Aggregator

今日暂未更新资讯~
更多最新文章，请访问SecWiki

本次内容发布原因，仅限于安全风险事项告知，仅针对同类设备存在的风险隐患作出预警提示，旨在提醒相关部门提前做好安全设防与风险管控，本内容无任何不良引导，请勿擅自模仿相关操作。 这个项目在2026年初突然火起来，很多人称它为96美元的3D打印防空导弹。 它本质上是一个极低成本的实验性制导火箭平台，展示了消费级电子+3D打印在业余/半专业制导武器原型上的潜力。 当然，实际飞行稳定性和制导精度距离真正的军用MANPADS（如毒刺、针式）还有非常非常远的距离，但作为DIY/黑客项目已经非常震撼了。 一句话评价： “用不到100美元的零件，让爱好者第一次在家里造出了带简易惯性+轨道修正的火箭原型，这件事本身就挺科幻的。”，重点：轨道修正，可见倒数几张图。 仓库包含对低成本火箭、业余制导、ESP32嵌入式开发、3D打印武器化结构的研究。 https://github.com/novatic14/MANPADS-System-Launcher-and-Rocket 火箭部分： 采用折叠尾翼 + 前翼（canard）稳定布局 搭载 ESP32 作为飞行计算机 使用 MPU6050 IMU（惯性测量单元，成本很低，大概几美元） 支持空中实时轨迹修正（recalculates mid-air trajectory） 3D打印结构件 发射器部分： 集成 GPS、电子罗盘、气压计等传感器 用于提供方位、姿态和遥测数据 设计与仿真工具： 机械结构全部用 Fusion 360 设计 用 OpenRocket 做过火箭飞行仿真（业余火箭爱好者常用软件） 成本控制： 整个硬件BOM（物料清单）控制在约96美元内，非常夸张的低成本 仓库内容概览 CAD Files/：火箭 + 发射器的完整机械设计文件（Fusion 360格式） Firmware/：火箭飞行控制器 + 发射器固件源代码（基于ESP32） Simulation/：OpenRocket 的仿真文件 README 里有：30秒项目概览、规格参数、BOM成本明细等 最后一张图为效果图。

A vulnerability was found in myAEDES App up to 1.18.4 on Android. It has been rated as problematic. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Performing a manipulation of the argument AUTH_KEY results in information disclosure. This vulnerability is identified as CVE-2026-4218. The attack is only possible with local access. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in XREAL Nebula App up to 3.2.1 on Android. It has been declared as problematic. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument accessKey/secretAccessKey/securityToken leads to key management error. This vulnerability is referenced as CVE-2026-4217. The attack can only be performed from a local environment. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #770509 / VDB-351142

A vulnerability was found in i-SENS SmartLog App up to 2.6.8 on Android. It has been classified as critical. This affects an unknown function of the component air.SmartLog.android. This manipulation causes hard-coded credentials. The identification of this vulnerability is CVE-2026-4216. The attack can only be executed locally. Furthermore, there is an exploit available. The vendor explains: "The function referenced in the report currently exists in our deployed system. It is related to a developer mode used during the configuration process for Bluetooth pairing between the blood glucose meter and the SmartLog application. This function is intended for configuration purposes related to device integration and testing. (...) [I]n a future application update, we plan to review measures to either remove the developer mode function or restrict access to it."

Submit #770503 / VDB-351141

Submit #770497 / VDB-351140

A vulnerability was found in FlowCI flow-core-x up to 1.23.01 and classified as critical. The impacted element is the function Save of the file core/src/main/java/com/flowci/core/config/service/ConfigServiceImpl.java of the component SMTP Host Handler. The manipulation results in server-side request forgery. This vulnerability was named CVE-2026-4215. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #770491 / VDB-351139

Lloyds Banking Group has launched an internal investigation after a technical error in its mobile banking applications allowed some customers to briefly see other users’ transaction details. The incident affected the mobile apps of several brands operated by the group, including Lloyds Bank, Halifax, and Bank of Scotland. According to the bank, the issue arose […]

The post Lloyds Banking Group Investigates Mobile App Data Exposure Affecting Multiple UK Banks appeared first on Centraleyes.

The post Lloyds Banking Group Investigates Mobile App Data Exposure Affecting Multiple UK Banks appeared first on Security Boulevard.

Presenter: Rik Farrow

Our thanks to USENIX Security '25 (Enigma Track) (USENIX '25 for publishing their Creators, Authors and Presenter’s tremendous USENIX Security '25 (Enigma Track) (USENIX '25 content on the Organizations' YouTube Channel.

Permalink

The post USENIX Security ’25 (Enigma Track) – Usernames, Passwords And Security appeared first on Security Boulevard.

The Payload Ransomware group claims to have breached the Royal Bahrain Hospital (RBH), a leading healthcare facility in Bahrain. The Payload Ransomware group claims to have hacked the Royal Bahrain Hospital (RBH) and stolen 110 GB of data. The ransomware gang added the healthcare facility to its Tor data leak site and published the images […]

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malware Newsletter New BoryptGrab Stealer Targets Windows Users via Deceptive GitHub Pages Inside Coruna: Reverse Engineering a Nation-State iOS Exploit Kit From JavaScript  ClipXDaemon: Autonomous X11 Clipboard Hijacker Delivered via Bincrypter-Based Loader New A0Backdoor Linked to […]

A new open-source tool called Betterleaks can scan directories, files, and git repositories and identify valid secrets using default or customized rules. [...]

A vulnerability has been found in Tuya arduino-TuyaOpen up to 1.2.0 and classified as problematic. The affected element is an unknown function of the component WiFiUDP. The manipulation leads to null pointer dereference. This vulnerability is uniquely identified as CVE-2026-28522. The attack can only be initiated within the local network. No exploit exists. The affected component should be upgraded.

A vulnerability, which was classified as critical, was found in Tuya arduino-TuyaOpen up to 1.2.0. Impacted is an unknown function of the component WiFiMulti. Executing a manipulation can lead to off-by-one. This vulnerability is handled as CVE-2026-28520. It is possible to launch the attack on the local host. There is not any exploit available. You should upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Tuya arduino-TuyaOpen up to 1.2.0. This issue affects some unknown processing of the component TuyaIoT. Performing a manipulation results in out-of-bounds read. This vulnerability is known as CVE-2026-28521. Attacking locally is a requirement. No exploit is available. It is advisable to upgrade the affected component.

A vulnerability classified as problematic was found in ZKTeco ZKBioSecurity 3.0.1.0_R_230. This vulnerability affects unknown code. Such manipulation leads to cross site scripting. This vulnerability is traded as CVE-2016-20027. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as critical has been found in Tuya arduino-TuyaOpen up to 1.2.0. This affects an unknown part of the component DnsServer. This manipulation causes heap-based buffer overflow. This vulnerability appears as CVE-2026-28519. The attacker needs to be present on the local network. There is no available exploit. It is recommended to upgrade the affected component.