Aggregator

A vulnerability described as critical has been identified in CodeAstro Online Classroom 1.0. Affected is an unknown function of the file /guestdetails. Such manipulation of the argument deleteid leads to sql injection. This vulnerability is listed as CVE-2026-7196. The attack may be performed from remote. In addition, an exploit is available.

Submit #801111 / VDB-359801

Submit #801109 / VDB-359800

Medical device giant Medtronic disclosed last week that hackers breached its network and accessed data in "certain corporate IT systems." [...]

Submit #801030 / VDB-359799

A vulnerability marked as critical has been reported in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=save_product. This manipulation of the argument ID causes sql injection. This vulnerability is tracked as CVE-2026-7194. The attack is possible to be carried out remotely. Moreover, an exploit is present.

Opus 4.7 теперь блокирует учебники, PDF с игрушками и русский язык.

Submit #800977 / VDB-359798

A vulnerability labeled as problematic has been found in Cerberus FTP Server up to 2025.4.2/2026.0 on Windows. This affects an unknown function. The manipulation results in insecure preserved inherited permissions. This vulnerability is identified as CVE-2026-6265. The attack is only possible with local access. There is not any exploit available. The affected component should be upgraded.

A vulnerability identified as problematic has been detected in Ribblr Crotchet and Knitting 2.5 on iOS. The impacted element is an unknown function. The manipulation leads to authorization bypass. This vulnerability is referenced as CVE-2025-15626. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability categorized as critical has been discovered in KDE Plasma. The affected element is an unknown function of the component plasma-login-manager. Executing a manipulation can lead to privilege dropping / lowering errors. The identification of this vulnerability is CVE-2026-25710. The attack can only be executed locally. There is no exploit available. It is advisable to upgrade the affected component.

A Chinese national posed as a U.S. researcher, tricking NASA staff in a phishing campaign to steal sensitive data tied to defense software and exports. A Chinese national ran a spear-phishing campaign by posing as a U.S. researcher and tricked NASA employees into sharing sensitive information. The NASA Office of Inspector General (OIG) and federal […]

BrowserGate claims LinkedIn secretly fingerprints users via extensions and device data, sending encrypted results to third parties for tracking. BrowserGate is an investigation conducted by Fairlinked (https://browsergate.eu/), an association of commercial LinkedIn users, which documents what it describes as one of the largest data breach and corporate espionage scandals in digital history. The central thesis: […]

Dozens of browser extensions openly sell user data via privacy policy disclosures

Everything is dumb again. This week feels broken in a very familiar way. Old tricks are back. New tools are doing shady crap. Supply chains got hit. Fake help desks worked. Weird research showed how easy some attacks still are. Most of it feels like stuff we should have fixed years ago. Bad extensions. Stolen creds. Remote tools are getting abused. Malware hides in places people trust. Same

Hackers are impersonating Microsoft Teams help desk workers to trick victims into installing data-stealing malware, researchers found.

上周关注度较高的产品安全漏洞(20260420-20260426)

国家信息安全漏洞共享平台（以下简称CNVD）本周共收集、整理信息安全漏洞527个，其中高危漏洞241个、中危漏洞238个、低危漏洞48个。

Глава государства предостерег депутатов от излишних барьеров, тормозящих развитие страны

A credential-stealing malware named Vidar has quietly emerged as one of the most active threats targeting corporate employees in early 2026. Threat actors are using fake software downloads promoted through YouTube videos to trick workers into installing it on their machines, resulting in widespread theft of login credentials, browser data, and cryptocurrency wallet information. The […]

The post New Vidar Malware Campaign Uses Fake YouTube Software Downloads to Steal Corporate Credentials appeared first on Cyber Security News.