Aggregator

Если вы не обновляли Windows с ноября, у нас для вас плохие новости.

A vulnerability classified as problematic was found in WSO2 API Manager. This vulnerability affects unknown code of the component Authentication Endpoint. Executing a manipulation can lead to cross site scripting. This vulnerability is registered as CVE-2024-10242. It is possible to launch the attack remotely. No exploit is available. Upgrading the affected component is advised.

A vulnerability classified as problematic has been found in WSO2 API Manager. This affects an unknown part of the component Publisher. Performing a manipulation results in xml external entity reference. This vulnerability is cataloged as CVE-2024-8010. The attack must originate from the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability described as critical has been identified in Dell Storage Manager up to 8.0. Affected by this issue is some unknown functionality. Such manipulation leads to improper privilege management. This vulnerability is listed as CVE-2026-23772. The attack must be carried out locally. There is no available exploit.

嗯，用户让我用中文总结一下这篇文章的内容，控制在一百个字以内，而且不需要用“文章内容总结”之类的开头。首先，我需要仔细阅读文章，理解它的主要观点。 这篇文章讲的是Robinhood在2019年出现的“无限资金漏洞”。用户发现这个漏洞后，并没有攻击系统或者使用恶意软件，而是利用平台在期权交易中计算购买力的逻辑错误。他们通过存入少量资金，使用保证金购买期权合约，系统错误地认为这些期权头寸降低了风险，从而增加了他们的可用购买力。结果用户可以控制价值数万美元的仓位，而实际资本只有几千美元。 Robinhood后来关闭了期权交易并修复了漏洞，但已经造成了财务和声誉上的损失。文章还讨论了现代架构中业务逻辑漏洞增加的原因，比如微服务、API和第三方集成的复杂性。传统安全测试往往无法检测到这种逻辑滥用，因为它们通常不是技术漏洞，而是业务假设被打破。 接下来，我需要将这些要点浓缩到100字以内。要涵盖事件本身、原因、影响以及现代架构中的问题。同时保持语言简洁明了。 可能的结构是：先说明事件和结果，然后提到业务逻辑漏洞的问题和修复的重要性。例如，“Robinhood平台因期权交易计算错误出现‘无限资金漏洞’，用户利用该漏洞控制大量仓位。事件凸显现代架构中业务逻辑漏洞风险及修复必要性。” 这样既涵盖了事件本身的结果，又点出了问题所在和修复的重要性。 Robinhood平台因期权交易计算错误出现“无限资金漏洞”，用户利用该漏洞控制大量仓位。事件凸显现代架构中业务逻辑漏洞风险及修复必要性。

Google is intensifying its campaign against predatory web practices by instituting stringent prohibitions on one of the internet’s

The post Navigation Traps: Google’s New June 2026 Penalty Targets Back Button Hijacking appeared first on Penetration Testing Tools.

The April iteration of “Patch Tuesday” has arrived with such consequence that to overlook it would be an

The post Digital Emergency: Massive April Patch Tuesday Fixes Active Exploits and “Wormable” Flaws appeared first on Penetration Testing Tools.

A vulnerability was found in Livemesh Livemesh Addons by Elementor Plugin up to 9.0 on WordPress. It has been classified as critical. Impacted is the function lae_get_template_part of the component Template Name Handler. This manipulation causes improper control of filename for include/require statement in php program ('php remote file inclusion'). This vulnerability is handled as CVE-2026-1620. The attack can be initiated remotely. There is not any exploit available.

A vulnerability identified as critical has been detected in wpxpo PostX Plugin up to 5.0.5 on WordPress. This impacts the function ultp_shareCount_callback. The manipulation leads to missing authorization. This vulnerability is referenced as CVE-2026-0718. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability marked as problematic has been reported in ivole Customer Reviews for WooCommerce Plugin up to 5.101.0 on WordPress. This affects an unknown function. The manipulation leads to cross site scripting. This vulnerability is listed as CVE-2026-3355. The attack may be initiated remotely. There is no available exploit.

A vulnerability classified as problematic has been found in specialk Prismatic Plugin up to 3.7.3 on WordPress. Affected is the function prismatic_decode of the component Shortcode Handler. This manipulation causes cross site scripting. This vulnerability is registered as CVE-2026-3876. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability was found in wpdevteam BetterDocs Plugin up to 4.3.8 on WordPress. It has been declared as problematic. The affected element is the function betterdocs_feedback_form of the component Shortcode Handler. Such manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2026-3875. The attack can be launched remotely. No exploit exists.

A vulnerability classified as critical was found in Samba rsync up to 3.4.1. Affected by this vulnerability is the function receive_xattr of the component Qsort Call Handler. Such manipulation of the argument length leads to improper handling of length parameter inconsistency. This vulnerability is documented as CVE-2026-41035. The attack can be executed remotely. There is not any exploit available.

A vulnerability marked as problematic has been reported in WSO2 API Manager, Identity Server, Open Banking AM, Open Banking IAM and Identity Server as Key Manager. Affected by this vulnerability is an unknown functionality of the component XML Parser. This manipulation causes xml external entity reference. This vulnerability is tracked as CVE-2024-2374. The attack is possible to be carried out remotely. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability was found in faridsaniee OPEN-BRAIN Plugin up to 0.5.0 on WordPress. It has been rated as problematic. The impacted element is the function sanitize_text_field of the component Setting Handler. Performing a manipulation of the argument API key results in cross site scripting. This vulnerability was named CVE-2026-3995. The attack may be initiated remotely. There is no available exploit.

A "novel" social engineering campaign has been observed abusing Obsidian, a cross-platform note-taking application, as an initial access vector to distribute a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks targeting individuals in the financial and cryptocurrency sectors. Dubbed REF6598 by Elastic Security Labs, the activity has been found to leverage

The OpenSSL Project has inaugurated a seminal update that profoundly reshapes both its internal architecture and its repertoire

The post Beyond the Legacy: OpenSSL 4.0.0 Arrives with Encrypted Client Hello and Post-Quantum Prep appeared first on Penetration Testing Tools.

Proofpoint researchers executed a malicious payload from a threat actor known to target trucking and logistics companies in late February 2026, doing so inside a decoy environment. The environment stayed compromised for more than 30 days, long enough for researchers to watch the actor work through their tools, scripts, and decisions beyond the initial break-in. The attacker had previously been documented targeting transportation carriers through compromised load board platforms, which are online marketplaces connecting shippers … More →

The post Cargo theft malware actor spent a month inside a decoy network before researchers pulled the plug appeared first on Help Net Security.

A Japanese maritime transport conglomerate has encountered a significant data breach following the compromise of its internal fuel

The post Sunk by a Script: How a Fuel System Breach Exposed the Global NYK Line Network appeared first on Penetration Testing Tools.

The commercial spyware Predator has proven far more ingenious than previously surmised. Rather than merely infiltrating the iPhone’s

The post The Kernel Ghost: How Predator Spyware Hijacks iPhone NEON Registers to Vanish into iOS appeared first on Penetration Testing Tools.