Aggregator

A vulnerability has been found in OpenBMB XAgent up to 1.0.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /conv/community. The manipulation leads to path traversal. This vulnerability is known as CVE-2025-6281. The attack needs to be approached within the local network. Furthermore, there is an exploit available.

A vulnerability was found in WP-FeedStats tarteaucitron.io Plugin up to 1.9.4 on WordPress. It has been rated as problematic. This issue affects some unknown processing of the component Query Parameter Handler. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2025-4955. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

Пока вы ждёте созвона, чужие руки копаются в ваших файлах.

Linux 新闻网站 Phoronix 在一台配备了 AMD Ryzen 9 9950X 的 Ubuntu Linux 系统上测试了 Firefox 120 到 Firefox 141 Beta 的性能。Firefox 差不多一个月发布一个新版本，Firefox 120 是在 2023 年 11 月发布的，而 Firefox 最新正式版本是 Firefox 140，141 还是 Beta 状态。结果显示，Firefox 141 Beta 平均比 Firefox 120 快约 12%，内存占用也更低。Mozilla 还是在努力改进浏览器的。

Google has once again drawn the attention of cybersecurity experts following its implementation of a new user data protection mechanism in the Chrome browser—AppBound Cookie Encryption. Although the initiative reflects an ambitious stride toward...

The post Chrome Cookie Encryption Bypassed: “C4 Attack” Exploits Padding Oracle to Steal Cookies appeared first on Penetration Testing Tools.

GitPhish is an open-source security research tool built to replicate GitHub’s device code authentication flow. It features three core operating modes: an authentication server, automated landing page deployment, and an administrative management interface. GitPhish can be accessed via a command-line interface or a web dashboard, offering comprehensive features such as logging, analytics, and token management. “We designed GitPhish explicitly for security teams looking to conduct assessments and build detection capabilities around Device Code Phishing in … More →

The post GitPhish: Open-source GitHub device code flow security assessment tool appeared first on Help Net Security.

StealthCores launched StealthMACsec, a comprehensive IEEE 802.1AE compliant MACsec engine that brings advanced side-channel countermeasures to Ethernet network security. Building on the proven security foundation of StealthAES, StealthMACsec delivers line-rate processing up to 10 Gbps on FPGA and even faster on ASIC while maintaining the highest levels of protection against sophisticated attacks. As Ethernet networks become increasingly critical to defense, industrial, and embedded systems, the need for link-layer security has never been greater. StealthMACsec addresses … More →

The post StealthMACsec strengthens Ethernet network security appeared first on Help Net Security.

生成式AI不是取代网络安全分析师的“银弹”

Каждая инструкция звучит убедительно, пока жертва не сталкивается с последствиями.

外设制造商称，任天堂使用新的加密方案有意锁定了 Switch 2 的 USB-C 端口，阻止第三方扩展坞和外设与之兼容。因抢先推出 Steam Deck 扩展坞而名声大振的 Jsaux 表示，因任天堂的行动该公司暂停了制造 Switch 2 扩展坞的计划。

A vulnerability, which was classified as problematic, was found in ThickBox JavaScript Library Plugin up to 3.1 on WordPress. Affected is an unknown function. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2025-2537. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in prettyPhoto Library Plugin up to 3.1.6. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2025-2540. The attack may be initiated remotely. There is no exploit available.

A vulnerability classified as problematic was found in Magnific Popups Library Plugin up to 1.1.0. This vulnerability affects unknown code. The manipulation leads to cross site scripting. This vulnerability was named CVE-2024-5647. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Migration, Backup, Staging Plugin up to 0.9.116 on WordPress. This affects the function wpvivid_upload_import_files. The manipulation leads to unrestricted upload. This vulnerability is uniquely identified as CVE-2025-5961. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in JKDEVKIT Plugin up to 1.9.4 on WordPress. It has been rated as problematic. Affected by this issue is the function font_upload_handler. The manipulation leads to denial of service. This vulnerability is handled as CVE-2025-2932. The attack may be launched remotely. There is no exploit available.

In this Help Net Security interview, Henry Jiang, CISO at Ensora Health, discusses what it really takes to make DevSecOps work in healthcare. He explains how balancing speed and security isn’t easy and why aligning with regulations is key. Jiang also shares tips on working with engineering teams and how automation helps in DevSecOps. In a heavily regulated industry like healthcare, what specific challenges do CISOs encounter when integrating security into DevOps workflows? In healthcare, … More →

The post Healthcare CISOs must secure more than what’s regulated appeared first on Help Net Security.

在数字经济高速发展的今天，互联网行业的安全需求正在发生深刻变革。随着业务形态向云端迁移、数据要素价值凸显、新型交互模式涌现，行业面临着APT攻击精准化、数据泄露规模化、业务欺诈智能化等新型威胁。安全防护的重心已从基础设施保护，转向数据资产全生命周期管理和业务风险动态管控。 嘶吼安全产业研究院基于《2025网络安全产业图谱》调研，通过对400+典型解决方案与案例的深度分析，从需求匹配度、实践成效、创新技术、应用价值等多维度展开综合评估。 调研分析发现，互联网行业安全建设呈现新趋势。防护理念升级：从单点防御到构建覆盖研发、运营、风控的全流程安全体系，实现安全能力与业务发展的同步规划。技术架构演进：云原生安全、隐私增强计算、智能风控引擎等技术正在重塑互联网安全防护体系。运营模式创新：自动化安全运维、威胁情报共享、红蓝对抗常态化等实践显著提升安全运营效率。 基于这些发现，我们将重点展示几个具有代表性的互联网行业优秀安全解决方案，为互联网行业的安全建设提供可借鉴的实践经验。 PS：解决方案展示排名不分先后，按企业简称首字母排序。 往期回顾： 2025中国网络安全「政务行业」优秀解决方案汇编 2025中国网络安全「金融行业」优秀解决方案汇编 2025中国网络安全「能源行业」优秀解决方案汇编 2025中国网络安全「制造行业」优秀解决方案汇编 2025中国网络安全「电力（水利）行业」优秀解决方案汇编

当前环境出现异常状态，需完成验证操作后方能继续访问服务。

在 GPLv3 发布 18 年、GPLv2 发布 34 年之际，已经停滞很久的 Copyleft-next 项目宣布重新启动。该项目旨在开发下一代 Copyleft 许可证。项目发起人表示 FOSS 需要新方法强化 copyleft。Richard Fontana 和 Bradley Kuhn 担任项目的联合主编，他们都参与过 Drafting Committees of GPLv3，从中汲取了很多教训，Software Freedom Conservancy(SFC)将为该项目提供资源并托管该项目。

СICADA8 запускает платформу нового поколения для контроля безопасности компонентов разработки.