Aggregator

A critical flaw in the WPvivid Backup & Migration WordPress plugin can let an unauthenticated attacker upload files and run code on the server, a path that often ends in full site takeover. The issue is tracked as CVE-2026-1357, scored 9.8 (Critical), and affects plugin versions up to and including 0.9.123, with a fix available […]

The post WordPress Backup Plugin Vulnerability Exposes 800,000 Sites to Remote Code Execution Attacks appeared first on Cyber Security News.

论文提出了首个针对图神经网络（GNN）的数据无关模型提取攻击框架STEALGNN，这一创新性贡献突破了现有攻击方法对原始训练数据的依赖，实现了无需真实数据即可提取GNN模型知识的攻击方法。

Bitdefender reports a surge in LummaStealer activity, showing the MaaS infostealer rebounded after 2025 law enforcement disruption. Bitdefender observed renewed LummaStealer activity, proving the MaaS infostealer recovered after 2025 takedowns. Active since 2022, it relies on affiliates, social engineering, fake cracked software, and fake CAPTCHA “ClickFix” lures. CastleLoader plays a key role in spreading it. […]

A vulnerability labeled as problematic has been found in Orbisius Random Name Generator Plugin up to 1.0.2 on WordPress. The impacted element is an unknown function of the component Shortcode Handler. Executing a manipulation of the argument btn_label can lead to cross site scripting. This vulnerability appears as CVE-2026-1893. The attack may be performed from remote. There is no available exploit.

A vulnerability categorized as problematic has been discovered in Pix Para Woocommerce Plugin up to 2.13.3 on WordPress. Affected by this vulnerability is an unknown functionality of the component Payment Gateway Configuration Handler. The manipulation results in missing authorization. This vulnerability is cataloged as CVE-2025-15400. The attack may be launched remotely. There is no exploit available.

A vulnerability identified as problematic has been detected in Roundcube Webmail up to 1.5.12/1.6.12. Affected by this issue is some unknown functionality of the component Cascading Style Sheet Handler. This manipulation causes inclusion of functionality from untrusted control sphere. This vulnerability is registered as CVE-2026-26079. Remote exploitation of the attack is possible. No exploit is available. You should upgrade the affected component.

A vulnerability was found in Beaver Builder Page Builder Plugin up to 2.10.0.5 on WordPress. It has been rated as problematic. Affected by this vulnerability is the function save_global_settings. The manipulation leads to cross site scripting. This vulnerability is documented as CVE-2026-1231. The attack can be initiated remotely. There is not any exploit available.

Oekraïne heeft dringend behoefte aan extra slagkracht. Nederland, het Verenigd Koninkrijk, Noorwegen en Zweden schieten daarom te hulp met een nieuwe levering van Amerikaanse wapens, materieel en munitie. Het gaat om militaire steun via het Prioritised Ukraine Requirements List (PURL) initiatief. Ook levert Nederland F-16-simulatoren.

Among the many security fixes released by Microsoft on February 2026 Patch Tuesday is one for CVE-2026-20841, a command injection vulnerability in Notepad that could be exploited by attackers to achieve remote code execution on targets’ Windows system. About CVE-2026-20841 For many, many years, Windows Notepad was a simple text editor and a staple tool for everyone who wanted a no-frills way to work with plain text, but in early 2022, Microsoft started redesigning it … More →

The post Windows Notepad Markdown feature opens door to RCE (CVE-2026-20841) appeared first on Help Net Security.

Этот космический левиафан — нечто среднее между планетой и звездой, окруженное стеной из пыли.

AI is giving online romance scammers even more ways to hide and accelerate their schemes while making it more difficult for people to detect fraud operations that are resulting in billions of dollars being stolen every year from millions of victims.

The post AI is Supercharging Romance Scams with Deepfakes and Bots appeared first on Security Boulevard.

A vulnerability was found in Gallery by FooGallery Plugin up to 3.1.9 on WordPress. It has been classified as problematic. This impacts the function ajax_get_gallery_info. Performing a manipulation results in missing authorization. This vulnerability is cataloged as CVE-2025-15524. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Lucky Wheel Giveaway Plugin up to 1.0.22 on WordPress and classified as critical. This affects an unknown function. Such manipulation of the argument conditional_tags leads to code injection. This vulnerability is listed as CVE-2025-14541. The attack may be performed from remote. There is no available exploit.

A vulnerability was found in SlimStat Analytics Plugin up to 5.3.1 on WordPress. It has been declared as critical. Affected is an unknown function. Executing a manipulation of the argument args can lead to sql injection. This vulnerability is registered as CVE-2025-13431. It is possible to launch the attack remotely. No exploit is available.

A vulnerability classified as problematic has been found in TP-Link Archer C60 v3. This issue affects some unknown processing. Performing a manipulation results in cross site scripting. This vulnerability was named CVE-2026-1571. The attack may be initiated remotely. There is no available exploit. It is recommended to upgrade the affected component.

The MS-ISAC bridges the U.S. SLTT resilience gap by offering under-resourced organizations access to affordable services. Read to learn more.

Black Duck has announced the availability of a set of enhanced Black Duck Polaris Platform integrations across all major source code management (SCM) platforms, including GitHub, GitLab, Azure DevOps, and Bitbucket. The Polaris Platform is an integrated, software-as-a-service application security platform powered by the static application security testing, software composition analysis, and dynamic application security testing engines. With development teams managing an explosion of human and AI-generated code and increasingly distributed development environments, manual onboarding … More →

The post Black Duck expands Polaris platform with unified, automated security across all major SCMs appeared first on Help Net Security.

The once popular Outlook add-in AgreeTo was turned into a powerful phishing kit after the developer abandoned the project.

The post Outlook add-in goes rogue and steals 4,000 credentials and payment data appeared first on Security Boulevard.

AMOS infostealer is targeting macOS users by abusing popular AI apps and extension marketplaces to harvest credentials. Flare examines how AMOS operates, spreads through AI-driven lures, and feeds the broader stealer-log cybercrime economy. [...]