Aggregator

Submit #802230 / VDB-359821

A publicly accessible JavaScript file on ClickUp’s homepage has been silently leaking nearly a thousand corporate and government email addresses, including employees from Fortinet, Home Depot, Tenable, Mayo Clinic, and U.S. state government workers, through a hardcoded third-party API key that was first reported in January 2025 and remains unrotated as of April 2026. The […]

The post ClickUp’s Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants appeared first on Cyber Security News.

A vulnerability was found in Totolink N300RT 3.4.0-B20250430 and classified as critical. This affects an unknown function of the file /boafrm/formIpQoS. Executing a manipulation of the argument entry_name can lead to buffer overflow. This vulnerability appears as CVE-2026-7219. The attack may be performed from remote. In addition, an exploit is available.

A vulnerability has been found in Totolink N300RT 3.4.0-B20250430 and classified as critical. The impacted element is the function is_cmd_string_valid of the file /boafrm/formWsc of the component libapmib.so. Performing a manipulation of the argument localPin results in buffer overflow. This vulnerability is reported as CVE-2026-7218. The attack is possible to be carried out remotely. Moreover, an exploit is present.

Submit #802138 / VDB-359820

A researcher discovered five different exploit paths that stem from an architectural weakness in how Windows' Remote Procedure Call (RPC) mechanism handles connections to unavailable services.

欧洲批准了 Moderna 研发的基于 mRNA 技术的流感和 COVID-19 联合疫苗。被称为 mRNA-1083 或 mCOMBRIAX 的疫苗成为全球首个获得批准的针对这两种呼吸道病毒的联合疫苗。疫苗获批是基于一项 4000 名成年人参与的 III 期临床试验结果。试验分为两组，一组为 50-64 岁的受试者，与标准流感疫苗进行比较；另一组为 65 岁及以上的受试者，与高剂量流感疫苗进行比较。两组受试者中，相对于对照组 mCOMBRIAX 疫苗都能诱导对常见流感病毒株（A/H1N1、A/H3N2 和 B/Victoria）以及 SARS-CoV-2 病毒产生统计上显著更高的免疫反应。试验未发现安全性或不良反应方面的问题。

A vulnerability, which was classified as critical, was found in Deepractice PromptX up to 2.4.0. The affected element is the function read_docx/read_xlsx/read_pptx/list_xlsx_sheets/read_pdf of the file packages/mcp-office/src/index.ts of the component Document File Handler. Such manipulation of the argument path leads to absolute path traversal. This vulnerability is documented as CVE-2026-7217. The attack can be executed remotely. Additionally, an exploit exists. The project was informed of the problem early through an issue report but has not responded yet.

Submit #808194 / VDB-359819

Submit #802127 / VDB-359818

Kerlab A Rust implementation of Kerberos for FUn and Detection Kerlab was developed just to drill down kerberos protocol and

The post Inside the Protocol: Master Kerberos Defense and Detection with Kerlab’s Rust Toolkit appeared first on Penetration Testing Tools.

The operation, identified by the Digital Forensic Research Lab (DFRLab), was part of Spamouflage, a long-running influence network linked to Beijing.

A vulnerability, which was classified as critical, has been found in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketch_name causes path traversal. This vulnerability is registered as CVE-2026-7216. Remote exploitation of the attack is possible. Furthermore, an exploit is available. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

Submit #802120 / VDB-359817

A vulnerability classified as critical was found in egtai gmx-vmd-mcp up to 0.1.0. This issue affects the function launch_vmd_gui_tool of the file mcp_server.py of the component VMD Launch Handler. The manipulation of the argument structure_file/trajectory_file results in command injection. This vulnerability is cataloged as CVE-2026-7215. The attack may be launched remotely. Furthermore, there is an exploit available. The project was informed of the problem early through an issue report but has not responded yet.

Submit #802090 / VDB-359816

Submit #802087 / VDB-359815

The United States Cybersecurity and Infrastructure Security Agency (CISA) has once again augmented its repository of vulnerabilities identified

The post Under Active Fire: CISA Warns of New Exploits in Samsung, SimpleHelp, and D-Link Hardware appeared first on Penetration Testing Tools.

An attacker pushed a malicious version of the popular elementary-data package Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. [...]

2026 年 4 月 22 日，网络安全研究人员发现了一个影响所有基于 Firefox 内核浏览器的严重隐私漏