Aggregator
A supernova exploded almost 70 years ago. Its remnant should have faded. It did not, and now it is flaring up again
New Yakit feature: Edit Binary makes invisible characters in upload packets controllable
Silver Fox Trojan: China Cracks Down on Cybercrime Cells Across Five Provinces
Chinese police have dismantled several cybercrime cells tied to a new variant of the Silver Fox Trojan. The Ministry of Public Security’s cybersecurity bureau announced the crackdown this week, describing a malware operation that...
The post Silver Fox Trojan: China Cracks Down on Cybercrime Cells Across Five Provinces appeared first on Information Security News.
Oracle June 2026 Critical Security Patch Update Addresses 243 CVEs (CVE-2026-35273)
Oracle addresses 243 CVEs in its June 2026 Critical Security Patch Update with 245 patches, including 122 critical updates.
Key Takeaways
- The June 2026 Critical Security Patch Update (CSPU) contains fixes for 243 unique CVEs in 245 security updates
- 122 issues (49.8% of all patches) were assigned a critical severity rating
- Oracle Fusion Middleware received the highest number of patches at 106, accounting for 43.3% of all patches
On June 16, Oracle released its Critical Security Patch Update (CSPU) for June 2026. Beginning in May 2026, Oracle introduced CSPUs as a monthly release cycle that sits between the larger quarterly Critical Patch Updates (CPUs), addressing a focused set of high-severity issues on a faster cadence. This CSPU contains fixes for 243 unique CVEs in 245 security updates across 11 Oracle product families. Out of the 245 security updates published, 49.8% of patches were assigned a critical severity. Critical severity patches accounted for the bulk of security patches at 49.8%, followed by high severity patches at 42.4%.
This month's update includes 122 critical patches across 122 CVEs.

| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 122 | 122 |
| High | 104 | 102 |
| Medium | 15 | 15 |
| Low | 4 | 4 |
| Total | 245 | 243 |

Analysis
This month's update saw the Oracle Fusion Middleware product family contain the highest number of patches at 106, accounting for 43.3% of the total patches, followed by Oracle E-Business Suite at 55 patches, which accounted for 22.4% of the total patches.
A full breakdown of the patches for this CSPU can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle Fusion Middleware | 106 | 53 |
| Oracle E-Business Suite | 55 | 6 |
| Oracle JD Edwards | 20 | 12 |
| Oracle Enterprise Manager | 16 | 6 |
| Oracle Siebel CRM | 12 | 7 |
| Oracle PeopleSoft | 11 | 7 |
| Oracle Virtualization | 10 | 0 |
| Oracle MySQL | 8 | 4 |
| Oracle Communications | 3 | 3 |
| Oracle Systems | 3 | 1 |
| Oracle Supply Chain | 1 | 1 |

Oracle PeopleSoft zero-day exploited
On June 10, Oracle published an out-of-band Security Alert Advisory for CVE-2026-35273, a remote code execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools. On June 11, researchers at Google Threat Intelligence Group (GTIG) and Mandiant published a blog post confirming that CVE-2026-35273 was exploited in the wild as a zero-day by the extortion group ShinyHunters (UNC6240). The campaign, which affected over 100 global organizations, primarily impacted organizations within the United States, 68% of which were in the higher education sector. Organizations are advised to apply the available patches as soon as possible.
Solution
Customers are advised to apply all relevant patches in this CSPU. Please refer to the June 2026 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Oracle Critical Security Patch Update Advisory - June 2026
- Oracle June 2026 Critical Security Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Steam Workshop Flaw Exploited to Distribute Malware via Wallpaper Engine
Even conventional digital distribution ecosystems can morph into potent vectors for infection when user-generated content is capable of executing arbitrary code. Malicious actors have recently exploited the Steam Workshop to proliferate malware disguised as...
The post Steam Workshop Flaw Exploited to Distribute Malware via Wallpaper Engine appeared first on Information Security News.
Microsoft Confirms RoguePlanet Zero-Day in Defender, Patch Under Development
SearchLeak: Microsoft 365 Copilot Flaw Let One Click Leak Enterprise Data
A single link to a trusted Microsoft domain could quietly turn Copilot into a data exfiltration tool. Varonis Threat Labs disclosed this flaw, naming it SearchLeak. The chain let an attacker steal emails, MFA...
The post SearchLeak: Microsoft 365 Copilot Flaw Let One Click Leak Enterprise Data appeared first on Information Security News.
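Cybersecurity Information and Trends Weekly Report, 2026 Issue 24 (June 8 - June 14)
[Vulnerability Advisory] Linux Kernel net/sched act_pedit Privilege Escalation Vulnerability (CVE-2026-46331)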
CVE-2026-55746 | Cotonti 1.0.0 modules/pfs/inc/pfs.main htmlspecialchars cross site scripting (EUVD-2026-37858)
CVE-2026-12102 | stiofansisland UsersWP Plugin up to 1.2.63 on WordPress User Registration user_id authorization (EUVD-2026-37860)
CVE-2026-12136 | phppoet SysBasics Customize My Account for WooCommerce Plugin Shortcode wcmamtx_get_avatar_default cross site scripting (EUVD-2026-37859)
CVE-2026-12137 | phppoet SysBasics Customize My Account for WooCommerce Plugin Admin Dashboard Page plugin_options_page cross site scripting (EUVD-2026-37861)
CVE-2026-12111 | codepeople Appointment Booking Calendar Plugin up to 1.4.01 on WordPress Query Parameter cpabc_appointments_calendar_load2 ID information disclosure (EUVD-2026-37864)
CVE-2026-11395 | mariovalney CF7 to Webhook Plugin up to 5.0.0 on WordPress Placeholder server-side request forgery (EUVD-2026-37863)
CVE-2026-12098 | blubrry PowerPress Podcasting plugin by Blubrry up to 11.16.8 on WordPress update_post_meta cross site scripting (EUVD-2026-37862)
JetBrains Malicious Plugins Steal Developer API Keys
Development acceleration tools increasingly gain access to our most precious professional secrets. Malicious plugin creators for the JetBrains Marketplace deliberately exploited this profound zone of trust. Recently, a comprehensive report detailed how multiple JetBrains...
The post JetBrains Malicious Plugins Steal Developer API Keys appeared first on Information Security News.
Google Vertex AI Vulnerability Exposed in Python SDK
Cloud machine learning platforms often conceal complex infrastructures behind a few lines of code. Unfortunately, this convenient automation created a dangerous vulnerability within the Google Vertex AI SDK for Python. Specialists from Palo Alto...
The post Google Vertex AI Vulnerability Exposed in Python SDK appeared first on Information Security News.