Aggregator

вазичастицы экситон-поляритоны помогли выполнить оптическое переключение почти без потерь энергии.

2026 柏林 p2o 三天赛程结束，结果刚刚在 OffensiveCon 闭幕会上揭晓。DEVCORE 拿下 Master of Pwn，STARLabs SG 紧随其后。 今年比赛戏份很足。由于 AI 加成，报名火爆程度超出主办方预料，有不少队伍没报上名。有人干脆就先交给厂商了。赛前 FireFox 紧急发布补丁干掉了一个队伍的项目。Palo Alto Networks 有一个难度相当高的 Safari RCE，赛前在 M4 硬件上调试，临期才告知最终环境是 M5。不巧遇上法定假日商店都不开门，没有买到和比赛环境匹配的设备，最终只差了一个 bit 适配问题遗憾没有演示成功。 不少项目感觉都很有意思。个人最期待🍊神用纯逻辑漏洞链打下 Edge 浏览器的项目，坐等公开细节[666]

Без лунного него суперкомпьютеры останутся лабораторными игрушками.

A vulnerability was found in xiandafu beetl up to 3.20.2. It has been rated as critical. Affected is an unknown function of the file beetl-classic-integration/beetl-spring-classic/src/main/java/org/beetl/ext/spring/SpELFunction.java of the component SpELFunction. The manipulation leads to improper neutralization of special elements used in an expression language statement. This vulnerability is referenced as CVE-2026-8759. Remote exploitation of the attack is possible. Furthermore, an exploit is available. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability was found in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. It has been declared as critical. This impacts an unknown function of the file /common/jsp/upload3.jsp. Executing a manipulation of the argument File can lead to unrestricted upload. The identification of this vulnerability is CVE-2026-8758. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #811316 / VDB-364386

A vulnerability was found in adenhq hive up to 0.11.0. It has been classified as critical. This affects the function _read_events_tail of the file core/framework/server/routes_sessions.py of the component Delete Request Handler. Performing a manipulation results in path traversal. This vulnerability was named CVE-2026-8757. The attack may be initiated remotely. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c and classified as critical. The impacted element is the function generate_config of the file webui_preprocess.py of the component Gradio Interface. Such manipulation of the argument data_dir leads to path traversal. This vulnerability is uniquely identified as CVE-2026-8756. The attack can be launched remotely. Moreover, an exploit is present. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c and classified as critical. The affected element is the function _get_all_models of the file hiyoriUI.py of the component Model Handler. This manipulation causes path traversal. This vulnerability is handled as CVE-2026-8755. The attack can be initiated remotely. Additionally, an exploit exists. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #811283 / VDB-364385

Submit #811276 / VDB-364384

A vulnerability, which was classified as critical, was found in AstrBotDevs AstrBot up to 4.23.5. Impacted is the function post_file of the file astrbot/dashboard/routes/chat.py of the component File Upload Handler. The manipulation of the argument filename results in path traversal. This vulnerability is known as CVE-2026-8754. It is possible to launch the attack remotely. Furthermore, an exploit is available. You should upgrade the affected component.

Submit #811175 / VDB-364383

Submit #811173 / VDB-364382

Submit #811172 / VDB-364381

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Microsoft Exchange Server to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Microsoft Exchange Server, tracked as CVE-2026-42897 (CVSS score of 8.1), to its Known Exploited Vulnerabilities (KEV) catalog. This week, Microsoft warned that threat actors are […]

87% пользователей просят у ИИ личных советов. Куда это может нас привести?

暨南大学、华中科技大学和清华大学的研究人员在《One Earth》期刊上发表论文，调查了烂尾楼（或称之为未完工建筑项目）的情况。过去几十年烂尾楼数量激增，研究人员收集了 142 个城市的 1,779 个烂尾楼地理数据。结果发现，烂尾楼浪费了 485±42 百万吨建筑材料，使房地产业碳排放强度提高了 9.6%，产生的 PM2.5 细颗粒物造成了 260 万生命年的健康损失，导致购房者、开发商和承包商承担了 3470±320 亿美元的经济损失。研究人员指出烂尾楼经济损失集中在新开发郊区，加剧了社会不平等。2019-2023 年间，全国范围内的烂尾楼占用了逾 164（±8）平方公里的城市开发用地，建筑面积达 415（±56）平方公里。

Russia-linked APT group Turla turned its Kazuar malware into a stealthy P2P botnet for long-term access to compromised systems. Russia-linked APT group Turla upgraded its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and persistent access to infected systems. Microsoft researchers say the malware allows attackers to maintain long-term control while making detection […]