru Baran
CVE-2026-7219 | Totolink N300RT 3.4.0-B20250430 /boafrm/formIpQoS entry_name buffer overflow
2 weeks 6 days ago
A vulnerability was found in Totolink N300RT 3.4.0-B20250430 and classified as critical. This affects an unknown function of the file /boafrm/formIpQoS. Executing a manipulation of the argument entry_name can lead to buffer overflow.
This vulnerability appears as CVE-2026-7219. The attack may be performed from remote. In addition, an exploit is available.
vuldb.com
CVE-2026-7218 | Totolink N300RT 3.4.0-B20250430 libapmib.so /boafrm/formWsc is_cmd_string_valid localPin buffer overflow
2 weeks 6 days ago
A vulnerability has been found in Totolink N300RT 3.4.0-B20250430 and classified as critical. The impacted element is the function is_cmd_string_valid of the file /boafrm/formWsc of the component libapmib.so. Performing a manipulation of the argument localPin results in buffer overflow.
This vulnerability is reported as CVE-2026-7218. The attack is possible to be carried out remotely. Moreover, an exploit is present.
vuldb.com
Submit #802138: jackwrichards fastly-mcp-server 6f3d0b0e654fc51076badc7fa16c03c461f95620 Command Injection [Accepted]
2 weeks 6 days ago
Submit #802138 / VDB-359820
CPT_Penner
Unpatched 'PhantomRPC' Flaw in Windows Enables Privilege Escalation
2 weeks 6 days ago
A researcher discovered five different exploit paths that stem from an architectural weakness in how Windows' Remote Procedure Call (RPC) mechanism handles connections to unavailable services.
Elizabeth Montalbano
欧洲批准了 Moderna 的流感和 COVID-19 联合疫苗
2 weeks 6 days ago
欧洲批准了 Moderna 研发的基于 mRNA 技术的流感和 COVID-19 联合疫苗。被称为 mRNA-1083 或 mCOMBRIAX 的疫苗成为全球首个获得批准的针对这两种呼吸道病毒的联合疫苗。疫苗获批是基于一项 4000 名成年人参与的 III 期临床试验结果。试验分为两组,一组为 50-64 岁的受试者,与标准流感疫苗进行比较;另一组为 65 岁及以上的受试者,与高剂量流感疫苗进行比较。两组受试者中,相对于对照组 mCOMBRIAX 疫苗都能诱导对常见流感病毒株(A/H1N1、A/H3N2 和 B/Victoria)以及 SARS-CoV-2 病毒产生统计上显著更高的免疫反应。试验未发现安全性或不良反应方面的问题。
CVE-2026-7217 | Deepractice PromptX up to 2.4.0 Document File index.ts path absolute path traversal (Issue 571)
2 weeks 6 days ago
A vulnerability, which was classified as critical, was found in Deepractice PromptX up to 2.4.0. The affected element is the function read_docx/read_xlsx/read_pptx/list_xlsx_sheets/read_pdf of the file packages/mcp-office/src/index.ts of the component Document File Handler. Such manipulation of the argument path leads to absolute path traversal.
This vulnerability is documented as CVE-2026-7217. The attack can be executed remotely. Additionally, an exploit exists.
The project was informed of the problem early through an issue report but has not responded yet.
vuldb.com
Submit #808194: TOTOLINK N300RT Router V3.4.0-B20250430 Buffer Overflow [Accepted]
2 weeks 6 days ago
Submit #808194 / VDB-359819
xyhackr
Submit #802127: Totolink N300RT Router V3.4.0-B20250430 Buffer Overflow [Accepted]
2 weeks 6 days ago
Submit #802127 / VDB-359818
xyhackr
Inside the Protocol: Master Kerberos Defense and Detection with Kerlab’s Rust Toolkit
2 weeks 6 days ago
Kerlab A Rust implementation of Kerberos for FUn and Detection Kerlab was developed just to drill down kerberos protocol and
The post Inside the Protocol: Master Kerberos Defense and Detection with Kerlab’s Rust Toolkit appeared first on Penetration Testing Tools.
ddos
Disinformation campaign targeted Tibetan parliament-in-exile elections
2 weeks 6 days ago
The operation, identified by the Digital Forensic Research Lab (DFRLab), was part of Spamouflage, a long-running influence network linked to Beijing.
CVE-2026-7216 | donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd create_sketch Tool processing_server.py sketch_name path traversal
2 weeks 6 days ago
A vulnerability, which was classified as critical, has been found in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketch_name causes path traversal.
This vulnerability is registered as CVE-2026-7216. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
The project was informed of the problem early through an issue report but has not responded yet.
vuldb.com
Submit #802120: Deepractice PromptX 2.4.0 Improper Authorization [Accepted]
2 weeks 6 days ago
Submit #802120 / VDB-359817
BruceJin
CVE-2026-7215 | egtai gmx-vmd-mcp up to 0.1.0 VMD Launch mcp_server.py launch_vmd_gui_tool structure_file/trajectory_file command injection
2 weeks 6 days ago
A vulnerability classified as critical was found in egtai gmx-vmd-mcp up to 0.1.0. This issue affects the function launch_vmd_gui_tool of the file mcp_server.py of the component VMD Launch Handler. The manipulation of the argument structure_file/trajectory_file results in command injection.
This vulnerability is cataloged as CVE-2026-7215. The attack may be launched remotely. Furthermore, there is an exploit available.
The project was informed of the problem early through an issue report but has not responded yet.
vuldb.com
Submit #802090: donchelo processing-claude-mcp-bridge e017b20a4b592a45531a6392f494007f04e661bd Path Traversal [Accepted]
2 weeks 6 days ago
Submit #802090 / VDB-359816
CPT_Penner
Submit #802087: egtai gmx-vmd-mcp 0.1.0 Command Injection [Accepted]
2 weeks 6 days ago
Submit #802087 / VDB-359815
SmallW
Under Active Fire: CISA Warns of New Exploits in Samsung, SimpleHelp, and D-Link Hardware
2 weeks 6 days ago
The United States Cybersecurity and Infrastructure Security Agency (CISA) has once again augmented its repository of vulnerabilities identified
The post Under Active Fire: CISA Warns of New Exploits in Samsung, SimpleHelp, and D-Link Hardware appeared first on Penetration Testing Tools.
ddos
PyPI package with 1.1M monthly downloads hacked to push infostealer
2 weeks 6 days ago
An attacker pushed a malicious version of the popular elementary-data package Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. [...]
Bill Toulas