Aggregator

A vulnerability described as critical has been identified in raine consult-llm-mcp up to 2.5.3. Affected by this vulnerability is the function child_process.execSync of the file src/server.ts. The manipulation of the argument git_diff.base_ref/git_diff.files results in os command injection. This vulnerability is identified as CVE-2026-5125. The attack is only possible with local access. Additionally, an exploit exists. Upgrading the affected component is recommended.

好的，我现在需要帮用户总结一篇文章的内容，控制在100字以内。用户提供了文章的标题和一些内容片段，看起来这篇文章是关于Obyte的“无中间人账本”的故事。 首先，我需要确定文章的主要主题。标题提到“无中间人”，这可能是指区块链技术或去中心化账本。接着，内容中提到了Obyte、加密货币、挖矿、投资等关键词，说明这篇文章可能是在讨论区块链技术的应用和优势。 接下来，我要提取关键信息。文章可能介绍了Obyte项目的特点，比如去中心化、无需信任的特性，以及它如何改变传统金融模式。此外，可能还提到了加密货币的趋势和投资机会。 然后，我需要将这些信息浓缩成一个简洁的句子。要确保涵盖主要点：无中间人账本、去中心化、无需信任机制、以及对金融模式的影响。 最后，检查字数是否在限制内，并确保语言流畅自然。 文章探讨了Obyte项目如何通过去中心化账本技术实现无中间人交易，强调其在加密货币和区块链领域的创新应用与潜力。

A vulnerability marked as problematic has been reported in osrg GoBGP up to 4.3.0. Affected is the function BGPHeader.DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP Header Handler. The manipulation leads to improper access controls. This vulnerability is referenced as CVE-2026-5124. Remote exploitation of the attack is possible. No exploit is available. To fix this issue, it is recommended to deploy a patch.

A vulnerability labeled as problematic has been found in osrg GoBGP up to 4.3.0. This impacts the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go. Executing a manipulation of the argument data[1] can lead to off-by-one. The identification of this vulnerability is CVE-2026-5123. The attack may be launched remotely. There is no exploit available. A patch should be applied to remediate this issue.

Submit #780154 / VDB-354157

A vulnerability identified as problematic has been detected in osrg GoBGP up to 4.3.0. This affects the function DecodeFromBytes of the file pkg/packet/bgp/bgp.go of the component BGP OPEN Message Handler. Performing a manipulation of the argument domainNameLen results in improper access controls. This vulnerability was named CVE-2026-5122. The attack may be initiated remotely. There is no available exploit. It is suggested to install a patch to address this issue.

Submit #780189 / VDB-354156

Submit #780179 / VDB-354155

Infinity Stealer targets macOS via fake Cloudflare CAPTCHA, using Nuitka; first such campaign per Malwarebytes. Researchers at Malwarebytes spotted a new macOS infostealer, named Infinity Stealer, using a Python payload compiled with Nuitka. It spreads via ClickFix, tricking users with fake Cloudflare CAPTCHA pages. “A fake verification page instructs the visitor to open Terminal, paste […]

好的，我现在需要帮用户总结一篇关于新macOS恶意软件的文章，控制在100字以内。首先，我得通读整篇文章，抓住关键点。 文章主要讲的是Infinity Stealer，这是一个针对macOS的恶意软件。它通过伪造的Cloudflare验证码页面传播，诱导用户在终端执行命令。这个命令会下载一个Bash脚本，进而加载用Nuitka编译的Python有效载荷。 这个有效载荷会窃取浏览器凭证、Keychain条目、加密钱包信息等，并通过HTTP外发数据。它还能检测分析环境，增加随机延迟以逃避检测。最后，它会通过Telegram通知操作者，并将凭证排队进行服务器端破解。 总结时，我需要涵盖传播方式、技术手段、窃取的数据类型以及防护建议。同时，要确保语言简洁明了，不超过100字。 现在开始组织语言：Infinity Stealer通过伪造Cloudflare验证码诱导用户执行终端命令，下载Bash脚本和Nuitka编译的有效载荷。该载荷窃取多种数据并通过HTTP外传。建议用户避免执行可疑命令，并使用杀毒软件扫描。 新macOS恶意软件Infinity Stealer通过伪造Cloudflare验证码诱骗用户执行终端命令，下载Bash脚本并运行Nuitka编译的有效载荷，窃取浏览器凭证、Keychain数据等信息并通过HTTP外传。建议避免执行可疑命令并使用杀毒软件扫描设备。

A vulnerability categorized as critical has been discovered in WAGO Device Sphere and Solution Builder up to 1.2.1. The impacted element is an unknown function. Such manipulation leads to improper filtering of special elements. This vulnerability is uniquely identified as CVE-2026-2328. The attack can be launched remotely. No exploit exists. It is advisable to upgrade the affected component.

嗯，用户让我帮忙总结一篇文章，控制在100字以内，而且不需要用“文章内容总结”这样的开头。首先，我需要仔细阅读这篇文章，理解它的主要内容和重点。 文章主要讲的是现代家庭开始使用互联网连接的设备，比如摄像头、扬声器、锁和路由器。但是随着技术的发展，智能家庭被入侵的风险也在增加。研究发现，政府提供的网络安全指导大多集中在预防措施上，比如如何保护设备、加强密码、更新固件等，但在遭受攻击后如何恢复的指导非常有限。 特别是法国和新加坡提供了结构化的恢复步骤，但其他国家在这方面做得不够。研究还指出，用户在遭受攻击后往往缺乏实用的指导，只能依靠有限的资源来应对。 接下来，我需要将这些信息浓缩到100字以内。要抓住重点：智能设备普及带来的安全风险、政府指导侧重预防、恢复指导不足以及建议改进的地方。 最后，确保语言简洁明了，直接描述文章内容。 现代家庭采用智能设备增多，但安全风险也随之增加。研究发现政府指导多侧重预防措施，如保护设备和加强密码等，在遭受攻击后的恢复指导有限。法国和新加坡提供结构化恢复步骤，但其他国家缺乏此类支持。研究建议政府应提供更多具体恢复指南以帮助用户应对攻击。

Attackers are now actively exploiting a critical vulnerability in Fortinet's FortiClient EMS platform, according to threat intelligence company Defused. [...]

Submit #780124 / VDB-354154

For many users, engaging with an AI assistant requires opening a dedicated browser tab, which inherently isolates the AI from other browsing activities. While this separation improves privacy, it reduces usefulness and context. To bridge this gap, AI-powered browser extensions have surged in popularity, allowing AI agents to seamlessly interact with emails, corporate portals, and […]

The post New “Prompt Poaching” Attack Steals Users’ AI Conversations via Malicious Browser Extensions appeared first on Cyber Security News.

A vulnerability was found in GNOME libsoup. It has been rated as problematic. The affected element is an unknown function of the component HTTP Proxy Handler. This manipulation causes cleartext transmission of sensitive information. This vulnerability is handled as CVE-2026-5119. The attack can be initiated remotely. There is not any exploit available.

A vulnerability was found in MLflow up to 3.8.1. It has been declared as critical. Impacted is the function _install_model_dependencies_to_env of the component Model Handler. The manipulation results in command injection. This vulnerability is known as CVE-2025-15379. It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability was found in tinyproxy up to 1.11.3. It has been classified as problematic. This issue affects the function strtol of the component Chunk Handler. The manipulation leads to integer overflow. This vulnerability is traded as CVE-2026-3945. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is recommended.

EvilMist is a collection of scripts and utilities designed to support cloud security configuration audit, cloud penetration testing

The post EvilMist: The Ultimate Swiss Army Knife for Azure and Entra ID Red Teaming appeared first on Penetration Testing Tools.

Исследование DLBI охватило 6,6 млрд паролей из утечек — из них 509 млн новых, появившихся в 2025 году.