Aggregator

A vulnerability identified as problematic has been detected in Mail Queue Plugin up to 1.1 on WordPress. The affected element is an unknown function of the component Email Subject Handler. Performing a manipulation results in cross site scripting. This vulnerability is reported as CVE-2023-3167. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability marked as problematic has been reported in About Me 3000 Widget Plugin up to 2.2.6 on WordPress. This affects an unknown function. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2023-3369. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability described as problematic has been identified in Advanced Popups Plugin up to 1.1.1 on WordPress. Affected by this issue is the function metabox_popup_save. The manipulation results in cross-site request forgery. This vulnerability is cataloged as CVE-2021-4421. The attack may be launched remotely. There is no exploit available.

A vulnerability marked as critical has been reported in User Registration Plugin up to 3.0.1 on WordPress. Affected by this vulnerability is an unknown functionality. Performing a manipulation of the argument profile-pic-url results in deserialization. This vulnerability is reported as CVE-2023-3343. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability described as critical has been identified in User Registration Plugin up to 3.0.2/3.0.2.1 on WordPress. Affected by this issue is the function ur_upload_profile_pic. Executing a manipulation can lead to unrestricted upload. This vulnerability appears as CVE-2023-3342. The attack may be performed from remote. There is no available exploit.

A vulnerability marked as problematic has been reported in Buy Me a Coffee Plugin up to 3.6 on WordPress. This affects an unknown function. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2023-2082. The attack is possible to be carried out remotely. No exploit exists.

A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig. The vulnerability in question is CVE-2026-39987 (CVSS score: 9.3), a pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including

HackerNews 编译，转载请注明出处： 运营全球最大比特币ATM网络之一的Bitcoin Depot披露，上月系统遭入侵后，攻击者从其加密钱包窃取价值366.5万美元的比特币。 该公司管理着全球超过2.5万台比特币ATM和BDCheckout网点，2025年营收达6.15亿美元。 据美国证券交易委员会文件披露，公司于3月23日发现攻击，此前检测到部分IT系统存在可疑活动。 虽然公司立即采取措施控制入侵，但攻击者仍有时间窃取数字资产结算账户凭证，并在其访问被阻止前从Bitcoin Depot钱包转走超过50枚比特币。 Bitcoin Depot表示：”2026年3月23日，公司发现未授权方访问其部分信息技术系统。检测后，公司立即启动事件响应程序，聘请外部网络安全专家并通知执法部门。结果，未授权行为体未经批准从公司控制的钱包转移约50.903枚比特币，截至报告日价值约366.5万美元。公司进一步认为，事件仅限于公司企业环境，未影响客户平台、部门、系统、数据或环境。” 公司已就入侵通知执法部门，并聘请外部网络安全专家协助调查。 虽然公司持有网络攻击保险，但Bitcoin Depot表示这可能无法覆盖攻击直接导致的所有损失。 “2026年4月6日，公司仍认定该事件具有重大影响，鉴于潜在后果，包括声誉损害、法律、监管和响应成本，”公司补充。 “公司持有可能覆盖网络安全事件相关某些损失的保险，但无法保证该保险足以收回此次事件导致的任何或全部损失。” 去年，Bitcoin Depot还就2024年数据泄露通知近2.6万人，该事件源于威胁行为体入侵系统窃取受影响个人信息的攻击（包括全名、地址、出生日期、驾照号码、邮箱地址和电话号码）。 2024年12月，美国比特币ATM运营商Byte Federal披露类似事件，导致影响5.8万名客户的数据泄露。 消息来源：bleepingcomputer.com； 本文由 HackerNews.cc 翻译整理，封面来源于网络； 转载请注明“转自 HackerNews.cc”并附上原文

A vulnerability was found in Linux Kernel up to 6.12.74/6.18.15/6.19.5. It has been classified as critical. Affected is an unknown function of the component xfs. This manipulation causes privilege escalation. The identification of this vulnerability is CVE-2026-23251. The attack needs to be done within the local network. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability labeled as critical has been found in Linux Kernel up to 6.12.74/6.18.15/6.19.5. This issue affects the function xchk_scrub_create_subord of the component xfs. The manipulation results in unchecked return value. This vulnerability is cataloged as CVE-2026-23250. The attack must originate from the local network. There is no exploit available. The affected component should be upgraded.

A vulnerability has been found in Linux Kernel up to 6.12.74/6.18.15/6.19.5 and classified as critical. This affects the function xrep_revalidate_allocbt of the component xfs. The manipulation leads to injection. This vulnerability is uniquely identified as CVE-2026-23249. The attack can only be initiated within the local network. No exploit exists. The affected component should be upgraded.

A vulnerability categorized as critical has been discovered in Linux Kernel up to 6.1.162/6.6.123/6.12.69/6.18.9. This affects the function do_ade of the component LoongArch. Executing a manipulation can lead to privilege escalation. This vulnerability is tracked as CVE-2025-71270. The attack is only possible within the local network. No exploit exists. It is advisable to upgrade the affected component.

A vulnerability classified as critical has been found in Linux Kernel up to 6.18.9. The impacted element is the function __cow_file_range_inline of the component btrfs. Performing a manipulation results in denial of service. This vulnerability is reported as CVE-2025-71269. The attacker must have access to the local network to execute the attack. No exploit exists. It is recommended to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.1.162/6.6.123/6.12.69/6.18.9. It has been rated as critical. Affected by this issue is the function __cow_file_range_inline of the component btrfs. Performing a manipulation results in allocation of resources. This vulnerability is identified as CVE-2025-71268. The attack can only be performed from the local network. There is not any exploit available. Upgrading the affected component is advised.

I just blinked and the first quarter of the year is GONE. Where does the time go? I looked back at my article from last month where I touched on the use of AI and some of the vulnerabilities associated with it and realized it was good precursor to some themes at RSAC this year. AI was certainly the focus this year, with almost everyone having some form of AI connection to their products (some … More →

The post April 2026 Patch Tuesday forecast: Spring-cleaning of a preview appeared first on Help Net Security.

FreeBSD 基金会在 2024 年第四季度启动了项目 Laptop Support & Usability Project，致力于改进 FreeBSD 发行版在现代笔记本电脑上的兼容性，解决 Wi-Fi、图形、音频、安装程序和睡眠状态等方面的问题。该项目已经取得了长足进步，它公布了一个兼容笔记本型号的名单，有 10 个型号的笔记本获得了 8/8 的几乎完美评分。这些笔记本电脑包括：联想 ThinkPad X270、华硕 TUF Gaming F15 FX507VU_FX507VU、惠普 EliteBook 845 G7 Notebook PC、联想 IdeaPad 5 15ALC05、Framework Laptop 13 (13th Gen Intel Core)、联想 Yoga 11e、Framework Laptop 13 (AMD Ryzen 7040 Series)、联想 ThinkPad T490、Framework Laptop 16 (AMD Ryzen 7040 Series) 以及 Aspire A315-24PT。

A vulnerability labeled as problematic has been found in parisneo lollms up to 2.1.x. This issue affects the function create_post of the file backend/routers/social/__init__.py. Executing a manipulation can lead to cross site scripting. This vulnerability is registered as CVE-2026-1115. It is possible to launch the attack remotely. No exploit is available. The affected component should be upgraded.

Hackers breached Bitcoin Depot, stole credentials, and took about 50 BTC worth $3.6M from its wallets after a March 23 intrusion. Hackers breached the largest US Bitcoin ATM operator, Bitcoin Depot, on March 23, stole login credentials, and drained about 50.9 BTC worth $3.6M from company wallets. Bitcoin Depot told the SEC that a hacker […]