8254 matches found

CNNVD
added 2026/02/04 12:0 a.m., 3 views

iccDEV buffer error vulnerability

iccDEV is an open-source color configuration code library developed by the International Color Consortium. Versions of iccDEV prior to 2.3.1.3 contained a buffer error vulnerability. This vulnerability stemmed from a heap buffer overflow in the CIccFileIO::Read8 function, which could lead to memo...

7.8 CVSS, 6.1 AI score, 0.00007 EPSS
Exploits: 1, References: 4

Microsoft Secure
added 2026/02/03 5:0 p.m., 5 views

Microsoft SDL: Evolving security practices for an AI-powered world

As AI reshapes the world, organizations encounter unprecedented risks, and security leaders take on new responsibilities. Microsoft’s Secure Development Lifecycle SDL is expanding to address AI-specific security concerns in addition to the traditional software security areas that it has...

5.9 AI score
Exploits: 0

Microsoft Secure
added 2026/02/03 5:0 p.m., 2 views

Microsoft SDL: Evolving security practices for an AI-powered world

As AI reshapes the world, organizations encounter unprecedented risks, and security leaders take on new responsibilities. Microsoft’s Secure Development Lifecycle SDL is expanding to address AI-specific security concerns in addition to the traditional software security areas that it has...

6.1 AI score
Exploits: 0

GithubExploit
added 2026/02/03 10:22 a.m., 151 views

security-review-skill

Security Review Skill for Claude Code A comprehensive securit...

5.7 AI score
Exploits: 0

GithubExploit
added 2026/02/03 3:25 a.m., 162 views

Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Apple Airplay_Audio_Software_Development_Kit

LiberationPlay-CVE-2025-24...

6.5 CVSS, 8.7 AI score, 0.00047 EPSS
Exploits: 4

Tenable Nessus
added 2026/02/03 12:0 a.m., 5 views

MiracleLinux 9 : java-1.8.0-openjdk-1.8.0.482.b08-1.el9.ML.1 (AXSA:2026-130:04)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-130:04 advisory. JDK: Improve JMX connections CVE-2026-21925 JDK: Improve HttpServer Request handling CVE-2026-21933 JDK: Enhance Certificate Checking CVE-2026-21945...

7.5 CVSS, 5.8 AI score, 0.00089 EPSS
Exploits: 5, References: 6

ATTACKERKB
added 2026/02/02 8:10 p.m., 4 views

CVE-2026-1777

The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output...

8.5 CVSS, 5.6 AI score, 0.00022 EPSS
Exploits: 0, References: 2

Veracode
added 2026/02/02 9:25 a.m., 8 views

Improper Access Control

Kottster is vulnerable to Improper Access Control. The vulnerability is due to insecure handling of development-mode functionality, which allows an unauthenticated attacker to execute arbitrary code on the server when the application is running in development mode...

9.2 CVSS, 6.1 AI score, 0.00906 EPSS
Exploits: 0, References: 2, Affected Software: 3

Positive Technologies
added 2026/02/02 12:0 a.m., 3 views

PT-2026-5709

Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed...

8.2 CVSS, 5.4 AI score, 0.0001 EPSS
Exploits: 0, References: 2

GithubExploit
added 2026/01/31 11:29 a.m., 127 views

Exploit_Development

Ex...

5.9 AI score
Exploits: 0

RedhatCVE
added 2026/01/31 3:19 a.m., 5 views

CVE-2026-25046

Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...

2.9 CVSS, 6.1 AI score, 0.00013 EPSS
Exploits: 0, References: 1

Packet Storm News
added 2026/01/30 12:0 a.m., 2 views

AEGIS: White-Box Attack Path Generation Using LLMs and Training Effectiveness Evaluation for Large-Scale Cyber Defence Exercises

Creating attack paths for cyber defence exercises requires substantial expert effort. Existing automation requires vulnerability graphs or exploit sets curated in advance, limiting where it can be applied. We present AEGIS, a system that generates attack paths using LLMs, white-box access, and...

5.5 AI score
Exploits: 0

NVD
added 2026/01/29 10:15 p.m., 5 views

CVE-2026-25046

Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...

2.9 CVSS, 0.00013 EPSS
Exploits: 0, References: 1

ATTACKERKB
added 2026/01/29 9:37 p.m., 1 views

CVE-2026-25046

Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...

2.9 CVSS, 6.1 AI score, 0.00013 EPSS
Exploits: 0, References: 2, Affected Software: 1

OSV
added 2026/01/29 9:37 p.m., 1 views

CVE-2026-25046 [Kimi VS Code] Command Injection in publish scripts vsix-publish.js and ovsx-publish.js

Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...

2.9 CVSS, 6.1 AI score, 0.00013 EPSS
Exploits: 0, References: 3

Cvelist
added 2026/01/29 9:37 p.m., 17 views

CVE-2026-25046 [Kimi VS Code] Command Injection in publish scripts vsix-publish.js and ovsx-publish.js

Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...

2.9 CVSS, 0.00013 EPSS
Exploits: 0, References: 1

CNNVD
added 2026/01/29 12:0 a.m., 1 views

Kimi Agent SDK command injection vulnerability

Kimi Agent SDK is a multilingual library developed by Moonshot AI that allows for the integration of Kimi Code agents into applications. Versions of Kimi Agent SDK prior to 0.1.6 contained a command injection vulnerability. This vulnerability stemmed from the development script passing file names...

2.9 CVSS, 5.8 AI score, 0.00013 EPSS
Exploits: 0, References: 2

Positive Technologies
added 2026/01/28 12:0 a.m., 2 views

PT-2026-5233

Name of the Vulnerable Software and Affected Versions soroban-sdk versions 22.0.9 through 25.0.1 soroban-sdk version 23.5.1 soroban-sdk version 25.0.2 Description The soroban-sdk contains an arithmetic overflow issue in the Bytes::slice, Vec::slice, and Prng::gen range for u64 methods. When...

5.3 CVSS, 5.9 AI score, 0.00022 EPSS
Exploits: 0, References: 16

Packet Storm News
added 2026/01/27 12:0 a.m., 2 views

Faraday 5.19.0

Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use...

5.9 AI score
Exploits: 0

Wiz blog
added 2026/01/26 5:25 p.m., 3 views

Introducing SITF: The First Threat Framework Dedicated to SDLC Infrastructure

Moving beyond simple checklists to visualize, map, and block attacks on production SDLC infrastructure...

5.9 AI score
Exploits: 0