Aggregator
Insider threats make a comeback
1 week 3 days ago
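Insider threats have always been a risk, but the evolution of modern technology, tactics and motivations has greatly increased the threat, the likelihood, and the consequences of insider-related incidents.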
31 WordPress plugins backdoored after being acquired
1 week 3 days ago
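An Indian development team built 31 WordPress plugins under the name Essential Plugin, with both free and paid versions. In late 2024, after revenue fell 35-45%, the developers sold all of the plugins for a six-figure sum to a buyer with a background in SEO, cryptocurrency and gambling. On August 8, 2025 the buyer released an update that contained a backdoor, but the backdoor stayed dormant. On April 5-6, 2026 the backdoor activated and began delivering malicious payloads to every site running the affected plugins. The malicious code fetches spam links, redirects and fake pages from a command-and-control server. This spam is shown only to Google's crawler, Googlebot, and is invisible to site owners. The WordPress.org plugin team closed all of the plugins the next day, but the SEO spam injection attack is still under way. This is not the first time WordPress.org has faced a supply-chain attack following this pattern, in which a trusted plugin is acquired and malicious code is then injected: it has no mechanism to flag or review plugin ownership transfers, does not notify users of a change in plugin ownership, and a new owner does not trigger additional code review. In the latest attack, hundreds of thousands of sites with these plugins installed are affected.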
31 WordPress plugins backdoored after being acquired
1 week 3 days ago
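After 31 WordPress plugins developed by an Indian team were sold to a disreputable buyer, a backdoor was planted in them; the malicious code activated in April 2026, injecting spam links and redirects into sites, shown only to Googlebot. The attack affects hundreds of thousands of sites; WordPress.org closed the plugins but could not stop the ongoing attack.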
CVE-2026-4694 | Mozilla Firefox up to 148 Graphics integer overflow (Nessus ID 303906 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability described as critical has been identified in Mozilla Firefox up to 148. Impacted is an unknown function of the component Graphics. Such manipulation leads to integer overflow.
This vulnerability is uniquely identified as CVE-2026-4694. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is recommended.
vuldb.com
CVE-2026-4692 | Mozilla Firefox up to 148 Design Mode sandbox (Nessus ID 304234 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability identified as critical has been detected in Mozilla Firefox up to 148. This affects an unknown part of the component Design Mode. The manipulation leads to a sandbox issue.
This vulnerability is traded as CVE-2026-4692. It is possible to initiate the attack remotely. There is no exploit available.
You should upgrade the affected component.
vuldb.com
CVE-2026-4693 | Mozilla Firefox up to 148 Playback memory corruption (Nessus ID 304234 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability classified as critical has been found in Mozilla Firefox up to 148. The affected element is an unknown function of the component Playback. Performing a manipulation results in memory corruption.
This vulnerability was named CVE-2026-4693. The attack may be initiated remotely. There is no available exploit.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2026-4691 | Mozilla Firefox up to 148 CSS Parser use after free (Nessus ID 304234 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability was found in Mozilla Firefox up to 148. It has been rated as critical. Affected by this vulnerability is an unknown functionality of the component CSS Parser. Performing a manipulation results in use after free.
This vulnerability is reported as CVE-2026-4691. The attack can be carried out remotely. No exploit exists.
Upgrading the affected component is advised.
vuldb.com
CVE-2026-4690 | Mozilla Firefox up to 148 XPCOM integer overflow (Nessus ID 303470 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability categorized as critical has been discovered in Mozilla Firefox up to 148. Affected by this issue is some unknown functionality of the component XPCOM. Executing a manipulation can lead to integer overflow.
This vulnerability appears as CVE-2026-4690. The attack may be performed remotely. There is no available exploit.
It is advisable to upgrade the affected component.
vuldb.com
CVE-2026-4689 | Mozilla Firefox up to 148 XPCOM integer overflow (Nessus ID 303470 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability was found in Mozilla Firefox up to 148. It has been classified as critical. This impacts an unknown function of the component XPCOM. This manipulation causes integer overflow.
This vulnerability is registered as CVE-2026-4689. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
vuldb.com
CVE-2026-4688 | Mozilla Firefox up to 148 Access API use after free (Nessus ID 303474 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability was found in Mozilla Firefox up to 148 and classified as critical. This affects an unknown function of the component Access API. The manipulation results in use after free.
This vulnerability is cataloged as CVE-2026-4688. The attack may be launched remotely. There is no exploit available.
It is suggested to upgrade the affected component.
vuldb.com
The phoenix of Russian cybersecurity: F6 has grown 2.5-fold and is heading to the stock market
1 week 3 days ago
F6 CEO Valery Baulin announced that the company may go public on the stock exchange.
CVE-2026-4687 | Mozilla Firefox up to 148 Telemetry sandbox (Nessus ID 303474 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability has been found in Mozilla Firefox up to 148 and classified as critical. The impacted element is an unknown function of the component Telemetry. The manipulation leads to a sandbox issue.
This vulnerability is listed as CVE-2026-4687. The attack may be initiated remotely. There is no available exploit.
The affected component should be upgraded.
vuldb.com
CVE-2026-4686 | Mozilla Firefox up to 148 Canvas2D memory corruption (Nessus ID 303474 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability, which was classified as critical, was found in Mozilla Firefox up to 148. The affected element is an unknown function of the component Canvas2D. Executing a manipulation can lead to memory corruption.
This vulnerability is tracked as CVE-2026-4686. The attack can be launched remotely. No exploit exists.
You should upgrade the affected component.
vuldb.com
CVE-2026-4685 | Mozilla Firefox up to 148 Canvas2D memory corruption (Nessus ID 303474 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability was found in Mozilla Firefox up to 148. It has been declared as critical. Affected is an unknown function of the component Canvas2D. Such manipulation leads to memory corruption.
This vulnerability is documented as CVE-2026-4685. The attack can be executed remotely. There is no exploit available.
It is recommended to upgrade the affected component.
vuldb.com
CVE-2026-4371 | Mozilla Thunderbird up to 140.8/148 Email out-of-bounds (Nessus ID 303506 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability was found in Mozilla Thunderbird up to 140.8/148. It has been classified as problematic. This impacts an unknown function of the component Email Handler. The manipulation leads to out-of-bounds read.
This vulnerability is traded as CVE-2026-4371. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is recommended.
vuldb.com
CVE-2026-4684 | Mozilla Firefox up to 148 WebRender use after free (Nessus ID 303474 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability, which was classified as critical, has been found in Mozilla Firefox up to 148. Impacted is an unknown function of the component WebRender. Performing a manipulation results in use after free.
This vulnerability is identified as CVE-2026-4684. The attack can be initiated remotely. There is no exploit available.
It is advisable to upgrade the affected component.
vuldb.com
CVE-2026-3889 | Mozilla Thunderbird up to 140.8/148 ui layer (Nessus ID 303506 / WID-SEC-2026-0850)
1 week 3 days ago
A vulnerability was found in Mozilla Thunderbird up to 140.8/148. It has been rated as problematic. Affected by this vulnerability is an unknown functionality. This manipulation causes improper restriction of rendered UI layers.
This vulnerability is handled as CVE-2026-3889. The attack can be initiated remotely. There is no exploit available.
Upgrading the affected component is advised.
vuldb.com
U.S. CISA adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog
1 week 3 days ago
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple, Laravel Livewire and Craft CMS flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the flaws added to the catalog: Last week, […]
Pierluigi Paganini
U.S. CISA adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog
1 week 3 days ago
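The article mainly covers the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding a number of vulnerabilities in Adobe, Fortinet, Microsoft Exchange Server and Windows to its Known Exploited Vulnerabilities catalog. Specifically, it mentions several CVE identifiers, such as CVE-2026-34621 and CVE-2012-1854; these vulnerabilities involve prototype pollution, DLL hijacking, SQL injection and similar issues.
CISA requires federal agencies to fix these vulnerabilities by April 27, 2026, except for CVE-2026-21643, which must be fixed by April 16. Experts also recommend that private organizations review the catalog and fix the vulnerabilities.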
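The U.S. cybersecurity agency CISA added multiple high-severity vulnerabilities in Adobe, Fortinet, Microsoft Exchange Server and Windows to its Known Exploited Vulnerabilities catalog and set remediation deadlines to address the risk of potential attacks.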