Aggregator

文章描述了AI代码编辑器Cursor中的一个数据外泄漏洞：通过Mermaid图表渲染功能，攻击者可窃取用户记忆或API密钥。作者展示了两个演示案例，并最终修复了该问题（CVE-2025-54132）。

Cursor is a popular AI code editor. In this post I want to share how I found an interesting data exfiltration issue, the demo exploits built and how it got fixed.

When using Cursor I noticed that it can render Mermaid diagrams.

Cursor Renders Mermaid Diagrams

If you are not familiar with Mermaid, it has a simple syntax:

graph TD User --> Computer

This will create a diagram as follows:

NIS 2指令通过整合网络安全与数据保护要求，推动企业从分散合规转向整体治理策略。结合GDPR、AI Act和Cyber Resilience Act等法规，企业需优化资源管理、提升风险评估能力，并构建统一框架以应对多法规挑战。

Threat hunters saw North Korean operatives almost daily, reflecting a 220% year-over-year increase in activity, CrowdStrike said in a new report.

The post CrowdStrike investigated 320 North Korean IT worker cases in the past year appeared first on CyberScoop.

当前环境异常，需完成验证后方可继续访问。

为减少噪音,社区关闭自我发帖,改为每周统一问题线程,并建议特定工具或目标相关问题转至StackExchange或r/AskReverseEngineering.

文章探讨了专业美术背景者在幼儿美育启蒙中的挑战与反思。指出专业美术注重技法与结果，而启蒙更关注孩子的想象力、表达与情感体验。强调父母应支持孩子自由创作，避免用成人标准干预其创作过程，并通过引导帮助孩子发现与表达对世界的认知与感受。

A vulnerability classified as critical was found in cloudfavorites favorites-web up to 1.3.0. Affected by this vulnerability is the function getCollectLogoUrl of the file app/src/main/java/com/favorites/web/CollectController.java. The manipulation of the argument url leads to server-side request forgery. This vulnerability is known as CVE-2025-8529. The attack can be launched remotely. Furthermore, there is an exploit available.

A vulnerability classified as problematic has been found in Exrick xboot up to 3.3.4. Affected is an unknown function of the file /xboot/permission/getMenuList. The manipulation leads to cleartext storage of sensitive information in a cookie. This vulnerability is traded as CVE-2025-8528. It is possible to launch the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in Exrick xboot up to 3.3.4. It has been rated as critical. This issue affects some unknown processing of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java of the component Swagger. The manipulation of the argument loginUrl leads to server-side request forgery. The identification of this vulnerability is CVE-2025-8527. The attack may be initiated remotely. Furthermore, there is an exploit available.

A vulnerability was found in Exrick xboot up to 3.3.4. It has been declared as critical. This vulnerability affects the function Upload of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. This vulnerability was named CVE-2025-8526. The attack can be initiated remotely. Furthermore, there is an exploit available.

A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2025-8525. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

Submit #622176 / VDB-318655

2024 年第 28 届国际 Ｃ 语言混乱代码大赛（IOCCC, The International Obfuscated C Code Contest）公布了获奖作品，其中包括 OpenRISC 32 位 CPU 模拟器、能运行 Doom 的虚拟机，号称世界最小的大模型推理引擎（基于 70 亿参数的 Meta 开源模型 LLaMA 2），等等。IOCCC 是一项国际程序设计赛事，旨在写出最有创意和最让人难以理解的 C 语言代码。从 1984 年开始，该赛事基本每年举办一次，但有过多次中断，IOCCC28 是为了纪念比赛创办 40 周年。

Submit #622175 / VDB-318654

Submit #622174 / VDB-318653

Submit #622173 / VDB-318652

Submit #622172 / VDB-318651

Вы верите в один текст. Но на каждое слово — по 4 версии.