Aggregator

A vulnerability classified as problematic has been found in SPIP up to 4.4.14. Impacted is an unknown function of the file action/cookie.php of the component ecrire. Performing a manipulation results in open redirect. This vulnerability is cataloged as CVE-2026-48832. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability described as critical has been identified in WineHQ Wine up to 11.0. This issue affects some unknown processing of the component MIME Handler. Such manipulation leads to incorrect resource transfer. This vulnerability is listed as CVE-2026-48831. The attack must be carried out locally. There is no available exploit. There is ongoing doubt regarding the real existence of this vulnerability.

A vulnerability marked as problematic has been reported in huggingface transformers up to 5.2.x. This vulnerability affects the function AutoModelForCausalLM.from_pretrained of the file config.json. This manipulation of the argument _attn_implementation_internal causes missing serialization control element. This vulnerability is tracked as CVE-2026-4372. The attack is restricted to local execution. No exploit exists. It is suggested to upgrade the affected component.

2026年5月22日，美国国家情报总监图尔西·加巴德在社交媒体发布了一封辞职信。

开发了 14 年但发布日期未知的《星际公民(Star Citizen)》的筹款突破了十亿美元达到 1,003,408,183 美元。《星际公民》由《银河飞将》创始人 Chris Roberts 领导开发，试图复兴太空模拟飞行游戏，允许玩家在广袤的宇宙空间内探险，交易和战斗。它于 2012 年在 Kickstarter 上成功众筹，原计划的交付时间是 2014 年。但在 Kickstarter 众筹结束后，开发团队继续在官方网站上进行募资，许多募资其实就是销售游戏内的虚拟物品如各种型号的飞船。2018 年它筹集到 2 亿美元，五年之后突破 6 亿美元，2024 年 5 月突破了 7 亿美元，2 年之后突破了 10 亿美元。《星际公民》堪称史上开发预算最高的 3A 游戏。

荷兰金融犯罪调查局（FIOD）逮捕了两名男子，并扣押了与一家网络托管公司相关的800台服务器，该公司为网络攻击、干涉行动和虚假信息宣传活动提供支持。 FIOD逮捕了一名57岁嫌疑人（公司董事）和一名39岁嫌疑人——他是另一家提供互联网连接服务公司的负责人。 据当局称，嫌疑人间接向受到欧盟（EU）制裁的俄罗斯和白俄罗斯实体提供经济资源。 调查聚焦于 Stark In...

Пока вы описываете симптомы, доктор уже печатает чат-боту “срочно выручай!”.

GitHub 为 npm 推出了新的安全控制措施，以提升软件供应链的安全性，使维护者能够在软件包公开发布可供安装之前，明确批准某个版本。该功能称为 staged publishing（分阶段发布），现已正式在 npm 上可用。它要求人工维护者通过 2FA（双因素认证）挑战来批准一个软件包，然后才能将其推送至 npmjs[.]com。GitHub 表示：“与直接发布（...

国剧之光《主角》目前正在热播，这是第一部我们看到了传承的电视剧。电视剧《主角》中的传承，技艺传承、文化传承、文明传承！

很多人现在已经默认：本地Agent + 中转站也是属于日常玩法了。发现这里其实有个被很多人忽略的风险：AI Agent 已经不是“聊天机器人--编码助手”了。

Drupal 警告用户，针对本周修复的高危漏洞 CVE-2026-9082，已经出现了利用尝试。该漏洞影响一个旨在确保数据库查询经过清理以防止 SQL 注入 的 API。Drupal 解释道：“该 API 中的漏洞允许攻击者发送特制请求，导致使用 PostgreSQL 数据库的网站遭受任意 SQL 注入。”未经身份验证的攻击...

威胁行为者正在利用共享内容分发网络（CDN）基础设施中的漏洞，以隐藏与恶意域名的连接。 该漏洞被称为 Underminr，是域名前置（domain fronting）攻击的一种变体。域名前置是一种现已得到缓解的攻击类型，攻击者曾通过在 HTTPS 请求的 SNI 和 TLS 证书验证字段中放置允许的域名，同时在 TLS 隧道的加密 HTTP Host 头中嵌入不同的目标域名来实施攻击。 ...

A fully autonomous bug-bounty framework called Pentest Agent Suite has been open-sourced, delivering 50 specialized security agents, 26 slash commands, 19 CLI tools, and a cross-IDE installer across seven major AI coding platforms — Claude Code, OpenAI Codex, Google Gemini, Cursor, Windsurf, VS Code Copilot, and OpenClaw. The project, published on GitHub by researcher H-mmer, […]

The post Pentest Agent Suite – Bug Bounty Framework for Claude Code and 6 AI Coding Tools appeared first on Cyber Security News.

The Wireshark Foundation has released Wireshark 4.6.6, addressing a critical security vulnerability in the ROHC (Robust Header Compression) protocol dissector that could allow an attacker to crash the application by injecting a specially crafted, malformed packet. The update also resolves over a dozen stability and compatibility bugs affecting Windows users. The primary security fix targets […]

The post Wireshark 4.6.6 Released With Fix for Dissector Crash via Malformed Packet Injection appeared first on Cyber Security News.

针对 Laravel Lang 本地化软件包的供应链攻击使开发人员暴露于复杂的凭证窃取恶意软件活动中。攻击者滥用了 GitHub 版本标签功能，通过 Composer 软件包分发恶意代码。安全公司 StepSecurity、Aikido Security 和 Socket 于周五发出警告，指出攻击者重写了 Laravel Lang 组织维护的四个存储库中的 GitHub 标签，而不是发布全新的恶意...

执行摘要随着AI的持续快速发展，问题在于围绕它构建的系统能否跟上。追踪AI影响所需的治理框架、评估方法、教育

A hacker is selling a 340M OnlyFans user database allegedly built by matching old breach data and public profiles to real OnlyFans accounts.

New TrapDoor supply chain campaign, an active attack deploying 34 malicious packages and over 384 related versions across npm, PyPI, and Crates.io to steal developer credentials and cryptocurrency wallets. The operation explicitly targets developers in the crypto, DeFi, Solana, and AI communities by disguising malware as generic developer tools and security scanners. The campaign’s earliest […]

The post Hackers Compromised 34 Packages in npm, PyPI, and Crates in New Supply Chain Attack appeared first on Cyber Security News.