Aggregator

本文详细剖析了一个由配置失误（JWT 密钥硬编码）与后端沙箱设计缺陷导致RCE

随着 Claude Code 的普及，大量用户选择通过第三方中转站（API Proxy）来使用 Claude 模型。然而，中转站作为用户与官方 API 之间的中间层，天然具备篡改请求和响应的能力。本文将从上下文空间异常、模型造假、提示词投毒三个维度，揭示中转站可能存在的安全风险，并给出对应的检测方法。

Кликнул на сообщение — потерял все пароли, токены 2FA и три месяца переписки.

Name: PolyPwnCTF 2026 (an PolyPwnCTF event.)
Date: March 21, 2026, 10 a.m. — 21 March 2026, 21:00 UTC  [add to calendar]
Format: Jeopardy
On-site
Location: Polytechnique Montréal
Offical URL: https://polypwn.polycyber.io/
Rating weight: 0.00
Event organizers: PolyCyber

Name: ZeroDays CTF 2026 (an ZeroDays CTF event.)
Date: March 21, 2026, 10 a.m. — 21 March 2026, 17:00 UTC  [add to calendar]
Format: Jeopardy
On-site
Location: Dublin, Ireland
Offical URL: http://www.zerodays.ie/
Rating weight: 0
Event organizers: Ireland without the RE

Name: Undutmaning 2026 (an Undutmaning event.)
Date: March 21, 2026, 11 a.m. — 21 March 2026, 19:00 UTC  [add to calendar]
Format: Jeopardy
On-line
Offical URL: https://undutmaning.se/
Rating weight: 33.00
Event organizers: Undutmaning

BLE 蓝牙协议：对智能设备的BLE抓包实战 (HCI + 空口)

基于ICSim模拟can总线来学习车辆网安全，学习伪造攻击和重放攻击基础

更近一步的针对protobuf协议分析的技巧的总结

PSWA 是 Windows Server 2012 中引入的一个 Windows Server 功能，作为一个网关，提供基于网页的 PowerShell 控制台。它允许管理员从未运行Windows操作系统或未安装PowerShell的设备，在远程计算机上执行关键管理任务，但也有可能被滥用。

简单分享一下自己在比赛中的解题过程和理解

本文仅分享某AI项目漏洞挖掘过程，不涉及poc以及任何黑盒测试内容，感兴趣的师傅可以自行复现

为积极响应国家关于加强软件工程学科建设与系统安全人才培养的战略部署，特举办软件系统安全赛。本赛事面向大学生，聚焦大型工业软件、关键基础软件等核心领域软件漏洞的挖掘、攻击与修复，通过模拟真实场景的攻防对抗，全面提升大学生在软件系统安全领域的实战能力。 通过此项科技创新活动，有效提高学生的软件系统安全攻防水平、创新意识与团队协作精神，加强高校间的学术交流，推动软件工程与网络安全人才培养体系的深化改革和

CVE-2026-31975：Cloud CLI WebSocket Shell OS命令注入漏洞分析

Анализ трафика показал рекламу, трекеры, сторонние SDK и даже подмену серверов в одном из популярных клиентов.

该漏洞出自Xiaomi路由器BE10000 Pro 稳定版 存在授权后远程RCE漏洞

ida-pro decompile InitializeListHead

23-го апреля 2026-го года в Москве пройдет CIRF- конференция про ИБ свободная от официоза.

A vulnerability was found in phpseclib up to 1.0.26/2.0.51/3.0.49. It has been classified as problematic. Affected by this vulnerability is an unknown functionality. This manipulation causes observable timing discrepancy. The identification of this vulnerability is CVE-2026-32935. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability identified as problematic has been detected in NaturalIntelligence fast-xml-parser up to 5.5.5. Affected is the function replaceEntitiesValue. Performing a manipulation results in xml entity expansion. This vulnerability is identified as CVE-2026-33036. The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component.