Aggregator

Submit #808507 / VDB-362587

Submit #808490 / VDB-362586

Submit #808489 / VDB-362585

Привычные всем лазейки закрылись в самый неподходящий момент.

A vulnerability described as critical has been identified in D-Link DCS-935L up to 1.10.01. The impacted element is the function SetDeviceSettings of the file /web/cgi-bin/hnap/hnap_service of the component HNAP Service. The manipulation of the argument AdminPassword results in buffer overflow. This vulnerability is identified as CVE-2026-8260. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability categorized as problematic has been discovered in Open5GS up to 2.7.7. The affected element is the function ogs_nas_parse_qos_rules of the component SMF. Executing a manipulation can lead to denial of service. This vulnerability is handled as CVE-2026-8270. The attack can be executed remotely. Additionally, an exploit exists. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability identified as critical has been detected in D-Link DNS-320 2.06B01. The impacted element is the function cgi_speed/cgi_dhcpd_lease/cgi_ddns/cgi_set_ip/cgi_upnp_del/cgi_dhcpd/cgi_upnp_add/cgi_upnp_edit of the file /cgi-bin/network_mgr.cgi. The manipulation leads to os command injection. This vulnerability is uniquely identified as CVE-2026-8271. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability labeled as critical has been found in D-Link DNS-320 2.06B01. This affects the function delete/rename/copy/move/chmod/chown of the file /cgi-bin/webfile_mgr.cgi. The manipulation results in os command injection. This vulnerability was named CVE-2026-8272. The attack may be performed from remote. In addition, an exploit is available.

A vulnerability marked as critical has been reported in D-Link DNS-320 2.06B01. This impacts the function cgi_set_host/cgi_set_ntp/cgi_fan_control/cgi_merge_user of the file /cgi-bin/system_mgr.cgi. This manipulation causes os command injection. The identification of this vulnerability is CVE-2026-8273. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability described as critical has been identified in npitre cramfs-tools up to 2.1. Affected is the function do_directory of the file cramfsck.c of the component Directory Handler. Such manipulation leads to path traversal. This vulnerability is referenced as CVE-2026-8274. The attack can only be performed from a local environment. Furthermore, an exploit is available. Upgrading the affected component is recommended.

A vulnerability classified as problematic has been found in bettercap up to 2.41.5. Affected by this vulnerability is the function ippReadChunkedBody of the file modules/zerogod/zerogod_ipp_primitives.go of the component zerogod IPP Service. Performing a manipulation results in integer coercion error. This vulnerability is identified as CVE-2026-8275. The attack can be initiated remotely. Additionally, an exploit exists. To fix this issue, it is recommended to deploy a patch.

A vulnerability classified as problematic was found in bettercap up to 2.41.5. Affected by this issue is some unknown functionality of the file modules/mysql_server/mysql_server.go of the component MySQL Server. Executing a manipulation can lead to integer coercion error. This vulnerability is tracked as CVE-2026-8276. The attack can be launched remotely. Moreover, an exploit is present. It is advisable to implement a patch to correct this issue.

A vulnerability identified as problematic has been detected in zephyrproject-rtos Zephyr up to 4.3. Affected is an unknown function of the component ClientHello Handler. This manipulation causes algorithm downgrade. This vulnerability is handled as CVE-2026-1677. The attack can be initiated remotely. There is not any exploit available.

A vulnerability categorized as critical has been discovered in Custom css-js-php Plugin up to 2.0.7 on WordPress. This impacts the function eval. The manipulation results in code injection. This vulnerability is known as CVE-2026-6433. It is possible to launch the attack remotely. No exploit is available.

背景CVE-2026-41940 是一个影响 cPanel & WHM 的高危未授权认证绕过漏洞。

《愤怒的小鸟（Angry Birds）》、EA Sports FIFA International Soccer、《勇者斗恶龙（Dragon Quest）》和《寂静岭》四款游戏进入了美国 The Strong 国家游戏博物馆的游戏名人堂。其它几款入围的游戏包括了《青蛙过河（Frogger）》、《小蜜蜂（Galaga）》、《英雄联盟》、《洛克人》、《说唱狗啪啦啪(PaRappa the Rapper)》、《符文之地（RuneScape）》、《上古卷轴V：天际》和《心跳回忆（Tokimeki Memorial）》。

根据美国劳工部的数据，美国 IT 行业 4 月的失业率从 3 月的 3.6% 升至 3.8%。4 月美国新增就业岗位 11.5 万个，失业率维持在 4.3%，但 IT 行业减少了 1.3 万个工作岗位。现在断言 AI 对整体就业的影响还为时尚早，但美国科技公司在宣布裁员时都将 AI 作为其中一个理由：Meta 4 月 宣布将裁员 10% 约 8000 人，理由是精简运营以及支付 AI 领域的巨额投资；耐克裁员 1400 人，主要集中在 IT 部分；等等。招聘平台 Indeed 称软件开发者的职位发布量同比增长了 15%，但雇主倾向于经验丰富的开发者，而不是应届生。

A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart released by OpenAI late last month (openai/privacy-filter), including copying the entire description

Instagram removes direct messages (DM) end-to-end encryption May 8, 2026, letting Meta access chats. Users should download backups amid privacy concerns and U.S. law pressure. Starting May 8, 2026, Instagram users who previously enabled end-to-end encryption in direct messages will lose that protection, marking a significant shift in how private conversations are handled on the […]