Aggregator

A researcher discovered five different exploit paths that stem from an architectural weakness in how Windows' Remote Procedure Call (RPC) mechanism handles connections to unavailable services.

欧洲批准了 Moderna 研发的基于 mRNA 技术的流感和 COVID-19 联合疫苗。被称为 mRNA-1083 或 mCOMBRIAX 的疫苗成为全球首个获得批准的针对这两种呼吸道病毒的联合疫苗。疫苗获批是基于一项 4000 名成年人参与的 III 期临床试验结果。试验分为两组，一组为 50-64 岁的受试者，与标准流感疫苗进行比较；另一组为 65 岁及以上的受试者，与高剂量流感疫苗进行比较。两组受试者中，相对于对照组 mCOMBRIAX 疫苗都能诱导对常见流感病毒株（A/H1N1、A/H3N2 和 B/Victoria）以及 SARS-CoV-2 病毒产生统计上显著更高的免疫反应。试验未发现安全性或不良反应方面的问题。

A vulnerability, which was classified as critical, was found in Deepractice PromptX up to 2.4.0. The affected element is the function read_docx/read_xlsx/read_pptx/list_xlsx_sheets/read_pdf of the file packages/mcp-office/src/index.ts of the component Document File Handler. Such manipulation of the argument path leads to absolute path traversal. This vulnerability is documented as CVE-2026-7217. The attack can be executed remotely. Additionally, an exploit exists. The project was informed of the problem early through an issue report but has not responded yet.

Submit #808194 / VDB-359819

Submit #802127 / VDB-359818

Kerlab A Rust implementation of Kerberos for FUn and Detection Kerlab was developed just to drill down kerberos protocol and

The post Inside the Protocol: Master Kerberos Defense and Detection with Kerlab’s Rust Toolkit appeared first on Penetration Testing Tools.

The operation, identified by the Digital Forensic Research Lab (DFRLab), was part of Spamouflage, a long-running influence network linked to Beijing.

A vulnerability, which was classified as critical, has been found in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketch_name causes path traversal. This vulnerability is registered as CVE-2026-7216. Remote exploitation of the attack is possible. Furthermore, an exploit is available. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

Submit #802120 / VDB-359817

A vulnerability classified as critical was found in egtai gmx-vmd-mcp up to 0.1.0. This issue affects the function launch_vmd_gui_tool of the file mcp_server.py of the component VMD Launch Handler. The manipulation of the argument structure_file/trajectory_file results in command injection. This vulnerability is cataloged as CVE-2026-7215. The attack may be launched remotely. Furthermore, there is an exploit available. The project was informed of the problem early through an issue report but has not responded yet.

Submit #802090 / VDB-359816

Submit #802087 / VDB-359815

The United States Cybersecurity and Infrastructure Security Agency (CISA) has once again augmented its repository of vulnerabilities identified

The post Under Active Fire: CISA Warns of New Exploits in Samsung, SimpleHelp, and D-Link Hardware appeared first on Penetration Testing Tools.

An attacker pushed a malicious version of the popular elementary-data package Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. [...]

2026 年 4 月 22 日，网络安全研究人员发现了一个影响所有基于 Firefox 内核浏览器的严重隐私漏

An oversight within a security remediation has inadvertently carved a novel path for exploitation. While the developers successfully

The post The Zero-Click Ghost: How an Incomplete Patch Left Windows Open to Fancy Bear’s Credential Theft appeared first on Penetration Testing Tools.

A vulnerability classified as critical has been found in eghuzefa engineer-your-data up to 0.1.3. This vulnerability affects the function read_file/write_file/list_files/file_inf of the file src/server.py. The manipulation of the argument WORKSPACE_PATH leads to path traversal. This vulnerability is listed as CVE-2026-7214. The attack may be initiated remotely. In addition, an exploit is available. The project was informed of the problem early through an issue report but has not responded yet.

DNS-фильтрация не требует установки приложений, но может ошибочно блокировать легальные сайты.

A Chinese national accused of being a member of a state-backed hacking group that allegedly broke into systems to steal COVID-19 vaccine information has been extradited to the U.S. from Milan.

Security researchers at Kaspersky Lab have identified a surreptitious methodology within Windows to obtain absolute systemic hegemony—a vulnerability

The post The “Unpatchable” Ghost: How PhantomRPC Turns Windows Architecture Against Itself for SYSTEM Control appeared first on Penetration Testing Tools.