Aggregator

2026年6月4日，Check Point Research 在发现异常活动迹象后启动调查，确认 CVE-2026-50751 已在野遭到积极利用。该漏洞为远程访问 VPN 和移动访问（Mobile Access）组件中已弃用 IKEv1 密钥交换协议下的身份验证绕过缺陷，CVSS 评分 9.3（Critical）。

Currently trending CVE - Hype Score: 7 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default ...

Currently trending CVE - Hype Score: 7 - Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.  In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able ...

Currently trending CVE - Hype Score: 7 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery ...

Currently trending CVE - Hype Score: 7 - The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.

Currently trending CVE - Hype Score: 7 - Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.

Currently trending CVE - Hype Score: 7 - Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, ...

Currently trending CVE - Hype Score: 7 - In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the ...

Currently trending CVE - Hype Score: 7 - Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy ...

Currently trending CVE - Hype Score: 7 - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the ...

Currently trending CVE - Hype Score: 7 - A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček ...

The Apache Software Foundation released Apache HTTP Server version 2.4.68 on June 8, 2026, addressing 13 security vulnerabilities spanning multiple modules. The patched flaws include use-after-free conditions, cross-site scripting, heap-based buffer overflows, denial-of-service, privilege escalation, and out-of-bounds read issues affecting all versions from 2.4.0 through 2.4.67. Administrators running any prior release are strongly urged to […]

The post Apache HTTP Server 2.4.68 Released With Fix For Use-After-Free, DoS, XSS, and Buffer Overflow Flaws appeared first on Cyber Security News.

原域名已变更且将在2024年彻底废弃，请访问 https://govuln.com/news/ 查看新的RSS订阅

株式会社アルコムが提供するCamViewのインストーラにはDLL読み込みに関する脆弱性が存在します。

An autonomous security agent uncovered 21 zero-day vulnerabilities in FFmpeg, the world’s most widely deployed media processing library, including a critical RCE-capable heap buffer overflow reachable with a single 183-byte network packet. FFmpeg quietly powers media processing across browsers, streaming platforms, surveillance systems, and cloud infrastructure, making it one of the most security-critical open-source libraries. […]

The post 21 0-Day Vulnerabilities in FFmpeg Enables Remote Code Execution Attacks appeared first on Cyber Security News.

Even a mundane feedback form can morph into an initial attack vector. This transition occurs when a data handler executes submitted text as code. Specifically, adversaries are actively exploiting a critical vulnerability designated as...

The post Remote Code Execution: Critical Flaw in Everest Forms Pro Enables WordPress Invasions appeared first on Information Security News.

An elderly couple in Antwerp, Belgium, suffered a devastating loss of €50,000. Specifically, an impostor masqueraded as a banking official. He seamlessly manipulated the spouses into transferring their funds to an alleged “secure” account....

The post Judicial Paradigm Shift: Belgian Court Orders Bank to Reimburse Phishing Victims appeared first on Information Security News.

An Application Programming Interface description file might seem like an ordinary technical detail. However, for malicious actors, this file often serves as an elegant map of an external service. The Mechanics of API Exposure...

The post Architectural Blueprints: The Security Risks of Exposed Swagger Specifications appeared first on Information Security News.

A new wave of the Shai-Hulud supply chain campaign, adding 23 newly discovered malicious PyPI package-version artifacts to an already alarming operation that previously compromised 37 packages. The broader campaign identified by the Socket Threat Research team, tracked across the Mini Shai-Hulud, Miasma, and Hades threat clusters, now spans 471 total artifacts across npm and PyPI, comprising […]

The post New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers appeared first on Cyber Security News.

Cyber-extortionists increasingly eschew complex digital intrusions. Instead, they initiate malicious campaigns through conventional voice dialogues. Fraudsters smoothly convince employees that they are speaking with internal IT personnel. Subsequently, they manipulate targets into submitting authentication...

The post Vocal Deception: The Pink Extortion Syndicate Weaponizes Social Engineering appeared first on Information Security News.