Aggregator

好的，我现在需要帮用户总结一篇文章的内容，控制在100字以内，并且不需要特定的开头。首先，我得仔细阅读用户提供的文章内容。 文章主要讲的是iOS版ChatGPT应用中存在一个逻辑漏洞。具体来说，OpenAI在验证Apple Pay收据时，虽然检查了加密的真实性，但没有验证购买者的Apple ID是否与接收Plus升级的账户匹配。这意味着只要有有效的已付款收据，就可以在任何账户上激活ChatGPT Plus，而不管原始购买者是谁。 这个漏洞带来的影响是，只需一份约2.5-3美元的收据，就能在无限数量的账户上激活Plus服务。这不仅导致收入损失，还可能引发不公平的系统滥用。文章还建议了一些缓解措施，比如将收据绑定到购买者身份、限制收据只能使用一次，以及添加设备或账户指纹识别。 接下来，我需要将这些信息浓缩到100字以内。首先确定关键点：漏洞的位置、问题所在、影响以及建议的解决方案。然后用简洁的语言把这些点连贯起来。 可能的结构是：先说明漏洞的存在和问题，接着描述影响，最后提到缓解措施。这样既全面又简洁。 现在试着组织语言：“iOS版ChatGPT应用存在逻辑漏洞：OpenAI未验证Apple Pay收据与购买者Apple ID匹配。这导致有效收据可在任何账户激活Plus服务，只需约2.5-3美元即可无限激活，造成收入损失和滥用风险。建议措施包括绑定身份、限制单次使用及指纹识别。” 检查一下字数是否在100字以内，并且没有使用“文章内容总结”之类的开头。看起来符合要求。 iOS版ChatGPT应用存在逻辑漏洞：OpenAI未验证Apple Pay收据与购买者Apple ID匹配。这导致有效收据可在任何账户激活Plus服务，只需约2.5-3美元即可无限激活，造成收入损失和滥用风险。建议措施包括绑定身份、限制单次使用及指纹识别。

Альтернативный клиент связали с зависшими обновлениями iOS 26.4.1, хотя прямых доказательств причины пока нет.

OpenAI has officially launched the expanded phase of its Trusted Access for Cyber program. Granting select organizations access to its specialized GPT-5.4-Cyber model to strengthen digital defenses across critical infrastructure, financial services, and open-source security communities. The program operates on a tiered trust model advanced AI cyber capabilities are made broadly available to defenders, but access scales based on […]

The post OpenAI Expands Cyber Defense Program With GPT-5.4-Cyber Access for Trusted Organizations appeared first on Cyber Security News.

Конец эпохи проверочных SMS?

A vulnerability has been found in vibrantlabsai RAGAS up to 0.4.3 and classified as critical. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi_modal_faithfulness/util.py of the component Collections Module. Performing a manipulation of the argument retrieved_contexts results in server-side request forgery. This vulnerability is identified as CVE-2026-6587. The attack can be initiated remotely. Additionally, an exploit exists. The security patch for CVE-2025-45691 was applied to a different module only. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #791088 / VDB-358222

A vulnerability, which was classified as critical, was found in TransformerOptimus SuperAGI up to 0.0.14. Impacted is the function get_budget/update_budget of the file superagi/controllers/budget.py of the component Budget Endpoint. Such manipulation leads to authorization bypass. This vulnerability is referenced as CVE-2026-6586. It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as problematic, has been found in TransformerOptimus SuperAGI up to 0.0.14. This issue affects the function update_organisation of the file superagi/controllers/organisation.py of the component Organisation Update Endpoint. This manipulation of the argument organisation_id causes authorization bypass. The identification of this vulnerability is CVE-2026-6585. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as problematic was found in TransformerOptimus SuperAGI up to 0.0.14. This vulnerability affects the function update_user of the file superagi/controllers/user.py of the component User Update Endpoint. The manipulation of the argument user_id results in authorization bypass. This vulnerability was named CVE-2026-6584. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as problematic has been found in TransformerOptimus SuperAGI up to 0.0.14. This affects the function delete_api_key/edit_api_key of the file superagi/controllers/api_key.py of the component API Key Management Endpoint. The manipulation leads to authorization bypass. This vulnerability is uniquely identified as CVE-2026-6583. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability described as critical has been identified in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details/update_vector_db/delete_vector_db of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing authentication. This vulnerability is handled as CVE-2026-6582. The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #791077 / VDB-358221

Submit #791076 / VDB-358220

Submit #791075 / VDB-358219

Submit #791074 / VDB-358218

Submit #791073 / VDB-300344

Submit #791072 / VDB-358217

Submit #791071 / VDB-300336