PT-2026-7464

Name of the Vulnerable Software and Affected Versions AMD Secure Processor ASP Boot Loader affected versions not specified Description A flaw exists in the AMD Secure Processor ASP Boot Loader where insufficient parameter sanitization could allow an attacker with access to SPIROM upgrade to...

A single post-release of dydx-v4-client contained obfuscated multi-stage loader

A PyPI user account compromised by an attacker and was able to upload a malicious version 1.1.5.post1 of the dydx-v4-client package. This version contains a highly obfuscated multi-stage loader that ultimately executes malicious code on the host system. While the final payload is not visible...

GHSA-4F84-67CV-QRV3 A single post-release of dydx-v4-client contained obfuscated multi-stage loader

A PyPI user account compromised by an attacker and was able to upload a malicious version 1.1.5.post1 of the dydx-v4-client package. This version contains a highly obfuscated multi-stage loader that ultimately executes malicious code on the host system. While the final payload is not visible...

PYSEC-2026-1 A single post-release of dydx-v4-client contained obfuscated multi-stage loader

A PyPI user account compromised by an attacker and was able to upload a malicious version 1.1.5.post1 of the dydx-v4-client package. This version contains a highly obfuscated multi-stage loader that ultimately executes malicious code on the host system. While the final payload is not visible...

Asian State-Backed Group TGR-STA-1030 Breaches 70 Government, Infrastructure Entities

A previously undocumented cyber espionage group operating from Asia broke into the networks of at least 70 government and critical infrastructure organizations across 37 countries over the past year, according to new findings from Palo Alto Networks Unit 42. In addition, the hacking crew has been...

CLSA-2026-1770311244 gimp: Fix of 2 CVEs

CVE-2025-14425: fix JP2 image loader buffer overflow by validating pixel buffer size calculation to prevent potential remote code execution - CVE-2025-14422: fix parsing of PNM files to prevent integer overflow leading to remote code execution...

CVE-2026-1756

The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPFOFTLoaderMimes::fileandext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and abov...

WordPress WP FOFT Loader plugin <= 2.1.39 - Authenticated (Author+) Arbitrary File Upload vulnerability

Authenticated Author+ Arbitrary File Upload vulnerability discovered by Williwollo CybrX in WordPress Plugin WP FOFT Loader versions = 2.1.39...

CVE-2026-1756

The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPFOFTLoaderMimes::fileandext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and abov...

EUVD-2026-5387

The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPFOFTLoaderMimes::fileandext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and abov...

CVE-2026-1756

The CVE-2026-1756 entry concerns the WordPress WP FOFT Loader plugin. Affected versions up to and including 2.1.39 allow arbitrary file uploads due to incorrect validation in WP_FOFT_Loader_Mimes::file_and_ext, enabling authenticated users with Author-level access or higher to upload arbitrary fi...

CVE-2026-1756 WP FOFT Loader <= 2.1.39 - Authenticated (Author+) Arbitrary File Upload

The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPFOFTLoaderMimes::fileandext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and abov...

PT-2026-6057

Name of the Vulnerable Software and Affected Versions WP FOFT Loader plugin for WordPress versions through 2.1.39 Description The WP FOFT Loader plugin for WordPress is susceptible to arbitrary file uploads because of inadequate file type validation within the WP FOFT Loader Mimes::file and ext...

WordPress plugin WP FOFT Loader 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

GHSA-8X2R-V9X5-3QGH Duplicate Advisory: Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f83h-ghpp-7wcc. This link is maintained to preserve external references. Original Description pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The...

Duplicate Advisory: Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f83h-ghpp-7wcc. This link is maintained to preserve external references. Original Description pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The...

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit

Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central...

Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm

Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developer's resources to push malicious updates to downstream users. "On January 30, 2026, four established Open VSX extensions...

Huawei EulerOS: Security Advisory for edk2 (EulerOS-SA-2026-1161)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

PT-2026-5649

A Local File Inclusion LFI vulnerability exists in the '/reinstall extension' endpoint of the parisneo/lollms-webui application, specifically within the name parameter of the @router.post"/reinstall extension" route. This vulnerability allows attackers to inject a malicious name parameter, leadin...