Aggregator

过去几个月惠普笔记本电脑用户通过论坛等报告在更新 BIOS 之后设备出现了问题，包括设备无法启动、风扇噪音异常以及蓝屏死机等等。一名移动工作站 ZBook Ultra G1a 的用户称更新 BIOS 之后设备在启动过程中卡住。受影响的产品包括 ZBook Ultra G1a，存在问题的 BIOS 版本号 01.04.03 和 01.04.05；EliteBook X G1a，存在问题的 BIOS 版本号 01.03.11 和 01.05.00。惠普表示它正对此展开调查，建议受影响的用户联系其技术支持团队。这不是第一次惠普设备因为存在问题的 BIOS 更新而导致设备故障。

A vulnerability was found in OutSystems Lifetime. It has been rated as problematic. Impacted is an unknown function. This manipulation causes authorization bypass. This vulnerability is handled as CVE-2026-40127. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised.

A vulnerability was found in Apache Airflow FAB provider up to 3.6.3. It has been declared as critical. This issue affects some unknown processing. The manipulation results in ldap injection. This vulnerability is known as CVE-2026-46745. It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component.

俄罗斯政府已推迟对使用 VPN 的移动互联网用户收费的计划。俄罗斯数字发展部在三月表示将打击 VPN 的使用。它最初要求移动网络运营商从 5 月 1 日起对每月国际数据流量超 15GB 的用户收费。但由于追踪 VPN 使用和计费方面存在困难，该期限已推迟至 6 月 1 日。该收费计划可能会再次被推迟，可能会在 9 月底国家杜马和地方选举之后实施。原因是一个功能完整的国际流量支付系统需要三到四个月才能建成。在这项政策推行前，俄罗斯的移动互联网频繁发生中断事件。

烧 token 在 YC 的语境里不是支出，是替代。

Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks. According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost's Content API that could allow an unauthenticated attacker to read arbitrary data from the

Раскрыта китайская кампания кибершпионажа, которая продолжается с 2019 года.

根据 PNAS 期刊上的一项研究，政治情绪的生理反应和日常经历的普通情绪不同。研究人员邀请近 1000 名美国参与者使用名为 emBODY 的身体映射工具，绘制出感受到的普通情绪和政治情绪的身体部位。研究发现，政治情绪有着独特的身体反应模式。举例来说，政治抑郁会引发身体更广泛、更强烈的感受，而非普通抑郁的麻木感。这意味着政治绝望会激励人行动而不是对一切漠然。政治厌恶感与普通厌恶感也不同。病原体引起的厌恶感如呕吐反应会在胃部和喉咙强烈感受到，而政治厌恶感则更像是愤怒。这意味着政治将厌恶感转化为一种更具道德感和愤怒感的情绪，改变了对政治厌恶感的思考方式。研究还发现不同意识形态的人体验的政治情绪存在差异。倾向于民主党的参与者相比倾向共和党的参与者，对愤怒、焦虑、抑郁和厌恶等负面政治情绪的身体感受更为强烈。

Name: DEF CON CTF Qualifier 2026 (an DEF CON CTF Qualifier event.)
Date: May 22, 2026, 9 p.m. — 24 May 2026, 21:00 UTC  [add to calendar]
Format: Jeopardy
On-line
Offical URL: https://bbbirds.org/
Rating weight: 63.22
Event organizers: Benevolent Bureau of Birds

A vulnerability was found in Edimax BR-6478AC 1.23. It has been rated as critical. Affected by this issue is the function formiNICbasic of the file /goform/formiNICbasic of the component POST Request Handler. Performing a manipulation of the argument rootAPmac results in command injection. This vulnerability is identified as CVE-2026-9441. The attack can be initiated remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability categorized as critical has been discovered in Edimax BR-6478AC 1.23. This affects the function formiNICSiteSurvey of the file /goform/formiNICSiteSurvey of the component POST Request Handler. Executing a manipulation of the argument selSSID can lead to buffer overflow. This vulnerability is tracked as CVE-2026-9442. The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability identified as critical has been detected in Edimax BR-6478AC 1.23. This vulnerability affects the function formL2TPSetup of the file /goform/formL2TPSetup of the component POST Request Handler. The manipulation of the argument L2TPUserName leads to buffer overflow. This vulnerability is listed as CVE-2026-9443. The attack may be initiated remotely. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in rust-lang Cargo up to 1.95.x and classified as problematic. This affects an unknown part. Executing a manipulation can lead to use of non-canonical url paths for authorization decisions. This vulnerability appears as CVE-2026-5222. The attack may be performed from remote. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability labeled as critical has been found in SourceCodester Simple POS and Inventory System 1.0. This issue affects the function delete of the file /admin/deleteproduct.php of the component GET Parameter Handler. The manipulation of the argument ID results in sql injection. This vulnerability is cataloged as CVE-2026-9444. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability marked as critical has been reported in SourceCodester Simple POS and Inventory System 1.0. Impacted is an unknown function of the file /admin/addproduct.php of the component File Extension Handler. This manipulation of the argument image causes unrestricted upload. This vulnerability is registered as CVE-2026-9445. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability has been found in rust-lang Cargo up to 1.95.x and classified as critical. Affected by this issue is some unknown functionality. Performing a manipulation results in symlink following. This vulnerability is reported as CVE-2026-5223. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded.

A vulnerability was found in CP Plus CP-E38Q, CP-E48Q, CP-E25Q, CP-E35Q, CP-E45Q, CP-E28Q, CP-E21Q, CP-E31Q, CP-E41Q, CP-E24Q, CP-Z43Q, CP-E34Q, CP-E44Q, CP-T31Q, CP-V48Q, CP-V41Q and CP-Z45Q. It has been classified as problematic. This vulnerability affects unknown code of the component UART Interface. The manipulation leads to cleartext storage of sensitive information. This vulnerability is traded as CVE-2026-9274. It is possible to launch the attack on the physical device. There is no exploit available.