Aggregator

Подростки больше не мыслят — они бездумно цитируют TikTok и ChatGPT.

Submit #583562 / VDB-310916

Vet is an open source tool designed to help developers and security engineers spot risks in their software supply chains. It goes beyond traditional software composition analysis by detecting known vulnerabilities and flagging malicious packages. Vet supports several ecosystems, including npm, PyPI, Maven, Go, Docker, and GitHub Actions, making it useful across many types of projects. One of Vet’s key features is its use of real-time malicious package detection, powered by SafeDep Cloud. It also … More →

The post Vet: Open-source software supply chain security tool appeared first on Help Net Security.

微软、CrowdStrike、Palo Alto Networks 和 Google 周一宣布将创建一个公共词汇表，规范国家支持黑客组织和网络犯罪分子的绰号，以减少不同公司为同一个黑客组织起不同绰号所引发的混淆。安全公司都制定了自己的命名规范，以微软为例，它将来自中国的黑客组织都起了 Typhoon 的姓，但其他安全公司如 CrowdStrike 可能会将同一个组织冠上 Panda 的姓。安全行业的部分人士对微软和 Google 等公司的标准化尝试不以为然。

A vulnerability classified as problematic was found in Open5GS up to 2.7.3. Affected by this vulnerability is the function ngap_handle_path_switch_request_transfer of the file src/smf/ngap-handler.c of the component NGAP PathSwitchRequest Message Handler. The manipulation leads to reachable assertion. This vulnerability is known as CVE-2025-5501. The attack can be launched remotely. Furthermore, there is an exploit available. It is recommended to apply a patch to fix this issue.

Submit #582265 / VDB-310915

A vulnerability classified as critical has been found in slackero phpwcms up to 1.9.45/1.10.8. Affected is the function is_file/getimagesize of the file image_resized.php. The manipulation of the argument imgfile leads to deserialization. This vulnerability is traded as CVE-2025-5499. It is possible to launch the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been rated as critical. This issue affects the function file_get_contents/is_file of the file include/inc_lib/content/cnt21.readform.inc.php of the component Custom Source Tab. The manipulation of the argument cpage_custom leads to deserialization. The identification of this vulnerability is CVE-2025-5498. The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in slackero phpwcms up to 1.9.45/1.10.8. It has been declared as critical. This vulnerability affects unknown code of the file include/inc_module/mod_feedimport/inc/processing.inc.php of the component Feedimport Module. The manipulation of the argument cnt_text leads to deserialization. This vulnerability was named CVE-2025-5497. The attack can be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

Submit #578083 / VDB-310914

Submit #578082 / VDB-310914

Submit #578055 / VDB-310913

Submit #578054 / VDB-310913

Submit #577999 / VDB-310912

A vulnerability was found in Netgear WNR614 1.1.0.28_1.0.1WW. It has been classified as critical. This affects an unknown part of the component URL Handler. The manipulation with the input %00currentsetting.htm leads to improper authentication. This vulnerability is uniquely identified as CVE-2025-5495. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. This issue appears to have been circulating as an 0day since 2024.

Context-Driven Insights, Automation Fuel Faster, Clearer Decisions for Cyber Teams
With its acquisition of San Francisco-based startup Fletch, F5 is embedding agentic AI into its security platform to automate threat detection and response. The technology provides real-time context, filters irrelevant alerts and helps security teams prioritize urgent risks and mitigation tasks.

Dutch Semiconductor Sector Among Chinese Targets
Chinese nation state groups ramped up espionage campaigns against Dutch critical infrastructure in recent months, said a state official who added that discussions are underway in the European Union on how to minimize Chinese threats.

Researchers in Proof of Concept Show Exploit Potential for Widely Used Software
Technical details for a recently patched maximum-severity vulnerability in Cisco IOS XE reveal how hackers can enable remote code execution if the flaw is exploited. The vulnerability is an arbitrary file upload triggered by a hardcoded JSON Web Token.

DHS Budget Proposal Reduces CISA’s Operational Core Amid Growing Global Threats
The Trump administration’s 2026 Homeland Security Department budget would cut $500 million from the Cybersecurity and Infrastructure Security Agency, eliminating over a third of its staff and gutting key programs central to federal cybersecurity and private sector engagement efforts.

A coalition of banking industry associations, including SIFA, the American Bankers Association (ABA), Bank Policy Institute (BPI), and several other lobbying groups have made a disgraceful appeal to the SEC to eliminate the rule requiring public disclosure of material cybersecurity incidents within four days of detection. This rule was established to ensure shareholders are properly informed and potential victims receive timely notice so they can take protective action, which wasn’t happening consistently before the rule … More →

The post Bankers Association’s attack on cybersecurity transparency appeared first on Help Net Security.