Aggregator

Two recently fixed prompt injections in Salesforce Agentforce and Microsoft Copilot would have enabled an external attacker to leak sensitive data.

A vulnerability was found in fastify reply-from and http-proxy and classified as critical. The affected element is the function rewriteRequestHeaders of the component Header Handler. Such manipulation of the argument Connection leads to improper neutralization of http headers for scripting syntax. This vulnerability is traded as CVE-2026-33805. The attack may be launched remotely. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability has been found in Beaver Builder Plugin up to 2.10.1.2 on WordPress and classified as critical. Impacted is an unknown function. This manipulation causes sql injection. This vulnerability appears as CVE-2026-40744. The attack may be initiated remotely. There is no available exploit.

A vulnerability, which was classified as critical, was found in VillaTheme COMPE Plugin up to 1.1.4 on WordPress. This issue affects some unknown processing. The manipulation results in authorization bypass. This vulnerability is reported as CVE-2026-40737. The attack can be launched remotely. No exploit exists.

A vulnerability, which was classified as critical, has been found in Themeum Tutor LMS Plugin up to 3.9.7 on WordPress. This vulnerability affects unknown code. The manipulation leads to missing authorization. This vulnerability is documented as CVE-2026-40740. The attack can be initiated remotely. There is not any exploit available.

A vulnerability classified as critical was found in ThemeGrill Demo Importer Plugin up to 2.0.0.6 on WordPress. This affects an unknown part. Executing a manipulation can lead to missing authorization. This vulnerability is registered as CVE-2026-40730. It is possible to launch the attack remotely. No exploit is available.

A vulnerability classified as critical has been found in Nelio AB Testing Plugin up to 8.2.8 on WordPress. Affected by this issue is some unknown functionality. Performing a manipulation results in missing authorization. This vulnerability is cataloged as CVE-2026-40742. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability described as critical has been identified in BlockArt Magazine Blocks Plugin up to 1.8.3 on WordPress. Affected by this vulnerability is an unknown functionality. Such manipulation leads to missing authorization. This vulnerability is listed as CVE-2026-40728. The attack may be performed from remote. There is no available exploit.

A vulnerability marked as critical has been reported in Mattermost up to 10.11.12/11.3.2/11.4.2/11.5.0. Affected is an unknown function. This manipulation causes time-of-check time-of-use. This vulnerability is tracked as CVE-2026-3590. The attack is possible to be carried out remotely. No exploit exists. It is suggested to upgrade the affected component.

ShinyHunters hackers leak 7.54 GB of Rockstar Games data from Snowflake analytics systems, confirming no player records or personal information were exposed.

4月15日，绿盟科技CERT监测到微软发布4月安全更新补丁，修复了165个安全问题，涉及Windows、Microsoft Office、Microsoft SQL Server、Microsoft .NET Framework、Azure等广泛使用的产品，其中包括权限提升、远程代码执行等高危漏洞类型。

AI辅助还原Coruna漏洞利用链混淆代码

Microsoft confirmed on Tuesday that some Windows Server 2025 devices will boot into BitLocker recovery after installing the April 2026 KB5082063 Windows security update. [...]

Mirax, a new Android RAT, spread via Meta ads, infected 220,000 users and turns devices into SOCKS5 proxies, giving attackers full remote control. Mirax is a new Android remote access trojan spreading through ads on Meta platforms, targeting mainly Spanish-speaking users and reaching over 220,000 accounts. The malicious code lets attackers fully control infected devices […]

分享一篇文章。

2026年4月15日（北京时间），微软发布了2026年4月安全更新，共发布了247个CVE的补丁程序，比上月增多了154个。

2026年4月14日，深瞳漏洞实验室监测到一则Axios组件存在服务器端伪造请求（SSRF）漏洞的信息，漏洞编号：CVE-2026-40175，漏洞威胁等级：严重。

Cybercriminals have found a quiet way to sit inside a corporate email account and read everything being sent and received — without the account owner ever knowing. Attackers are now abusing a built-in Microsoft 365 feature called mailbox rules to silently intercept business emails, redirect financial communications, and suppress security notifications, all while staying completely […]

The post Hackers Create Hidden Mailbox Rules in Microsoft 365 to Intercept Sensitive Business Emails appeared first on Cyber Security News.

История о том, как обычный маршрутизатор стал соучастником крупного преступления.

Few technologies have moved from experimentation to boardroom mandate as quickly as AI. Across industries, leadership teams have embraced its broader potential, and boards, investors, and executives are already pushing organizations to adopt it across operational and security functions. Pentera’s AI Security and Exposure Report 2026 reflects that momentum: every CISO surveyed