Posts of last 24 hours
A threat actor has been targeting organizations spanning multiple sectors with voice-based fake security requests that prompt Microsoft 365 users to enroll a new Entra passkey with an aim to carry out data extortion attacks.
The threat actor, tracked by Okta under the moniker O-UNC-066, has deployed a panel-controlled phishing kit that's capable of targeting the passkey enrollment process. The
https://thehackernews.com/2026/07/hackers-use-fake-microsoft-entra.html
A vulnerability identified as problematic has been detected in R-SOFT SERWIS DMS up to 3.19-2861. This impacts an unknown function of the component File Download Endpoint. Performing a manipulation results in improper control of resource identifiers.
This vulnerability was named CVE-2026-41878. The attack may be initiated remotely. There is no available exploit.
https://vuldb.com/vuln/377464
长征十号乙运载火箭于 7 月 10 日 12 时 15 分在海南商业航天发射场发射升空,火箭一二级分离约 6 分钟后,一子级垂直返回,在海上回收平台通过网系捕获方式成功回收。此次回收的一子级预计将在今年年底前完成复用飞行。长征十号乙运载火箭由中国航天科技集团一院抓总研制,是 5 米直径两级串联构型的大型液体运载火箭。火箭芯一级沿用长征十号甲运载火箭一子级状态,采用液氧煤油推进剂,芯二级采用液氧甲烷推进剂;全箭起飞推力约 890 吨,起飞重量约 760 吨;首飞箭全箭长度约 63 米,重复使用状态下近地轨道运载能力 16 吨。该火箭可满足低轨卫星互联网星座部署、大型商业卫星发射等各类任务需求,复用状态下可大幅降低发射成本。
https://www.solidot.org/story?sid=84800
A vulnerability categorized as problematic has been discovered in jegtheme Jeg Kit for Elementor Plugin up to 3.2.6 on WordPress. This affects the function render_body of the component Image Box Widget. Such manipulation of the argument sg_body_description leads to cross site scripting.
This vulnerability is uniquely identified as CVE-2026-13710. The attack can be launched remotely. No exploit exists.
https://vuldb.com/vuln/377463
Researchers uncovered 222 GitHub repositories spreading malware through fake Go packages, delivering loaders, stealers, RATs, and cryptominers. Socket’s security research team started with the investigation of a single malicious Go module: github[.]com/kaleidora/dnsub-scanning-tool, which presented itself as a DNS and subdomain scanning utility. Pulling on that thread exposed something significantly larger: a network of 222 confirmed […]
https://securityaffairs.com/195101/security/222-github-repositories-linked-to-fake-go-package-malware-operation.html
A vulnerability was found in Red Hat Enterprise Linux 6, Enterprise Linux 7, Enterprise Linux 8, Enterprise Linux 9, Enterprise Linux 10, Hardened Images and OpenShift Container Platform 4. It has been rated as critical. The impacted element is an unknown function of the component PAX Header Parser. This manipulation of the argument sparse-file causes heap-based buffer overflow.
This vulnerability is handled as CVE-2026-15028. The attack can be initiated remotely. There is not any exploit available.
https://vuldb.com/vuln/377462
A vulnerability was found in beardev JoomSport Plugin up to 5.7.9 on WordPress. It has been declared as critical. The affected element is an unknown function of the component Shortcode Handler. The manipulation of the argument Event results in sql injection.
This vulnerability is known as CVE-2026-13010. It is possible to launch the attack remotely. No exploit is available.
https://vuldb.com/vuln/377461
Pickle-десериализация в Python: как одна строка кода может привести к выполнению произвольных команд
https://www.securitylab.ru/analytics/574694.php
A vulnerability was found in iqonicdesign KiviCare Plugin up to 4.4.0 on WordPress. It has been classified as critical. Impacted is an unknown function of the component Authorization Verification. The manipulation of the argument payment_id leads to authorization bypass.
This vulnerability is traded as CVE-2026-11990. It is possible to initiate the attack remotely. There is no exploit available.
https://vuldb.com/vuln/377460
A vulnerability was found in getwpfunnels Mail Mint Plugin up to 1.24.1 on WordPress and classified as problematic. This issue affects the function array_column of the file /mrm/v1/campaigns of the component Campaigns. Executing a manipulation of the argument recipients can lead to sql injection.
This vulnerability appears as CVE-2026-12918. The attack may be performed from remote. There is no available exploit.
https://vuldb.com/vuln/377459