Aggregator
CVE-2026-6224 | nocobase plugin-workflow-javascript up to 2.0.23 Vm.js createSafeConsole sandbox
2 weeks 1 day ago
A vulnerability, which was classified as critical, has been found in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in a sandbox issue.
This vulnerability is identified as CVE-2026-6224. The attack can be initiated remotely. Additionally, an exploit exists.
The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com
Submit #785881: NocoBase 2.0.23 Sandbox Issue [Accepted]
2 weeks 1 day ago
Submit #785881 / VDB-357142
Paaai
CVE-2026-6220 | HummerRisk up to 1.5.0 Video File Download URL ServerService.java ServerService.addServer streamIp server-side request forgery
2 weeks 1 day ago
A vulnerability classified as critical was found in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery.
This vulnerability is referenced as CVE-2026-6220. It is possible to launch the attack remotely. Furthermore, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com
CVE-2026-6219 | aandrew-me ytDownloader up to 3.20.2 Compressor Feature src/compressor.js child_process.exec command injection
2 weeks 1 day ago
A vulnerability classified as critical has been found in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection.
The identification of this vulnerability is CVE-2026-6219. The attack can only be executed locally. Furthermore, there is an exploit available.
The vendor was contacted early about this disclosure.
vuldb.com
Submit #785855: HummerRisk 1.5.0 Injection [Accepted]
2 weeks 1 day ago
Submit #785855 / VDB-357141
cccccccti
Iran-Linked CyberAv3ngers Sets Sights on Water Utilities and Industrial Controllers
2 weeks 1 day ago
An Iran-backed cyber threat group called CyberAv3ngers has grown from a noise-making hacktivist outfit into a serious threat targeting critical infrastructure across the United States. The group, formally connected to Iran’s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), has been operating since at least 2020 and has steadily sharpened its tools and techniques with each […]
The post Iran-Linked CyberAv3ngers Sets Sights on Water Utilities and Industrial Controllers appeared first on Cyber Security News.
Tushar Subhra Dutta
CVE-2026-6218 | aandrew-me ytDownloader up to 3.20.2 Error Details Panel createTextNode cross site scripting
2 weeks 1 day ago
A vulnerability described as problematic has been identified in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting.
This vulnerability was named CVE-2026-6218. The attack may be performed remotely. There is no available exploit.
The vendor was contacted early about this disclosure.
vuldb.com
No tracking, no ads, no leaks. What is known about XChat, Elon Musk's new messenger
2 weeks 1 day ago
Is Musk releasing a competitor to Telegram and Signal?
Submit #785844: Aandrew-me ytDownloader 3.20.2 Command Injection [Duplicate]
2 weeks 1 day ago
Submit #785844 / VDB-357140
ngocnn97
Submit #785843: Aandrew-me ytDownloader 3.20.2 Command Injection [Accepted]
2 weeks 1 day ago
Submit #785843 / VDB-357140
ngocnn97
Submit #785842: Aandrew-me ytDownloader 3.20.2 Remote code execution via DOM XSS [Accepted]
2 weeks 1 day ago
Submit #785842 / VDB-357139
ngocnn97
MacSync Stealer Campaign Impacting U.S. SLTT macOS Users
2 weeks 1 day ago
An ongoing MacSync Stealer campaign is targeting macOS users in U.S. SLTT government organizations. Learn more by reading CIS CTI's analysis.
CVE-2026-36923 | SourceCodester Cab Management System 1.0 view_booking.php sql injection (EUVD-2026-21924)
2 weeks 1 day ago
A vulnerability marked as critical has been reported in SourceCodester Cab Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /cms/admin/bookings/view_booking.php. The manipulation leads to sql injection.
This vulnerability is uniquely identified as CVE-2026-36923. The attack can be carried out remotely. No exploit exists.
vuldb.com
CVE-2026-36922 | SourceCodester Cab Management System 1.0 view_category.php sql injection (EUVD-2026-21922)
2 weeks 1 day ago
A vulnerability labeled as critical has been found in SourceCodester Cab Management System 1.0. Affected is an unknown function of the file /cms/admin/categories/view_category.php. Executing a manipulation can lead to sql injection.
This vulnerability is handled as CVE-2026-36922. The attack can be executed remotely. There is no exploit available.
vuldb.com
CVE-2026-36920 | SourceCodester Online Reviewer System 1.0 questions-view.php sql injection (EUVD-2026-21920)
2 weeks 1 day ago
A vulnerability identified as critical has been detected in SourceCodester Online Reviewer System 1.0. This impacts an unknown function of the file /system/system/admins/assessments/examproper/questions-view.php. Performing a manipulation results in sql injection.
This vulnerability is known as CVE-2026-36920. Remote exploitation of the attack is possible. No exploit is available.
vuldb.com
Long-term pesticide exposure may trigger diabetes
2 weeks 1 day ago
Global pesticide use reached 3.73 million tonnes in 2023, roughly double the 1990 figure. Research on pesticide-related health risks has long focused on acute poisoning, neurotoxicity and cancer. New genetic techniques can now be used to track the effects of pesticides on the gut microbiome. An Indian team that studied nearly 3,000 people in southern India found that 23% of people in urban areas had diabetes, mostly associated with typical risk factors such as obesity and high cholesterol; in rural areas, however, the prevalence of diabetes was still as high as 16% and was unrelated to those risk factors. The researchers suspected that environmental chemicals might play a role. The team studied the effects of cypermethrin, a widely used agricultural insecticide, in mice. Based on pesticide residue levels in the everyday Indian diet, the team used a "realistic dose", administered continuously for 120 days. The study showed that cypermethrin reshaped the mouse gut microbiome: beneficial bacteria such as Lactobacillus declined, while potentially harmful bacteria such as Helicobacter pylori increased. Even without weight gain, mice exposed to cypermethrin developed high blood sugar and symptoms of diabetes. Pesticides appear not only to change the composition of the microbiome but also to affect its metabolic activity. In another large study, researchers exposed 17 representative human gut bacteria to 18 different pesticides and detected changes in hundreds of small molecules produced by the microbes, including short-chain fatty acids, bile acids and tryptophan-related molecules. These substances maintain the health of the gut lining, regulate inflammatory responses and modulate immune function. They also found that some bacteria accumulate pesticides inside their cells, which may prolong the pesticides' residence time in the body and increase long-term health risks.
CVE-2026-6216 | DbGate up to 7.1.4 SVG Icon String FontIcon.svelte applicationIcon cross site scripting
2 weeks 1 day ago
A vulnerability categorized as problematic has been discovered in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting.
This vulnerability is tracked as CVE-2026-6216. The attack may be launched remotely. Furthermore, there is an exploit available.
It is advisable to upgrade the affected component.
vuldb.com
CVE-2026-6215 | DbGate up to 7.1.4 REST/GraphQL openApiDriver.ts apiServerUrl1 server-side request forgery
2 weeks 1 day ago
A vulnerability was found in DbGate up to 7.1.4. It has been rated as critical. The impacted element is the function apiServerUrl1 of the file packages/rest/src/openApiDriver.ts of the component REST/GraphQL. This manipulation causes server-side request forgery.
This vulnerability appears as CVE-2026-6215. The attack may be initiated remotely. In addition, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com