Aggregator

A vulnerability described as critical has been identified in Totolink X6000R 9.4.0cu.652_B20230116. Impacted is the function sub_422BD4. Executing a manipulation can lead to command injection. This vulnerability is handled as CVE-2023-46424. The attack can be executed remotely. There is not any exploit available.

A vulnerability labeled as critical has been found in Totolink X6000R 9.4.0cu.652_B20230116. This vulnerability affects the function sub_411994. Such manipulation leads to command injection. This vulnerability is traded as CVE-2023-46422. The attack may be launched remotely. There is no exploit available.

* 距离上次发文已经过去整整两年了，JavaScript Obfuscator版本都升级到了v5.3.0，让我们来看看它都进行了哪些优化调整和功能升级。JavaScript Obfuscator ToolJavaScript Obfuscator官网目前主推的是付费版 VM Obfuscation（虚拟机字节码混淆） 。不过，我们还是先聚焦于它免费开源部分的混淆工具来分析。首先，快速过一遍v5.3

A vulnerability classified as critical was found in Open5GS up to 2.7.6. This issue affects the function sgwc_s5c_handle_create_session_response of the component SGW-C. Executing a manipulation can lead to memory corruption. This vulnerability appears as CVE-2026-2521. The attack may be performed from remote. In addition, an exploit is available. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability, which was classified as problematic, has been found in Open5GS up to 2.7.6. Impacted is an unknown function of the file /src/mme/esm-build.c of the component MME. The manipulation leads to memory corruption. This vulnerability is traded as CVE-2026-2522. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The project was informed of the problem early through an issue report but has not responded yet.

结合AI从代码层面分析SolarWinds Web Help Desk 未授权远程代码执行漏洞

本篇文章继续来分析一下AI方面的漏洞，具体是ComfyUI-Manager的CVE-2026-22777漏洞。

Threat actors are now abusing DNS queries as part of ClickFix social engineering attacks to deliver malware, making this the first known use of DNS as a channel in these campaigns. [...]

在渗透测试过程中，代理配置与 IP 管理是新手阶段经常遇到却又容易混淆的问题。本文从实际使用场景出发，介绍了代理池的基本搭建方法，并对上游代理与下游代理的概念进行了通俗说明，随后结合 BurpSuite 与 Yakit，详细演示了上下游代理的配置过程，帮助读者理清代理链中流量的走向。本文适合刚接触代理配置的安全学习者参考，旨在帮助新手快速理解并完成基础代理链的搭建与使用。

对DeepAudit的架构以及实现进行了分析

从0到1分析了该漏洞的核心原理，并纠正部分误区

第四届阿里CTF官方writeup

本文介绍了Python中利用Unicode“斜体字符”（如数学字母符号）绕过安全检测的原理：这些字符虽视觉相似但编码不同，而Python在解析标识符时会隐式进行NFKC/NFKD规范化，将其等效为普通ASCII字符。若WAF未做相同处理，攻击者可用变体字符构造恶意代码（如prinᵗ(1)）实现绕过。该方法适用于函数名、变量名和字符串内容，但不适用于关键字，且在不同环境（如Web框架、JSON解析）

瀑布内容管理系统 是一款基于Java技术栈开发的企业级内容管理平台。

MHT：时间在流动！时间在流动！在跳舞！木大木大木大木大木大！

本次分析的 CVE-2025-64111是 Gogs 平台因CVE-2024-56731 补丁修复不完整引发的二次高危远程命令执行漏洞。该漏洞存在于 Gogs ≤0.13.3 版本，核心因UpdateRepoFile函数的.git 路径校验覆盖不全、isRepositoryGitPath校验函数的设计缺陷，导致攻击者可通过符号链接路径映射或直接操控原始路径的方式绕过防护，篡改仓库.git/conf

禅道最新版的一个任意文件读取，两个任意文件删除

本文介绍什么是 Agent Hook，以及如何借助 Hook 机制在 AI 编程助手中实现「规范注入 + 事前拦截 + 事后扫描 + 安全审计」的安全闭环，并对公司相关信息做了脱敏处理。

根据源码了解pwn的常见的框架的编写

对mssql&mysql一次简洁且详细的总结