Aggregator

A vulnerability labeled as critical has been found in Oracle Java SE, GraalVM for JDK and GraalVM Enterprise Edition. Affected is an unknown function. Such manipulation leads to Remote Code Execution. This vulnerability is traded as CVE-2026-21933. The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.

A vulnerability was found in Oracle Java SE, GraalVM for JDK and GraalVM Enterprise Edition. It has been rated as critical. The impacted element is an unknown function of the component RMI. The manipulation leads to improper authentication. This vulnerability is documented as CVE-2026-21925. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised.

GLP-1 减肥药如 Ozempic 正在重塑食品行业，改变了数百万人的生活。它还给航空公司带来了意想不到的好处：降低燃油成本，因为乘客体重的下降也降低了飞机的载重。根据 Jefferies 的一项研究，受益于 GLP-1 减肥药，美国四大航空公司——美国航空、达美航空、西南航空和联合航空——每年可节省高达 5.8 亿美元的燃油成本。根据健康研究组织 KFF 去年 11 月发布的调查，八分之一美国成年人表示在服用 GLP-1。燃油是航空公司最大的支出之一。乘客体重下降带来的燃油成本节省占总成本的 1.5%。投资者也可能从中受益：研究人员估计，飞机重量减轻 2% 可使每股收益提高约 4%。

HackerNews 编译，转载请注明出处：  苹果核心合作代工厂立讯精密，负责苹果手机、耳机、手表及头显设备的组装业务，据称已遭遇某勒索软件犯罪集团发起的网络攻击。黑客威胁，若立讯精密拒绝支付赎金，就将外泄苹果、英伟达及 LG等企业的机密数据。 据称，立讯精密的数据泄露事件发生于上月，黑客声称在2025年12月15日就已将这家苹果核心合作伙伴的相关数据加密。此次攻击的疑似发起者 —— 黑客组织RansomHub，已在其暗网论坛上公开了这起数据泄露事件。 立讯精密是苹果公司的重要合作伙伴。包括iPhone、AirPods、Apple Watch在内的多款苹果产品均由立讯精密负责组装，这意味着该公司掌握着苹果产品大量核心机密信息。 黑客在暗网中宣称：“我们已经等了贵公司很久，但贵公司的信息技术部门似乎打算隐瞒这场安全事故。我们强烈建议贵公司尽快与我们取得联系，以免贵公司的机密数据和项目文件遭到外泄。” 黑客发布立讯精密数据泄露声明的截图图片 图源：Cybernews 立讯精密数据泄露事件泄露了哪些信息？ Cybernews 的研究团队对黑客在帖文中附带的数据样本展开了调查分析。 该团队证实，泄露数据中包含苹果与立讯精密合作的设备维修及物流运输等机密项目的详细信息，涵盖项目时间规划、具体流程，以及立讯精密其他客户的相关资料。 此外，泄露信息中还包含参与特定项目的员工个人身份信息，涉及员工姓名、职位及工作邮箱等敏感内容。 苹果与立讯精密合作项目的疑似机密信息截图图片 图源：Cybernews 网站 研究团队进一步解释道：“这些项目的时间跨度从2019 年至2025年，相关信息涉及企业高度敏感的商业运营内容。此外，数据中还包含 .dwg和Gerber文件，这些文件通常用于创建产品模型设计。” 尽管立讯精密的数据泄露事件尚未得到官方证实，但研究团队认为，黑客在帖文中公布的信息真实性较高。 参与苹果项目的立讯精密员工疑似信息截图 图源：Cybernews 攻击者声称掌握的数据内容 RansomHub声称其已广泛访问立讯精密客户的机密数据，被盗数据涵盖从3D产品模型到电路板设计资料，这些都是企业间谍高度觊觎的信息。 据攻击者称，他们掌握的档案包括： 机密3D CAD产品模型、3D工程设计数据与工程文档 Parasolid产品的高精度几何数据 用于制造的2D组件图纸 机械部件图纸 PDF格式的机密工程图 电子设计文档 电气与布局架构数据 印刷电路板制造数据 攻击者宣称：“这些档案包含来自 苹果、英伟达，以及 LG、吉利、特斯拉等多家大型公司的数据，这些公司的生产和研发信息均受保密协议保护。” 一旦此事得到证实，这场攻击对立讯精密及其合作企业而言，都将是一场灾难。 一方面，黑客可能将窃取的数据出售给竞争对手，后者可借助这些资料反向研发产品，省去数年的研发投入，甚至制造仿冒产品。 另一方面，此次事件还将引发严重的网络安全隐患。黑客可通过这些数据精准找出设备的硬件漏洞、芯片位置及供电系统信息，进而针对性地攻击设备固件，或发起供应链攻击。 消息来源：cybernews； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in theupdateframework go-tuf up to 2.3.0. It has been declared as problematic. This affects an unknown part. Such manipulation leads to improper verification of cryptographic signature. This vulnerability is listed as CVE-2026-23992. The attack may be performed from remote. There is no available exploit. It is recommended to upgrade the affected component.

A vulnerability was found in appsmithorg appsmith up to 1.94. It has been classified as critical. Affected by this issue is some unknown functionality of the file /api/v1/actions/execute. This manipulation causes missing authorization. This vulnerability is tracked as CVE-2026-24042. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability was found in horilla-opensource horilla up to 1.4.x and classified as critical. Affected by this vulnerability is an unknown functionality of the component Approval Endpoint. The manipulation results in improper access controls. This vulnerability is identified as CVE-2026-24039. The attack can be executed remotely. There is not any exploit available. It is suggested to upgrade the affected component.

A vulnerability has been found in horilla-opensource horilla up to 1.4.x and classified as critical. Affected is an unknown function of the file /recruitment/recruitment-details/ of the component Job Posting Handler. The manipulation leads to improper access controls. This vulnerability is referenced as CVE-2026-24036. Remote exploitation of the attack is possible. No exploit is available. The affected component should be upgraded.

A vulnerability, which was classified as critical, was found in Mastodon up to 4.3.17/4.4.11/4.5.4. This impacts an unknown function of the component Web Push Subscription Update Endpoint. Executing a manipulation can lead to incorrect authorization. The identification of this vulnerability is CVE-2026-23964. The attack may be launched remotely. There is no exploit available. You should upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Altium Designer up to 25.1. This affects an unknown function. Performing a manipulation results in improper certificate validation. This vulnerability was named CVE-2025-27377. The attack may be initiated remotely. There is no available exploit.

A vulnerability classified as critical was found in Langfuse up to 3.146.x. The impacted element is an unknown function of the file /api/public/slack/install of the component Slack. Such manipulation leads to improper access controls. This vulnerability is uniquely identified as CVE-2026-24055. The attack can be launched remotely. No exploit exists. Upgrading the affected component is advised.

A vulnerability classified as problematic has been found in Mastodon up to 4.3.17/4.4.11/4.5.4. The affected element is an unknown function. This manipulation causes incorrect authorization. This vulnerability is handled as CVE-2026-23961. The attack can be initiated remotely. There is not any exploit available. It is recommended to upgrade the affected component.

A vulnerability described as critical has been identified in horilla-opensource horilla up to 1.4.x. Impacted is an unknown function of the component OTP Handler. The manipulation results in improper authentication. This vulnerability is known as CVE-2026-24038. It is possible to launch the attack remotely. No exploit is available. Upgrading the affected component is recommended.

A vulnerability marked as problematic has been reported in CoreShop up to 4.1.8. This issue affects the function CustomerTransformerController of the component Admin Panel. The manipulation leads to sql injection hibernate. This vulnerability is traded as CVE-2026-23959. It is possible to initiate the attack remotely. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability labeled as critical has been found in horilla-opensource horilla up to 1.4.x. This vulnerability affects unknown code. Executing a manipulation of the argument employee_id can lead to improper access controls. This vulnerability appears as CVE-2026-24035. The attack may be performed from remote. There is no available exploit. The affected component should be upgraded.

A vulnerability identified as problematic has been detected in Mastodon up to 4.3.17/4.4.11/4.5.4. This affects an unknown part of the component Poll Option Handler. Performing a manipulation results in allocation of resources. This vulnerability is reported as CVE-2026-23962. The attack is possible to be carried out remotely. No exploit exists. You should upgrade the affected component.

A vulnerability categorized as critical has been discovered in openCryptoki 2.3.2 on Linux/AIX. Affected by this issue is some unknown functionality. Such manipulation leads to link following. This vulnerability is documented as CVE-2026-23893. The attack needs to be performed locally. There is not any exploit available. It is advisable to upgrade the affected component.

A vulnerability was found in gristlabs grist-core up to 1.7.8. It has been rated as problematic. Affected by this vulnerability is an unknown functionality. This manipulation of the argument GRIST_SANDBOX_FLAVOR causes injection. This vulnerability is registered as CVE-2026-24002. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is advised.

A vulnerability was found in pypa wheel up to 0.46.1. It has been declared as critical. Affected is an unknown function of the component File Handler. The manipulation results in path traversal. This vulnerability is cataloged as CVE-2026-24049. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.