Aggregator

讲述如何在Coze空间部署cs流量转发

本文记录了 HackTheBox Shibboleth 靶机的一次完整渗透测试过程。文章首先通过 TCP 全端口扫描确认目标主要暴露 80/tcp 服务，并从 Web 重定向、页面源码、目录枚举和页面页脚信息中提取出 Zabbix 与 Bare Metal BMC 线索；随后结合 UDP 623 扫描与虚拟主机爆破，定位到隐藏的 Zabbix 登录入口以及 IPMI 服务暴露面。在初始访问阶段，文

CDG文件服务器的 uploadSoftWareFile 接口存在路径遍历漏洞和目录控制绕过漏洞。攻击者通过构造特殊请求参数，可以绕过目录访问限制，将恶意文件写入服务器任意可写目录，最终实现远程代码执行（RCE）。

往期推荐：2026年AI指数报告（一）1.5.开源AI软件前文重点介绍了值得关注的前沿模型以及构建和维护这些

让每一次AI交互都安全、合规、有序。

在日常渗透测试与安全测试中，前端加密（尤其是登录参数的加密）是绕不开的一类场景。 通过本文的实践,你将看到：一句自然语言 + 一个 MCP 环境 + 一套代理链路，如何将原本至少需要几十分钟的 JS 逆向工作，压缩到几分钟内完成。

本文讨论的是 CTF、靶场、本地实验和授权安全研究场景下的大模型使用方法。核心目标不是绕过安全边界，而是在合法环境中把大模型从聊天助手调成“会拿证据、会调用工具、会及时在一个方法上停下止损的大手子”。

聚焦于AI供应链中的新型高危威胁API中转站投毒（Relay Station Poisoning）。研究不可信中转节点如何利用其对HTTP/SSE流的完全控制权，在Claude Code等AI Agent场景中实现从“数据窃取”到“远程命令执行（RCE）”的完整攻击链，以及如何防御，防御有什么缺陷

Apache Camel JMS 反序列化(CVE-2026-40860)漏洞分析漏洞概述Apache Camel 的核心目标是把各种不同的系统、协议和数据格式“粘合”在一起。它实现了著名的企业集成模式（Enterprise Integration Patterns, EIP），比如拆分消息、聚合消息、动态路由等。受影响版本中，JmsBinding.extractBodyFromJms() 方法在

在 Markdown、公式渲染等富内容处理场景下，由于第三方组件与浏览器底层（HTML、URL、JS 解析器）在实体解码、协议提取和规范化处理上存在机制差异，极易引发解析层面的语义错位，导致了XSS防御体系的 Bypass

Defender与svchost

A vulnerability was found in Google Chrome. It has been classified as critical. Impacted is an unknown function of the component WebGL. Performing a manipulation results in sandbox issue. This vulnerability is reported as CVE-2026-9880. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is recommended.

A vulnerability categorized as critical has been discovered in Google Chrome. This impacts an unknown function of the component ANGLE. Such manipulation leads to out-of-bounds write. This vulnerability is documented as CVE-2026-9879. The attack can be executed remotely. There is not any exploit available. It is advisable to upgrade the affected component.

A vulnerability classified as critical was found in Google Chrome on Android. Impacted is an unknown function of the component WebGL. The manipulation results in use after free. This vulnerability is cataloged as CVE-2026-9876. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is advised.

A vulnerability has been found in Google Chrome and classified as critical. This vulnerability affects unknown code of the component ANGLE. This manipulation causes use after free. This vulnerability is registered as CVE-2026-9877. Remote exploitation of the attack is possible. No exploit is available. The affected component should be upgraded.

A vulnerability was found in Google Chrome and classified as critical. This issue affects some unknown processing of the component ANGLE. Such manipulation leads to use after free. This vulnerability is documented as CVE-2026-9878. The attack can be executed remotely. There is not any exploit available. It is suggested to upgrade the affected component.

A vulnerability marked as critical has been reported in PHP up to 8.2.30/8.3.30/8.4.20/8.5.5. This affects an unknown part of the component SOAP Extension. This manipulation causes use after free. This vulnerability is registered as CVE-2026-6722. Remote exploitation of the attack is possible. No exploit is available. It is suggested to upgrade the affected component.

A vulnerability described as problematic has been identified in PHP up to 8.2.30/8.3.30/8.4.20/8.5.5. This vulnerability affects the function urldecode. Such manipulation leads to out-of-bounds read. This vulnerability is documented as CVE-2026-7258. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is recommended.

类属性污染实现全局权限提升、__globals__ 劫持覆盖 Flask SECRET_KEY 实现会话伪造、以及全局变量篡改实现 RCE。

面向大模型隐私推理的安全协议-MPC与ZK的角色分工