Aggregator

Астрологи объявили неделю атак на цепочку поставок.

AI 漏洞挖掘开始交付"工程化结果" 从音频解码到工业 CAD，从车端 CAN 帧到企业 Java 中间件——这一次，AI 红队没有靠"灵感"。

AI 漏洞挖掘开始交付"工程化结果" 从音频解码到工业 CAD，从车端 CAN 帧到企业 Java 中间件——这一次，AI 红队没有靠"灵感"。

AI 漏洞挖掘开始交付"工程化结果" 从音频解码到工业 CAD，从车端 CAN 帧到企业 Java 中间件——这一次，AI 红队没有靠"灵感"。

Privilege Escalation Vulnerability in VMware Fusion Overview: A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in a SETUID binary operation within […]

The post Weekly Threat Landscape Digest – Week 20 appeared first on HawkEye.

In Your Biggest Security Risk Isn't Malware — It's What You Already Trust, we made a simple argument: the most dangerous activity inside most organizations no longer looks like an attack. It looks like administration. PowerShell, WMIC, netsh, Certutil, MSBuild — the same trusted utilities your IT team uses every day are also the preferred toolkit of modern threat actors. Bitdefender's analysis

OpenAI has disclosed that two of its employee devices in its corporate environment were impacted via the Mini Shai-Hulud supply chain attack on TanStack, but noted that no user data, production systems, or intellectual property were compromised or modified in an unauthorized manner. "Upon identification of the malicious activity, we worked quickly to investigate, contain, and take steps to

Helping a friend recover a stolen phone, Infoblox researchers uncovered a thriving Telegram-based underground marketplace selling unlocking tools and phishing infrastructure used to monetize stolen iPhones. Activation Lock can remotely disable a stolen iPhone and prevent normal resale, with owners also able to lock individual components. Even with those protections, more than 7.35 million iPhones are reportedly stolen each year in the United States alone. “A locked device is almost worthless on the black market, … More →

The post Thieves unlock stolen iPhones using cheap tools sold on Telegram appeared first on Help Net Security.

A vulnerability labeled as critical has been found in shabti Frontend Admin by DynamiApps Plugin up to 3.28.36 on WordPress. The affected element is the function feadmin_get_user_roles of the file wp-admin/post.php of the component Configuration Handler. Executing a manipulation of the argument role can lead to improper privilege management. This vulnerability is registered as CVE-2026-6228. It is possible to launch the attack remotely. No exploit is available.

A vulnerability described as critical has been identified in smartcatai Smartcat Translator for WPML Plugin up to 3.1.77 on WordPress. This affects an unknown function of the component Translation Service. The manipulation results in missing authorization. This vulnerability is reported as CVE-2026-4683. The attack can be launched remotely. No exploit exists.

A vulnerability classified as critical was found in webaways NEX-Forms Plugin up to 9.1.12 on WordPress. Affected is an unknown function. Such manipulation of the argument table leads to sql injection. This vulnerability is traded as CVE-2026-7046. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is advised.

A vulnerability was found in justinkruit Advanced Custom Fields Plugin up to 5.0.2 on WordPress and classified as problematic. This vulnerability affects the function update_preview. The manipulation results in cross site scripting. This vulnerability was named CVE-2026-6415. The attack may be performed from remote. There is no available exploit.

A vulnerability was found in pektsekye Notify Odoo Plugin up to 1.0.1 on WordPress. It has been classified as problematic. This issue affects the function _updateSettings of the component Setting Handler. This manipulation causes cross-site request forgery. The identification of this vulnerability is CVE-2026-8425. It is possible to initiate the attack remotely. There is no exploit available.

Новый стилер крадёт файлы, пароли и данные Telegram.

最大计算机科学预印本平台 arXiv 在 ChatGPT 普及之后论文投稿数量大幅增长，为了遏制低质量的 AI 生成论文，ArXiv 计算机科学委员会主席 Thomas G. Dietterich 在社交媒体上强调，ArXiv 的行为准则规定，每位作者一旦署名成为论文作者，即对其所有内容承担全部责任，无论这些内容是如何产生的。如果生成式 AI 工具生成了不恰当语言表达、抄袭的内容、有偏见的内容、错误、不正确的引用或误导性内容，且该输出被包含在论文中，则责任在于作者。如果提交的预印本包含有无可辩驳的证据表明作者没有检查大模型生成结果，那么论文中的任何内容都不再让人相信。对于发现存在此类问题的署名作者，他们面临的处罚是禁止在 arXiv 上发表论文一年，之后如果要在 arXiv 上发表论文则必须先被信誉良好的同行评审期刊接受。

ESET uncovered new Ghostwriter (aka FrostyNeighbor) activity targeting Ukrainian government organizations in a campaign active since March 2026. ESET researchers published a new report documenting fresh activity attributed to the APT group FrostyNeighbor, aka Ghostwriter, active since at least March 2026, targeting Ukrainian governmental organizations. The campaign is similar to previous FrostyNeighbor’s campaigns. The threat […]

Hackers are exploiting Outlook calendar invites and device code phishing to steal M365 session tokens, bypass MFA and breach enterprise accounts.

Linux内核（Linux Kernel）是一个开源的操作系统内核，它是Linux操作系统的核心组件，负责管理计算机的硬件资源，并提供了许多系统服务，如进程管理、内存管理、文件系统管理和设备驱动程序等。

2026年5月14日，深瞳漏洞实验室监测到一则Nginx组件存在缓冲区溢出漏洞的信息，漏洞编号：CVE-2026-42945，漏洞威胁等级：高危。

2026年5月15日，深瞳漏洞实验室监测到一则Palo Alto Networks PAN-OS组件存在绕过认证漏洞的信息，漏洞编号：CVE-2026-0265，漏洞威胁等级：高危。