Aggregator

A vulnerability, which was classified as critical, was found in OpenCart 4.1.0.3. This affects an unknown part of the file installer.php of the component Extension Installer Page. Executing a manipulation can lead to path traversal. The identification of this vulnerability is CVE-2026-5331. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, has been found in SourceCodester/mayuri_k Best Courier Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=delete_user of the component User Delete Handler. Performing a manipulation of the argument ID results in improper access controls. This vulnerability was named CVE-2026-5330. The attack may be initiated remotely. In addition, an exploit is available.

Submit #780814 / VDB-354665

Submit #780734 / VDB-354664

Google links the Axios npm supply chain attack to North Korean threat group UNC1069, targeting financial gain. Google has attributed the recent Axios npm supply chain compromise to a North Korean threat group tracked as UNC1069. The attack, aimed at financial gain, exploited the package to target developers and organizations relying on Axios. John Hultquist […]

Gitdwn靶机贴近真实生产环境，融合了多种常见的安全漏洞与配置隐患，涵盖前端加密逻辑、XML外部实体（XXE）、内网服务暴露、Git版本控制信息泄露等多个核心考点，既考验渗透测试人员的基础操作能力（如端口扫描、目录枚举、密码爆破），也要求具备一定的代码逆向、漏洞组合利用与细节挖掘思维。

A vulnerability classified as problematic was found in VertiGIS FM up to 10.13.402. Affected by this vulnerability is an unknown functionality. Such manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2026-3877. The attack can be launched remotely. No exploit exists. Upgrading the affected component is advised.

A vulnerability classified as critical has been found in VertiGIS FM up to 10.11.362. Affected is an unknown function. This manipulation causes externally controlled reference. This vulnerability is handled as CVE-2026-0522. The attack can be initiated remotely. There is not any exploit available. It is recommended to upgrade the affected component.

A vulnerability described as problematic has been identified in Corosync. This impacts an unknown function of the component UDP Packet Handler. The manipulation results in integer overflow. This vulnerability is known as CVE-2026-35092. It is possible to launch the attack remotely. No exploit is available.

A vulnerability marked as critical has been reported in Corosync. This affects an unknown function of the component UDP Packet Handler. The manipulation leads to incorrect check of function return value. This vulnerability is traded as CVE-2026-35091. It is possible to initiate the attack remotely. There is no exploit available. To fix this issue, it is recommended to deploy a patch.

A vulnerability labeled as critical has been found in shsuishang modulithshop up to 829bac71f507e84684c782b9b062b8bf3b5585d6. The impacted element is the function listItem of the file src/main/java/com/suisung/shopsuite/pt/service/impl/ProductIndexServiceImpl.java of the component ProductItemDao Interface. Executing a manipulation of the argument sidx/sort can lead to sql injection. This vulnerability appears as CVE-2026-5328. The attack may be performed from remote. In addition, an exploit is available. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. A patch should be applied to remediate this issue.

漏洞来源一个评分十分的严重漏洞漏洞描述SandboxJS 是一个 JavaScript 沙箱库。在 0.8.34 版本之前，可以获取包含 Function 数组，从而导致沙箱逃逸。如果拥有包含 Function 的数组和 Object.fromEntries，就可以构造 {[p]: Function}，其中 p 是任何可构造的属。此漏洞已在 0.8.34 版本中修复漏洞原理CVE-2026-269

Venom Stealer malware-as-a-service automates ClickFix social engineering, credential and crypto exfiltration

Submit #780789 / VDB-354659

Submit #780776 / VDB-354658

Exabeam has announced the expansion of Exabeam Agent Behavior Analytics (ABA). Without direct visibility into how employees use AI assistants, what they query, what data they share, how frequently they interact, and from where, organizations cannot establish a baseline for normal AI behavior, investigate potential misuse, or detect emerging agentic insider threats. New support to detect agent behavior in OpenAI ChatGPT and Microsoft Copilot, alongside existing visibility into Google Gemini, transforms these agentic services into … More →

The post Exabeam expands ABA to detect AI agent threats across ChatGPT, Copilot, and Gemini appeared first on Help Net Security.

Submit #780773 / VDB-354657

Submit #780766 / VDB-354656

随着 Claude Code 的普及，大量用户选择通过第三方中转站（API Proxy）来使用 Claude 模型。然而，中转站作为用户与官方 API 之间的中间层，天然具备篡改请求和响应的能力。本文将从上下文空间异常、模型造假、提示词投毒三个维度，揭示中转站可能存在的安全风险，并给出对应的检测方法。

Submit #780752 / VDB-354655