Aggregator

Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

1 week 5 days ago

A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps. Any other app on the same phone could ask for the signed-in user's token and get it, then read email, open files, browse the calendar, and send messages as that user. No password, no login screen, no permission prompt.

The Hacker News

Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises

Cyber Security News

1 week 5 days ago

A stealthy new threat is quietly making its way through US businesses, and most traditional security tools are completely missing it. Researchers have uncovered a previously unknown piece of malware that disguises itself as an everyday business document — a purchase order, a quote, or a request for proposal. Once an unsuspecting employee opens the […]

The post Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises appeared first on Cyber Security News.

Tushar Subhra Dutta

CVE-2026-47324 | ProjectsAndPrograms school-management-system cross site scripting (6b6fae5)

VulDB Recent Entries

1 week 5 days ago

A vulnerability was found in ProjectsAndPrograms school-management-system and classified as problematic. This affects an unknown function. Executing a manipulation can lead to cross site scripting. The identification of this vulnerability is CVE-2026-47324. The attack may be launched remotely. There is no exploit available. It is best practice to apply a patch to resolve this issue.

vuldb.com

CVE-2026-44546 | djangoproject daphne up to 4.2.1 Websocket Handshake splitlines request smuggling

VulDB Recent Entries

1 week 5 days ago

A vulnerability has been found in djangoproject daphne up to 4.2.1 and classified as problematic. The impacted element is the function splitlines of the component Websocket Handshake Handler. Performing a manipulation results in http request smuggling. This vulnerability was named CVE-2026-44546. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.

vuldb.com

CVE-2026-37460 | FRRouting FRR 10.0/10.6 BGP rfapi_rib.c rfapiRibBi2Ri denial of service (EUVD-2026-34083)

VulDB Recent Entries

1 week 5 days ago

A vulnerability, which was classified as problematic, was found in FRRouting FRR 10.0/10.6. The affected element is the function rfapiRibBi2Ri of the file rfapi_rib.c of the component BGP Handler. Such manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2026-37460. The attack can be launched remotely. No exploit exists. It is advisable to implement a patch to correct this issue.

vuldb.com

Взломали, извинились, починили. Группировка Nova показала чудеса клиентского сервиса.

Securitylab.ru

1 week 5 days ago

Киберпреступники исключили партнера из синдиката за атаку на бизнес со штаб-квартирой в СНГ.

Meta 给予员工每次最多 30 分钟退出跟踪

Solidot

1 week 5 days ago

Meta 最近开始在美国员工电脑上安装追踪软件，捕捉员工鼠标移动、点击和按键数据以用于训练 AI 模型，此举是该公司构建能自动执行工作任务的 AI 智能体的大计划的一部分。被称为 Model Capability Initiative(MCI)的工具在公司内部引发了强烈反对，部分员工为此发起了一项请愿活动，已有逾 1500 人签名。有匿名员工认为公司的行为“非常反乌托邦”。根据周二发给员工的一份内部备忘录，Meta 略微后退了一步，允许员工退出跟踪，“每次最长 30 分钟”，员工也可以申请永久退出该跟踪计划。

Microsoft responds to security challenges facing code, AI agents, and models

Help Net Security

1 week 5 days ago

Microsoft has introduced a series of security tools and capabilities focused on AI-driven vulnerability discovery, AI agents, and AI models. The updates include a multi-agent vulnerability discovery system, new controls for managing and securing AI agents, data protection capabilities, and tools designed to identify potentially vulnerable or compromised AI models before deployment. MDASH targets exploitable vulnerabilities Microsoft expanded the preview of MDASH, a multi-model agentic vulnerability discovery system that now integrates with Microsoft Defender. The … More →

The post Microsoft responds to security challenges facing code, AI agents, and models appeared first on Help Net Security.

Sinisa Markovic

Space Bears

Dark Feed IO

1 week 5 days ago

You must login to view this content

cohenido

Akira

Dark Feed IO

1 week 5 days ago

You must login to view this content

cohenido

Akira

Dark Feed IO

1 week 5 days ago

You must login to view this content

cohenido

Akira

Dark Feed IO

1 week 5 days ago

You must login to view this content

cohenido

Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access

Cyber Security News

1 week 5 days ago

Five zero-day flaws in OpenClaw allowed attackers to bypass trust boundaries and hijack AI agent access across multiple messaging platforms. OpenClaw, which integrates AI agents with services such as Slack, Discord, Microsoft Teams, Matrix, and Telegram, relies heavily on user-defined allowlists to determine who can interact with an agent. This trust model assumes that only […]

The post Five OpenClaw 0-Days let Attackers to Hijack Trusted AI Agent Access appeared first on Cyber Security News.

Abinaya

网络首发 | 安徽大学崔杰教授团队：车内网中基于属性加密的可撤销访问控制机制研究

网信军民融合

1 week 5 days ago

WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks

Cyber Security News

1 week 5 days ago

A critical security flaw in the widely used Kirki WordPress plugin has exposed over 500,000 websites to potential account takeover attacks, with researchers warning that approximately 150,000 sites are actively vulnerable due to affected versions. Tracked as CVE-2026-8206 with a CVSS score of 9.8, the vulnerability impacts Kirki plugin versions 6.0.0 through 6.0.6. The issue […]

The post WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks appeared first on Cyber Security News.

Abinaya

Трамп придумал идеальный закон об ИИ: выглядит как контроль, работает как отсутствие контроля

Securitylab.ru

1 week 5 days ago

Хотел проверять все модели за 90 дней до релиза. Отказался за несколько часов до подписания.

What 345 Days of Untested Exposure Looks Like at a Bank

Bleeping Computer.

1 week 5 days ago

A two-week penetration test can leave roughly 345 days of real-world exposure unvalidated. Sprocket Security explores why continuous testing is becoming critical as attack surfaces constantly change. [...]

数学家警告 AI 对数学专业的威胁

Solidot

1 week 5 days ago

数学家联合发表了获得国际数学联盟支持的宣言《Leiden Declaration》，警告 AI 通过产生大量看似合理但不可靠甚至错误的证明、削弱归因、改变激励机制以及赋予科技公司对研究优先事项过大的影响力去破坏数学。已有数百人签署了这一宣言，它警告 AI 的发展威胁到了数学研究的固有价值。宣言首先指出，区分 AI 产生的证明和正确的数学证明非常困难，给审稿人带来了越来越大的压力，生成 AI 论文成本低廉但验证论文代价昂贵，如果后续研究是基于错误的前提，那么错误会扩大。其次 AI 的训练是基于已有的数学论文，但它输出论文时经常不能正确引用，AI 模型的训练也普遍存在版权侵犯问题。第三 AI 的激励机制与数学专业的价值观背道而驰。宣言敦促数学家将 AI 视为一种工具，而非人类责任的替代品。数学家个人应公开 AI 的使用情况，对其工作的正确性承担责任。宣言还警告，数学可能被用于战争、压迫、大规模监控和破坏民主，因此数学家应谨慎权衡与科技行业合作的伦理问题。

KRYBIT

Dark Feed IO

1 week 5 days ago

You must login to view this content

cohenido

Russia’s FSB Says Foreign Spies Infected Officials’ Phones With Malware

Security Affairs

1 week 5 days ago

Russia’s FSB claims foreign intelligence planted malware on senior officials’ phones to intercept calls and activate cameras. No technical evidence, no country named. On June 2, 2026, Russia’s Federal Security Service (FSB) published a statement claiming it had uncovered and documented a large-scale foreign intelligence operation targeting the mobile devices of senior Russian officials. The […]

Pierluigi Paganini

Aggregator

Managed ad