Aggregator

2026 年 4 月 22 日，网络安全研究人员发现了一个影响所有基于 Firefox 内核浏览器的严重隐私漏

An oversight within a security remediation has inadvertently carved a novel path for exploitation. While the developers successfully

The post The Zero-Click Ghost: How an Incomplete Patch Left Windows Open to Fancy Bear’s Credential Theft appeared first on Penetration Testing Tools.

A vulnerability classified as critical has been found in eghuzefa engineer-your-data up to 0.1.3. This vulnerability affects the function read_file/write_file/list_files/file_inf of the file src/server.py. The manipulation of the argument WORKSPACE_PATH leads to path traversal. This vulnerability is listed as CVE-2026-7214. The attack may be initiated remotely. In addition, an exploit is available. The project was informed of the problem early through an issue report but has not responded yet.

DNS-фильтрация не требует установки приложений, но может ошибочно блокировать легальные сайты.

A Chinese national accused of being a member of a state-backed hacking group that allegedly broke into systems to steal COVID-19 vaccine information has been extradited to the U.S. from Milan.

Security researchers at Kaspersky Lab have identified a surreptitious methodology within Windows to obtain absolute systemic hegemony—a vulnerability

The post The “Unpatchable” Ghost: How PhantomRPC Turns Windows Architecture Against Itself for SYSTEM Control appeared first on Penetration Testing Tools.

A vulnerability described as problematic has been identified in aegra. This affects an unknown part of the file /store/items/search of the component Agent Protocol Server. Executing a manipulation can lead to denial of service. This vulnerability is tracked as CVE-2026-30350. The attack can be launched remotely. No exploit exists.

Google has fixed a critical security flaw in the Gemini CLI that could allow attackers to execute remote code in certain automated workflows. The issue affects the npm package @google/gemini-cli and the google-github-actions/run-gemini-cli GitHub Action, especially when they are used in headless environments such as CI/CD pipelines. According to the security advisory, the vulnerability comes from two related weaknesses: […]

The post Critical Gemini CLI Vulnerability Enables Remote Code Execution Attacks appeared first on Cyber Security News.

A vulnerability marked as problematic has been reported in elixir-plug plug_cowboy up to 2.8.0. Affected by this issue is some unknown functionality in the library lib/plug/cowboy/conn.ex. Performing a manipulation results in allocation of resources. This vulnerability is identified as CVE-2026-32688. The attack can be initiated remotely. There is not any exploit available. It is suggested to upgrade the affected component.

A vulnerability labeled as problematic has been found in pip up to 26.0. Affected by this vulnerability is an unknown functionality of the component Self-update Check. Such manipulation leads to Local Privilege Escalation. This vulnerability is referenced as CVE-2026-6357. The attack can only be performed from a local environment. No exploit is available. The affected component should be upgraded.

A vulnerability identified as problematic has been detected in SmarterTools SmarterMail up to 100.0.9609. Affected is an unknown function of the component Attachment Download Endpoint. This manipulation causes cryptographically weak prng. The identification of this vulnerability is CVE-2026-40514. It is possible to initiate the attack remotely. There is no exploit available. You should upgrade the affected component.

A vulnerability categorized as critical has been discovered in ef10007 MLOps_MCP 1.0.0. This impacts an unknown function of the file fastmcp_server.py of the component save_file Tool. The manipulation of the argument filename/destination results in path traversal. This vulnerability was named CVE-2026-7213. The attack may be performed from remote. In addition, an exploit is available. The project was informed of the problem early through an issue report but has not responded yet.

The Harvester threat collective has re-emerged, wielding a sophisticated instrument designed to elude conventional defensive parameters. Security researchers

The post Hidden in the Cloud: Harvester’s New Linux Malware Abuses Microsoft Graph API for Invisible Espionage appeared first on Penetration Testing Tools.

Submit #802086 / VDB-359814

A vulnerability was found in edvardlindelof notes-mcp up to 0.1.4. It has been rated as critical. This affects an unknown function of the file notes_mcp.py. The manipulation of the argument root_dir/path leads to path traversal. This vulnerability is uniquely identified as CVE-2026-7212. The attack is possible to be carried out remotely. Moreover, an exploit is present. The project was informed of the problem early through an issue report but has not responded yet.

Submit #802085 / VDB-359809

A vulnerability was found in dvladimirov MCP up to 0.1.0. It has been declared as critical. The impacted element is the function GitSearchRequest of the file mcp_server.py of the component Git Search API. Executing a manipulation of the argument repo_url/pattern can lead to command injection. This vulnerability is handled as CVE-2026-7211. The attack can be executed remotely. Additionally, an exploit exists. The project was informed of the problem early through an issue report but has not responded yet.

Submit #802084 / VDB-359808

Submit #802083 / VDB-359807