Aggregator

A vulnerability, which was classified as problematic, has been found in iCMS 8.0.0. The affected element is an unknown function of the file index.html of the component User Management Component. The manipulation of the argument regip/loginip leads to cross site scripting. This vulnerability is uniquely identified as CVE-2026-30661. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability classified as critical was found in FreeIPMI up to 1.16.16. Impacted is an unknown function. Executing a manipulation can lead to buffer overflow. This vulnerability is handled as CVE-2026-33554. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is advised.

A vulnerability classified as critical has been found in F5 NGINX Open Source and NGINX Plus. This issue affects the function ngx_stream_ssl_module. Performing a manipulation results in incorrect authorization. This vulnerability is known as CVE-2026-28755. Remote exploitation of the attack is possible. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability described as problematic has been identified in F5 NGINX Open Source and NGINX Plus. This vulnerability affects the function ngx_mail_smtp_module. Such manipulation leads to crlf injection. This vulnerability is traded as CVE-2026-28753. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability marked as critical has been reported in F5 NGINX Open Source. This affects the function ngx_http_mp4_module. This manipulation causes integer overflow. This vulnerability appears as CVE-2026-27784. The attack requires local access. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability labeled as problematic has been found in F5 NGINX Open Source and NGINX Plus. Affected by this issue is the function ngx_http_mp4_module. The manipulation results in out-of-bounds read. This vulnerability is reported as CVE-2026-32647. The attack requires a local approach. No exploit exists. The affected component should be upgraded.

A vulnerability identified as critical has been detected in F5 NGINX Open Source and NGINX Plus. Affected by this vulnerability is the function ngx_http_dav_module of the component DAV Module. The manipulation leads to heap-based buffer overflow. This vulnerability is documented as CVE-2026-27654. The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component.

A vulnerability categorized as problematic has been discovered in F5 NGINX Open Source and NGINX Plus. Affected is the function ngx_mail_auth_http_module of the component Response Header Handler. Executing a manipulation can lead to null pointer dereference. This vulnerability is registered as CVE-2026-27651. It is possible to launch the attack remotely. No exploit is available. It is advisable to upgrade the affected component.

A vulnerability was found in Concrete CMS 9.4.7. It has been rated as problematic. This impacts the function Download of the file concrete/controllers/backend/file.php of the component File Manager. Performing a manipulation results in denial of service. This vulnerability is cataloged as CVE-2026-30662. It is possible to initiate the attack remotely. There is no exploit available.

Over 3.1M people affected as QualDerm Partners suffered a December 2025 breach, exposing personal, medical, and health insurance data. Over 3.1 million people are affected by a December 2025 data breach at QualDerm Partners, where hackers stole personal, medical, and health insurance information from the company’s internal systems. QualDerm Partners is a U.S.-based healthcare management […]

美国多个州的司机在因酒驾定罪之后如果想要继续驾车，他们需要在汽车上安装酒精检测装置，在启动汽车前测量下酒精含量，在驾驶期间还会被随机抽查。如果没有进行检测，汽车将无法启动；驾驶期间忽略或未通过检测那么汽车将会熄火。美国最流行的酒精检测装置由 Intoxalock 公司生产，这种装置只能租赁，每月费用约为 70-120 美元。3 月 14 日 Intoxalock 遭到了网络攻击，导致其基础设施完全瘫痪，意味着安装了该公司装置的司机面临汽车被锁定的问题。Intoxalock 直到 3 月 22 日才宣布其系统恢复了正常工作，它已经表示将承担系统停止工作给用户造成的开销，包括拖车费。

The US Federal Communications Commission (FCC) has imposed a ban on all new routers manufactured overseas being imported into and sold within the United States.

The post Uncle Sam closes the door on all new foreign-made routers appeared first on Help Net Security.

За 25 лет легенду не сломили ни кризисы, ни конкуренты. Broadcom хватило три года, чтобы разрушить всё.

An AI-assisted campaign is spreading more than 300 poisoned packages for diverse assets ranging from developer tools to game cheats.

Mass General Brigham 医院集团的研究人员跟踪了逾 13 万人长达 43 年，发现常适度饮用含咖啡因的咖啡或茶饮料的人，患痴呆症的风险比很少接触咖啡因的人低 18%。研究人员强调这是相关性研究，两者不具有因果关系。研究还发现，常饮用咖啡因的人在部分认知测试中的得分更高，且更少抱怨记忆力衰退。所谓适度饮用指的是每天喝两到三杯咖啡或一到两杯茶。研究报告发表在JAMA 期刊上。

The incident responders noted that there was no evidence that data was exfiltrated during the intrusion — an unusual development considering U.S. intelligence agencies previously said Pay2Key attacks were largely conducted for information theft.

Калифорнийская пивоварня устала покупать углекислый газ… и решила поймать его сама.

Organizations have spent years accumulating fragmented identity systems: too many roles, too many credentials, too many disconnected tools. For a workforce of humans, that fragmentation was manageable. Humans log in, log out, and make decisions slowly enough that gaps in control rarely turned into immediate incidents. AI agents operate differently. “AI agents change that completely,” said Ev Kontsevoy, CEO of Teleport. “Now you’re introducing non-deterministic actors that don’t sleep, don’t follow predictable paths, and can … More →

The post The AI safety conversation is focused on the wrong layer appeared first on Help Net Security.

Ghost npm campaign fakes install logs to steal sudo passwords and drop RATs that loot crypto and data

The Dutch Ministry of Finance is investigating a cyberattack that compromised some of its internal systems, officials confirmed Monday.