Aggregator

A vulnerability identified as critical has been detected in NousResearch hermes-agent 0.8.0. Affected by this vulnerability is the function _check_auth of the file gateway/platforms/api_server.py of the component API_SERVER_KEY Handler. The manipulation leads to improper authentication. This vulnerability is documented as CVE-2026-7112. The attack can be initiated remotely. Additionally, an exploit exists. The project was informed of the problem early through a pull request but has not reacted yet.

A vulnerability marked as critical has been reported in Apache Camel up to 4.14.5/4.18.1. This vulnerability affects unknown code of the component Camel-Platform-HTTP-Main. Performing a manipulation results in improper authentication. This vulnerability is cataloged as CVE-2026-40022. It is possible to initiate the attack remotely. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability labeled as critical has been found in NousResearch hermes-agent 0.8.0. Affected by this issue is some unknown functionality of the file gateway/platforms/webhook.py of the component Webhooks Endpoint. The manipulation of the argument _INSECURE_NO_AUTH results in missing authentication. This vulnerability is reported as CVE-2026-7113. The attack can be launched remotely. Moreover, an exploit is present. The project was informed of the problem early through a pull request but has not reacted yet.

A vulnerability categorized as critical has been discovered in Apache Camel up to 4.14.5/4.18.0. Affected by this vulnerability is an unknown functionality of the component camel-consul ConsulRegistry. The manipulation of the argument malicious results in deserialization. This vulnerability is identified as CVE-2026-27172. The attack can be executed remotely. There is not any exploit available. It is advisable to upgrade the affected component.

A vulnerability identified as critical has been detected in Apache Camel up to 4.14.4/4.18.0. Affected by this issue is some unknown functionality of the component CoAP URI Query Parameter Handler. This manipulation causes injection. This vulnerability is tracked as CVE-2026-33453. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.

A vulnerability, which was classified as critical, was found in Directorist Booking Plugin up to 2.4.1 on WordPress. Affected by this vulnerability is an unknown functionality. Such manipulation leads to sql injection. This vulnerability is referenced as CVE-2026-22336. It is possible to launch the attack remotely. No exploit is available.

A vulnerability marked as critical has been reported in code-projects Employee Management System 1.0. This affects an unknown part of the file 370project/edit.php. This manipulation of the argument ID causes sql injection. This vulnerability appears as CVE-2026-7114. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability described as critical has been identified in code-projects Employee Management System 1.0. This vulnerability affects unknown code of the file 370project/delete.php. Such manipulation of the argument ID leads to sql injection. This vulnerability is traded as CVE-2026-7115. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability has been found in Directorist Social Login Plugin up to 2.1.1 on WordPress and classified as critical. Affected by this issue is some unknown functionality. Performing a manipulation results in improper authentication. This vulnerability is identified as CVE-2026-22337. The attack can be initiated remotely. There is not any exploit available.

 

The post Scaling Our Vision: Welcoming Tamar Nulman and Omri Arnon to the Legit Team appeared first on Security Boulevard.

A vulnerability labeled as problematic has been found in PJSIP up to 2.11.1. Affected by this issue is some unknown functionality of the component RTP/RTCP. Executing a manipulation can lead to out-of-bounds read. This vulnerability appears as CVE-2022-21722. The attack may be performed from remote. There is no available exploit. A patch should be applied to remediate this issue.

A vulnerability marked as problematic has been reported in PJSIP up to 2.11.1. This affects an unknown part of the component SIP Message. The manipulation leads to out-of-bounds read. This vulnerability is traded as CVE-2022-21723. It is possible to initiate the attack remotely. There is no exploit available. To fix this issue, it is recommended to deploy a patch.

A vulnerability was found in Spark 1.3.x. It has been declared as problematic. Impacted is an unknown function of the component Zinc Server. The manipulation as part of Request results in improper input validation. This vulnerability is reported as CVE-2018-11804. The attack can be launched remotely. No exploit exists.

A vulnerability labeled as critical has been found in Flatpak up to 1.10.5/1.12.2. Affected by this vulnerability is an unknown functionality. The manipulation results in path traversal. This vulnerability is known as CVE-2022-21682. It is possible to launch the attack remotely. No exploit is available. The affected component should be upgraded.

A vulnerability identified as critical has been detected in PuddingBot up to 0.0.6-b933652. This vulnerability affects unknown code of the file main.py. Performing a manipulation results in hard-coded credentials. This vulnerability is reported as CVE-2022-21669. The attacker must have access to the local network to execute the attack. No exploit exists.

2025 年 3 月科学家在《科学》期刊上发表研究，Xerces Society for Invertebrate Conservation 保护协会随后发表了蝴蝶现状报告。研究发现，从 2000 年到 2020 年全美蝴蝶总数下降了 22%，有 24 种蝴蝶数量下降 90% 或以上。杀虫剂被认为是导致这一结果的主要原因。1960 年代化学公司研制出了强效杀虫剂滴滴涕（DDT），公众对滴滴涕的反对促使企业研制出弱化对人类伤害但强化对昆虫杀伤力的新杀虫剂。多种混合型杀虫剂的使用导致蝴蝶等昆虫在 21 世纪加速减少。生态学家 Matt Forister 等人在《Environmental Toxicology and Chemistry》期刊上报告，他们分析了 336 株植物只有 22 株植物没有检测到农药残留。这些植物至少含有三种化学物质，其中 71 株植物的农药浓度对蝴蝶而言是致命或接近致命。在 2022 年的一项类似研究中，Forister 团队分析了 33 家苗圃出售的 235 株乳草（对帝王蝶至关重要的植物），发现每株植物平均含有 12.2 种杀虫剂。

A new phishing campaign is actively targeting Indian taxpayers and businesses by impersonating the Income Tax Department of India. Threat actors have built convincing fake websites that look nearly identical to official government portals, using urgent language to pressure victims into downloading malware-laced files without hesitation. The attack relies on a fraudulent website displaying the […]

The post Hackers Using Fake Income Tax Department’s Notice to Deploy Malware appeared first on Cyber Security News.

Зафиксированы массовые атаки на устаревшее оборудование D-Link с использованием свежей уязвимости.

China-sponsored threat groups like Salt Typhoon and Flax Typhoon are increasingly relying on multiple massive botnets comprising edge and IoT devices to run their cyber espionage and network intrusion campaigns, CISA and other security agencies say. The use of such "covert networks" makes it more difficult to detect and mitigate their campaigns.

The post China-Backed Groups are Using Massive Botnets in Espionage, Intrusion Campaigns appeared first on Security Boulevard.

这是一篇迟到的文章，至少相比现在AI发展的速度，但其思路依然适用于当前的CVE漏洞分析，甚至会因为目前更强的模型而变得更强。在 AI 技术快速变革的当下，除了模型能力之外，我们更应当多思考如何基于 AI 构建和形成有效的工作流。