A vulnerability classified as problematic has been found in arnobt78 Hotel Booking Management System up to f8922d0e0f6ac1cc761974c7616f44c2bbc04bea. The impacted element is an unknown function of the file /api/health/detailed of the component Health Check Endpoint. Performing a manipulation results in information disclosure.
This vulnerability is known as CVE-2026-6492. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. It is suggested to use restrictive firewalling.
The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability described as problematic has been identified in libvips up to 8.18.2. The affected element is the function im_minpos_vec of the file libvips/deprecated/vips7compat.c of the component nip2 Handler. Such manipulation of the argument n leads to heap-based buffer overflow.
This vulnerability is traded as CVE-2026-6491. An attack has to be approached locally. Furthermore, there is an exploit available.
The vendor confirms that they will "be removing the deprecated area in libvips 8.19".
A vulnerability marked as critical has been reported in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. Impacted is an unknown function of the file admin/deletecourse.php of the component GET Request Parameter Handler. This manipulation of the argument ID causes SQL injection.
This vulnerability appears as CVE-2026-6490. The attack may be initiated remotely. In addition, an exploit is available.
This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available.
The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability labeled as critical has been found in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation of the argument image results in unrestricted upload.
This vulnerability is reported as CVE-2026-6489. The attack can be launched remotely. Moreover, an exploit is present.
This product does not use versioning. This is why information about affected and unaffected releases is unavailable.
The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability identified as critical has been detected in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This vulnerability affects unknown code of the file admin/editcourse.php of the component GET Request Parameter Handler. The manipulation of the argument ID leads to SQL injection.
This vulnerability is documented as CVE-2026-6488. The attack can be initiated remotely. Additionally, an exploit exists.
Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available.
The vendor was contacted early about this disclosure but did not respond in any way.
The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions.
"CVEs that do not meet those criteria will still be listed in the NVD but will not
23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts. [...]
A vulnerability categorized as critical has been discovered in unitecms Unlimited Elements for Elementor Plugin up to 2.0.6 on WordPress. This affects the function URLtoRelative/URLToPath of the component Setting Handler. Executing a manipulation of the argument URL can lead to path traversal.
This vulnerability is registered as CVE-2026-4659. It is possible to launch the attack remotely. No exploit is available.
A vulnerability was found in essentialplugin Accordion and Accordion Slider Plugin 1.4.6 on WordPress. It has been rated as critical. Affected by this issue is some unknown functionality. Performing a manipulation results in embedded malicious code.
This vulnerability is cataloged as CVE-2026-6443. It is possible to initiate the attack remotely. There is no exploit available.
A vulnerability was found in flightbycanto Canto Plugin up to 3.1.1 on WordPress. It has been declared as critical. Affected by this vulnerability is the function updateOptions of the file class-canto.php. Such manipulation leads to missing authorization.
This vulnerability is listed as CVE-2026-6441. The attack may be performed remotely. There is no available exploit.