Aggregator

Assume the breach. Zero-days keep shipping, AI is writing exploits faster than anyone patches, and "patch everything in time" stopped working years ago. Stop betting the org on winning that race. You don't control which bug lands. You control what it can reach once it does. That is a question about the shape of your network, and most teams have the shape wrong. HD Moore, creator of Metasploit

The Hacker News

Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

The Hackers News

3 weeks ago

A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps. Any other app on the same phone could ask for the signed-in user's token and get it, then read email, open files, browse the calendar, and send messages as that user. No password, no login screen, no permission prompt.

The Hacker News

Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises

Cyber Security News

3 weeks ago

A stealthy new threat is quietly making its way through US businesses, and most traditional security tools are completely missing it. Researchers have uncovered a previously unknown piece of malware that disguises itself as an everyday business document — a purchase order, a quote, or a request for proposal. Once an unsuspecting employee opens the […]

The post Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises appeared first on Cyber Security News.

Tushar Subhra Dutta

CVE-2026-47324 | ProjectsAndPrograms school-management-system cross site scripting (6b6fae5)

VulDB Recent Entries

3 weeks ago

A vulnerability was found in ProjectsAndPrograms school-management-system and classified as problematic. This affects an unknown function. Executing a manipulation can lead to cross site scripting. The identification of this vulnerability is CVE-2026-47324. The attack may be launched remotely. There is no exploit available. It is best practice to apply a patch to resolve this issue.

vuldb.com

CVE-2026-44546 | djangoproject daphne up to 4.2.1 Websocket Handshake splitlines request smuggling

VulDB Recent Entries

3 weeks ago

A vulnerability has been found in djangoproject daphne up to 4.2.1 and classified as problematic. The impacted element is the function splitlines of the component Websocket Handshake Handler. Performing a manipulation results in http request smuggling. This vulnerability was named CVE-2026-44546. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.

vuldb.com

CVE-2026-37460 | FRRouting FRR 10.0/10.6 BGP rfapi_rib.c rfapiRibBi2Ri denial of service (EUVD-2026-34083)

VulDB Recent Entries

3 weeks ago

A vulnerability, which was classified as problematic, was found in FRRouting FRR 10.0/10.6. The affected element is the function rfapiRibBi2Ri of the file rfapi_rib.c of the component BGP Handler. Such manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2026-37460. The attack can be launched remotely. No exploit exists. It is advisable to implement a patch to correct this issue.

vuldb.com

Взломали, извинились, починили. Группировка Nova показала чудеса клиентского сервиса.

Securitylab.ru

3 weeks ago

Киберпреступники исключили партнера из синдиката за атаку на бизнес со штаб-квартирой в СНГ.

Meta 给予员工每次最多 30 分钟退出跟踪

Solidot

3 weeks ago

Meta 最近开始在美国员工电脑上安装追踪软件，捕捉员工鼠标移动、点击和按键数据以用于训练 AI 模型，此举是该公司构建能自动执行工作任务的 AI 智能体的大计划的一部分。被称为 Model Capability Initiative(MCI)的工具在公司内部引发了强烈反对，部分员工为此发起了一项请愿活动，已有逾 1500 人签名。有匿名员工认为公司的行为“非常反乌托邦”。根据周二发给员工的一份内部备忘录，Meta 略微后退了一步，允许员工退出跟踪，“每次最长 30 分钟”，员工也可以申请永久退出该跟踪计划。

Microsoft responds to security challenges facing code, AI agents, and models

Help Net Security

3 weeks ago

Microsoft has introduced a series of security tools and capabilities focused on AI-driven vulnerability discovery, AI agents, and AI models. The updates include a multi-agent vulnerability discovery system, new controls for managing and securing AI agents, data protection capabilities, and tools designed to identify potentially vulnerable or compromised AI models before deployment. MDASH targets exploitable vulnerabilities Microsoft expanded the preview of MDASH, a multi-model agentic vulnerability discovery system that now integrates with Microsoft Defender. The … More →

The post Microsoft responds to security challenges facing code, AI agents, and models appeared first on Help Net Security.

Sinisa Markovic