Aggregator

A vulnerability was found in PbootCMS up to 3.2.12. It has been declared as critical. Affected by this issue is some unknown functionality of the file apps/admin/controller/system/UserController.php of the component Backend. Executing a manipulation of the argument Field can lead to improper access controls. This vulnerability appears as CVE-2026-4514. The attack may be performed from remote. In addition, an exploit is available.

Submit #773907 / VDB-352079

A vulnerability was found in vanna-ai vanna up to 2.0.2. It has been classified as critical. Affected by this vulnerability is the function ask of the file vanna\legacy\base\base.py. Performing a manipulation results in sql injection. This vulnerability is reported as CVE-2026-4513. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in vanna-ai vanna up to 2.0.2 and classified as critical. Affected is the function exec of the file /src/vanna/legacy. Such manipulation leads to injection. This vulnerability is documented as CVE-2026-4511. The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

Ждать сутки и перезагружать смартфон ради одного сомнительного файла? А что, идея.

A vulnerability has been found in PbootCMS up to 3.2.12 and classified as problematic. This impacts the function alert_location of the file apps/home/controller/MemberController.php of the component Parameter Handler. This manipulation of the argument backurl causes cross site scripting. This vulnerability is registered as CVE-2026-4510. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability, which was classified as critical, was found in PbootCMS up to 3.2.12. This affects an unknown function of the file core/function/file.php of the component File Upload. The manipulation of the argument black results in incomplete blacklist. This vulnerability is cataloged as CVE-2026-4509. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, has been found in PbootCMS up to 3.2.12. The impacted element is the function checkUsername of the file apps/home/controller/MemberController.php of the component Member Login. The manipulation of the argument Username leads to sql injection. This vulnerability is listed as CVE-2026-4508. The attack may be initiated remotely. In addition, an exploit is available.

Submit #773906 / VDB-352078

Submit #773905 / VDB-352077

美国国家网络总监肖恩·凯恩克罗斯于本周二表示，特朗普政府无意征召私营部门开展进攻性网络行动，而是希望通过与私营部门合作，助力美国政府向网络对手主动出击。 近期发布的美国国家网络战略中，提及了将激励企业干扰对手网络的相关内容。 凯恩克罗斯在奥本大学麦克里研究所主办的活动上表示：“我所说的，并非让私营部门、行业或企业开展进攻性网络行动。我所指的，是私营部门的技术能力——即他们凭借自身掌握的信息，照亮网络战场、共享情报信息，从而帮助美国政府提前响应、抢占先机的能力。” 近年来，美国共和党部分圈子重新兴起了一种呼声：支持美国企业针对恶意黑客开展破坏性或进攻性行动，或至少为美国政府的进攻性网络行动提供协助。部分企业也已对此表现出兴趣，尤其是如果相关法律做出调整、让此类行动更具合法性的话。 这一趋势与特朗普政府官员日益高涨的呼声同步——如今随着网络安全战略的发布，官方明确提出要对黑客采取主动进攻姿态。但凯恩克罗斯再次强调，战略中“塑造对手行为”的核心支柱，不仅限于开展进攻性网络行动，还包括动用法律、外交等其他政府机制向黑客施压。 他表示，在私营部门的协助下，美国政府能够“以更灵活的方式”影响对手的“风险权衡”。 凯恩克罗斯称：“私营部门拥有极为强大的能力，而如今美国政府手握‘长矛’……我们正在寻求真正的合作关系。” 美国政府向网络对手主动出击的重要途径之一，是联邦调查局（FBI）用于削弱对手能力的“联合有序行动”。在同一场活动上，FBI网络安全部负责人也表示，私营部门是此类行动的核心关键。 FBI网络安全部主管布雷特·莱瑟曼称：“我刚才提到的、FBI针对俄罗斯、伊朗及其他国家对手开展的、旨在清除其网络能力的每一次联合有序行动，之所以能够落地，都是因为有受害者站出来与FBI配合。” 他向在场听众呼吁：“我想给所有人的一个核心建议是：‘一旦发生数据泄露，你联系当地FBI办事处的预案是什么？’我可以明确说，这么做几乎不会给你带来任何法律责任，我们也很乐意与你的外部或内部法律顾问沟通；但反过来，这么做能给你带来的收益极为可观。” 本次官方澄清，核心是回应外界对特朗普政府新国家网络战略的最大争议：是否会放开对私营企业“黑客反击（Hack Back）”的法律限制。

Submit #773904 / VDB-352076

Submit #773901 / VDB-352075

Submit #773900 / VDB-352074

The Justice Department said on Thursday evening that the Aisuru, KimWolf, JackSkid and Mossad botnets were used to target victims with distributed denial-of-service (DDoS) attacks that overloaded websites and made them unreachable.

The Aisuru, Kimwolf, JackSkid and Mossad botnets enabled cybercriminals to initiate thousands of attacks. A crackdown targeting large-scale botnets continues amid growing challenges.

The post Justice Department disrupts botnet networks that hijacked 3 million devices appeared first on CyberScoop.