Aggregator
The next cybersecurity puzzle: verifying AI agents
1 month 2 weeks ago
The next major frontier in cybersecurity is not how to protect AI, but how to trust it.
Supply-chain security in the AI era: the new boundaries of enterprise risk management, as seen through CISA's guidance
1 month 2 weeks ago
The US Cybersecurity and Infrastructure Security Agency (CISA) and its G7 partners have published guidance on the minimum elements of an AI software bill of materials (AI SBOM).
ChromaToast Exploit: Unpatched CVSS 10.0 Flaw Grants Pre-Auth RCE in ChromaDB Python Server
1 month 2 weeks ago
A critical authentication-bypass vulnerability that enables unauthenticated remote code execution (RCE) has been identified in the ChromaDB Python server.
The Silent Blackout: Unpatched Huawei Router Zero-Day Crushed Luxembourg’s Telecom Grid
1 month 2 weeks ago
During the previous summer season, the sovereign nation of Luxembourg suffered a catastrophic, near-total collapse of its domestic
GitHub links repo breach to TanStack npm supply-chain attack
1 month 2 weeks ago
GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension, compromised in last week's TanStack npm supply-chain attack. [...]
Sergiu Gatlan
RTX 5090DV2 graphics card added to China's customs ban list
1 month 2 weeks ago
Last Friday, Chinese customs added the RTX 5090DV2, the graphics card NVIDIA introduced last August to comply with US export-control rules, to its ban list. The list originally covered the H200 and the H20; the H20 is another China-specific chip NVIDIA previously sold in the Chinese market. On major e-commerce platforms such as JD.com and Taobao the RTX 5090DV2 is still on sale at 18,000 to 22,000 yuan, meaning existing stock can still be sold as normal, but with imports cut off, supply will steadily dwindle.
GitHub breach possibly triggered by an employee installing the malicious Nx Console extension; further details await investigation
1 month 2 weeks ago
The incident is still under investigation.
Cisco: patch the maximum-severity (CVSS 10.0) unauthorized API access vulnerability in Secure Workload now
1 month 2 weeks ago
Patch without delay.
Discord adds end-to-end encryption to voice and video calls by default
1 month 2 weeks ago
Discord now enables end-to-end encryption by default for all voice and video calls, making conversations inaccessible even to the platform itself. No announcement fanfare, no opt-in required, no settings to dig through. Discord flipped a switch on Monday and end-to-end encryption is now the default for every voice and video call on the platform. If […]
Pierluigi Paganini
Guide: how to choose a DLP system in 2026
1 month 2 weeks ago
Why the old selection criteria no longer work and what to look at now.
Suspected return of Coruna: npm package art-template hit by supply-chain attack and turned into an iOS exploit delivery vehicle
1 month 2 weeks ago
The attacker gained control of the open-source project art-template by posing as someone "taking over maintenance", then planted malicious code in versions 4.13.5 and 4.13.6. When a downstream application invokes the malicious code, it injects a remote script loader into the user's browser and redirects iOS Safari users to a watering-hole site hosting an exploit framework resembling Coruna.
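Because the compromise is tied to two specific published versions, the practical first check is whether any lockfile in your estate resolved art-template to 4.13.5 or 4.13.6, including as a transitive dependency nested under another package. The following Python is an added example written for this page, not code from the art-template project or from the report above; it assumes the two version numbers named in the report and scans both the flat `packages` map of npm lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1. The sample lockfiles are constructed for the demonstration.

```python
import json

# Versions the report above names as carrying the injected loader (assumption:
# these two exact release strings are the complete set to flag).
COMPROMISED = {"art-template": {"4.13.5", "4.13.6"}}


def _walk_v1(deps, path, hits):
    """Recurse through a lockfileVersion 1 'dependencies' tree, recording
    every install of a compromised version with its node_modules path."""
    for name, meta in (deps or {}).items():
        here = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        ver = meta.get("version")
        if ver in COMPROMISED.get(name, ()):
            hits.append((here, name, ver))
        _walk_v1(meta.get("dependencies"), here, hits)


def find_compromised(lock_json):
    """Return a sorted list of (install_path, package, version) for every
    install in a package-lock.json document whose version is on the
    compromised list. Accepts the JSON text or an already-parsed dict."""
    lock = json.loads(lock_json) if isinstance(lock_json, str) else lock_json
    hits = []
    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
        for path, meta in packages.items():
            if not path:
                continue
            # Aliased installs carry an explicit "name"; otherwise the package
            # name (scoped or not) is whatever follows the last "node_modules/".
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            ver = meta.get("version")
            if ver in COMPROMISED.get(name, ()):
                hits.append((path, name, ver))
    else:
        # lockfileVersion 1: nested tree, transitive installs live under their parent.
        _walk_v1(lock.get("dependencies"), "", hits)
    return sorted(hits)


# Constructed sample lockfiles (not real project data).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/art-template": {"version": "4.13.6"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/some-lib/node_modules/art-template": {"version": "4.13.2"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "some-lib": {"version": "2.0.0",
                     "dependencies": {"art-template": {"version": "4.13.5"}}},
        "express": {"version": "4.19.2"},
    },
})

if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for path, name, ver in find_compromised(lock):
            print(f"{path}: {name}@{ver} is a known-compromised release")
```

Point `find_compromised` at the contents of every package-lock.json (and, with the same version set, any yarn or pnpm lockfile parser you already use). A `package.json` range such as `^4.13.0` tells you nothing on its own; only the resolved version in the lockfile shows whether a build actually pulled one of the two poisoned releases.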
Security alert: multiple vulnerabilities in Trend Micro products including TrendAI Apex One (published)
1 month 2 weeks ago
Google accidentally publishes exploit code for an unpatched Chromium vulnerability
1 month 2 weeks ago
On Wednesday Google publicly disclosed exploit code for an unpatched Chromium vulnerability that affects every user of a Chromium-based browser. Independent security researcher Lyra Rebane reported the bug to Google at the end of 2022, but 29 months later it still has not been fixed. On Wednesday morning Google disclosed the bug in the Chromium bug tracker; Rebane initially assumed it had been patched, only to find that it had not. Google later deleted the post, but its contents had already been archived by other sites. The bug abuses Chromium's Fetch API to keep a Service Worker persistently active; a malicious website can use JavaScript to make that Service Worker open connections, monitor part of the user's activity, and act as a proxy for reaching websites and launching DDoS attacks. Security researchers consider it a serious vulnerability: effectively a limited backdoor that turns the browser into part of a botnet.
30 years of resort archives in the hands of fraudsters: booking systems confirm theft of customer data
1 month 2 weeks ago
The attackers obtained the home addresses, phone numbers and travel itineraries of millions of families.
Linux ELF shellcode generation and fileless execution in practice
1 month 2 weeks ago
半块西瓜皮
CVE-2026-1543 | themefusion Avada Builder Plugin up to 3.15.2 on WordPress Dynamic Data Feature cross site scripting
1 month 2 weeks ago
A vulnerability was found in themefusion Avada Builder Plugin up to 3.15.2 on WordPress and classified as problematic. This issue affects some unknown processing of the component Dynamic Data Feature. Executing a manipulation can lead to cross site scripting.
The identification of this vulnerability is CVE-2026-1543. The attack may be launched remotely. There is no exploit available.
It is suggested to upgrade the affected component.
vuldb.com
CVE-2026-2734 | MLflow up to 3.9.x REST API BEFORE_REQUEST_VALIDATORS/AFTER_REQUEST_HANDLERS access control
1 month 2 weeks ago
A vulnerability has been found in MLflow up to 3.9.x and classified as critical. This vulnerability affects unknown code of the component REST API. Performing a manipulation of the argument BEFORE_REQUEST_VALIDATORS/AFTER_REQUEST_HANDLERS results in improper access controls.
This vulnerability was named CVE-2026-2734. The attack may be initiated remotely. There is no available exploit.
The affected component should be upgraded.
vuldb.com
CVE-2026-6279 | themefusion Avada Builder Plugin up to 3.15.2 on WordPress AJAX Endpoint get_value injection
1 month 2 weeks ago
A vulnerability, which was classified as critical, was found in themefusion Avada Builder Plugin up to 3.15.2 on WordPress. This affects the function Fusion_Builder_Conditional_Render_Helper::get_value of the component AJAX Endpoint. Such manipulation leads to injection.
This vulnerability is uniquely identified as CVE-2026-6279. The attack can be launched remotely. No exploit exists.
You should upgrade the affected component.
vuldb.com
Capture The Flag is finished: neural networks have turned security competitions into a contest of wallets
1 month 2 weeks ago
Objectively measuring genuine skill is now entirely impossible.