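Vulnerability description: This is an unauthenticated RCE vulnerability in SmarterMail. The RCE occurs in the ConnectToHub API method; the detailed vulnerability description is shown in the figure below:
Environment setup: Here I set up the environment directly with docker, using the following command: Next is the .NET decompiler; I use Rider and dotPeek, which is a matter of personal preference.
Vulnerability code analysis: Because most of the .NET routes are in MailService.dll, we can look directly in this dll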
A vulnerability described as problematic has been identified in Notepad++ up to 8.8.8. Affected by this vulnerability is an unknown functionality of the component WinGUp updater. Such manipulation leads to download of code without integrity check.
This vulnerability is listed as CVE-2025-15556. The attack may be performed remotely. There is no available exploit.
Upgrading the affected component is recommended.
A vulnerability marked as problematic has been reported in WP ULike Plugin up to 4.8.3.1 on WordPress. This vulnerability affects the function wp_ulike_delete_history_api. This manipulation of the argument ID causes improper control of resource identifiers.
This vulnerability appears as CVE-2026-0909. The attack may be initiated remotely. There is no available exploit.
A vulnerability was found in Kod8 Individual and SME Website up to 03022026 and classified as problematic. Affected by this vulnerability is an unknown functionality. Such manipulation leads to cross site scripting.
This vulnerability is referenced as CVE-2025-8456. It is possible to launch the attack remotely. No exploit is available.
A vulnerability marked as problematic has been reported in anthropics claude-code up to 1.0.110. Impacted is the function startsWith of the component WebFetch. This manipulation causes open redirect.
This vulnerability appears as CVE-2026-24052. The attack may be initiated remotely. There is no available exploit.
It is suggested to upgrade the affected component.
A vulnerability has been found in Seres syWEB up to 03022026 and classified as problematic. Affected is an unknown function. This manipulation causes cross site scripting.
The identification of this vulnerability is CVE-2025-8461. It is possible to initiate the attack remotely. There is no exploit available.
A vulnerability, which was classified as critical, has been found in Autodesk 3ds Max up to 2026.3.1. Affected is an unknown function of the component GIF File Parser. The manipulation leads to out-of-bounds write.
This vulnerability is uniquely identified as CVE-2026-0536. The attack can be carried out remotely. No exploit exists.
It is advisable to upgrade the affected component.
A vulnerability classified as problematic was found in Espressif ESP-IDF 5.1.6/5.2.6/5.3.4/5.4.3/5.5.2. This impacts the function wpabuf_put_data. Executing a manipulation of the argument frag_len can lead to integer underflow.
This vulnerability is handled as CVE-2026-25532. The attack can only be done within the local network. No exploit is available.
Upgrading the affected component is advised.
A vulnerability classified as critical has been found in Espressif ESP-IDF 5.1.6/5.2.6/5.3.4/5.4.3/5.5.2. This affects the function protocomm_ble of the component BLE Provisioning Transport. Performing a manipulation results in out-of-bounds read.
This vulnerability is known as CVE-2026-25508. Access to the local network is required for this attack. No exploit is available.
It is recommended to upgrade the affected component.