Posts of last 24 hours
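Core design philosophy: progressive disclosure. When an agent invokes a Skill, not everything is put into the context at once; if every Skill were loaded into the context at once, the context length would explode. Agent Skills therefore uses a progressive disclosure mechanism. The core idea is: do not load all content at once, but load it on demand and in layers. This resolves the core tension of LLM agents: they need a vast range of specialized capabilities, yet are limited by a finite context window. The three-layer loading mechanism of progressive disclosure. Layer 1: metadata loading (at startup). Note: the metadata location in different ecosystems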
https://xz.aliyun.com/news/92286
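This article documents the complete penetration process for the HackTheBox machine OneTwoSeven. The attack chain starts with port scanning and web information gathering, which reveal that the target exposes SSH, HTTP, and a management port, 60080, that only allows local access. The symlink feature provided by SFTP is then used to bypass the directory restriction and read sensitive system files and a Vim swap file, recovering the source code of the admin login and obtaining administrator credentials. After reaching the internal admin panel through SSH local port forwarding, the article further analyzes the plugin management logic, using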
https://xz.aliyun.com/news/92288
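This article gives a complete walkthrough of all the Yellow River Basin (黄河流域) reverse-engineering challenges. Topics covered include manual unpacking, control-flow hijacking, parent-child process ptrace, junk-instruction obfuscation, a Python VM, and HarmonyOS reverse engineering with ArkTS + NAPI.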
https://xz.aliyun.com/news/92292
A vulnerability identified as problematic has been detected in Apache Gravitino. The affected element is an unknown function of the component UI. The manipulation leads to privilege escalation.
This vulnerability is documented as CVE-2025-53648. The attack requires being on the local network. No exploit is available.
You should upgrade the affected component.
https://vuldb.com/vuln/374832
A vulnerability categorized as problematic has been discovered in Intermark IT WebControl CMS up to 3.5. Impacted is an unknown function of the file /portal.do of the component URL Handler. Executing a manipulation of the argument urlDestino can lead to cross site scripting.
This vulnerability is registered as CVE-2026-6954. It is possible to launch the attack remotely. No exploit is available.
https://vuldb.com/vuln/374831
A vulnerability was found in Eksagate Electronic Engineering and Computer Industry Trade SYSGUARD 6001 up to 2.0.1. It has been rated as problematic. This issue affects some unknown processing. Performing a manipulation results in cross site scripting. This vulnerability only affects products that are no longer supported by the maintainer.
This vulnerability is cataloged as CVE-2026-8403. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is advised.
https://vuldb.com/vuln/374830
A vulnerability was found in Hitachi Energy PROMOD V up to 1.0.10. It has been declared as critical. This vulnerability affects unknown code. Such manipulation leads to Remote Code Execution.
This vulnerability is listed as CVE-2026-10763. The attack may be performed remotely. There is no available exploit.
https://vuldb.com/vuln/374829
A vulnerability was found in fzf up to 0.73.0. It has been classified as problematic. This affects an unknown part of the component Listen Mode. This manipulation causes inefficient algorithmic complexity.
This vulnerability is tracked as CVE-2026-53433. The attack is restricted to local execution. No exploit exists.
Upgrading the affected component is recommended.
https://vuldb.com/vuln/374828