Aggregator

Исправить положение дел быстро не выйдет, и на это есть причины.

Submit #808040 / VDB-361841

Submit #808039 / VDB-361840

Submit #808038 / VDB-361839

A vulnerability was found in OSGeo gdal up to 3.13.0dev-4. It has been rated as problematic. This vulnerability affects the function memmove of the file frmts/hdf4/hdf-eos/SWapi.c of the component HDF-EOS Grid File Handler. This manipulation causes out-of-bounds read. This vulnerability is tracked as CVE-2026-8084. The attack is restricted to local execution. Moreover, an exploit is present. Upgrading the affected component is advised.

Submit #808034 / VDB-361838

A vulnerability was found in SourceCodester Pharmacy Sales and Inventory System 1.0. It has been declared as critical. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation of the argument ID results in sql injection. This vulnerability is identified as CVE-2026-8083. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability was found in router-for-me CLIProxyAPI 6.9.29. It has been classified as critical. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API Interface. The manipulation of the argument url leads to server-side request forgery. This vulnerability is referenced as CVE-2026-8081. Remote exploitation of the attack is possible. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #807848 / VDB-361837

Submit #807811 / VDB-361836

A 20-year-old California man was sentenced to 78 months in prison for serving as a home invader and money launderer in a criminal ring that stole over $250 million in cryptocurrency. [...]

Stop pausing your SOC. Learn how LetsDefend and HTB turn downtime into high-impact learning for continuous readiness without sacrificing operational coverage.

Ни один тренинг по кибербезопасности не учит, что делать, когда письмо выглядит как реальный разнос от начальства.

Modern attacks don't stop at initial compromise. This webinar explores why security and recovery must work together to reduce downtime and improve resilience. [...]

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2026-6973 Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability 

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

Cybersecurity researcher Alexander Hanff claims that Google Chrome automatically installs a 4GB Gemini Nano AI model without user notification or consent.

银狐木马变种借仿冒Hello GPT翻译器网站投毒，采用“近白利用”（篡改合法签名程序）与“非PE载荷”技术，通过MFC消息回调劫持执行流，最终注入系统进程实现驻留与远程控制。

A vulnerability was found in Free5GC and classified as problematic. Affected by this vulnerability is an unknown functionality of the file internal/sbi/api_subscriberdatamanagement.go of the component Error Message Handler. Executing a manipulation can lead to information disclosure. The identification of this vulnerability is CVE-2026-42459. The attack may be launched remotely. There is no exploit available.

A vulnerability has been found in gotenberg 8.1.0/8.31.0 and classified as critical. Affected is the function downloadFrom/webhook. Performing a manipulation results in server-side request forgery. This vulnerability was named CVE-2026-42596. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.

A vulnerability, which was classified as problematic, was found in vm2 up to 3.10.5. This impacts an unknown function. Such manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2026-44001. The attack can be launched remotely. No exploit exists. You should upgrade the affected component.