Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation

Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence AI system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and...

CVE-2026-3319

CVE-2026-3319: Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-supplied input is insecurely reflected in HTML output at the /collection/ endpoint, enabling arbitrary JavaScript execution. CVSSv4.0 base score 5.1 (Medium) with network attack v...

SUSE CVE-2026-43361

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix transaction abort when snapshotting received subvolumes Currently a user can trigger a transaction abort by snapshotting a previously received snapshot a bunch of times until we reach a BTRFSUUIDKEYRECEIVEDSUBVOL item...

UBUNTU-CVE-2026-4892

A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet...

CVE-2026-6956 Reflected XSS in ATutor

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...

CVE-2026-6956 Reflected XSS in ATutor

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...

BIT-GOLANG-2026-39826 Escaper bypass leads to XSS in html/template

If a trusted template author were to write a tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the block...

CVE-2026-31254

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains a code injection vulnerability CWE-94 in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...

CVE-2026-31254

The CVE-2026-31254 entry concerns the flash-attention project commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-04-13). A code-injection flaw (CWE-94) exists in the training script where Python’s eval() is registered as a Hydra config resolver under the name eval, enabling arbitrary code exec...

PT-2026-39860

Name of the Vulnerable Software and Affected Versions DeepChat versions prior to 1.0.4-beta.1 Description A Cross-Site Scripting XSS issue exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer function...

PT-2026-39639

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains a code injection vulnerability CWE-94 in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...

📄 Car Rental Script 4.0 Cross Site Scripting

Car Rental Script version 4.0 suffers from a cross site scripting vulnerability. Titles: Car-Rental-Script4.0-XSS-Reflected Cross-site scripting reflected Author: nu11secur1ty Date: 05/08/2026 Vendor: https://www.phpjabbers.com/ Software: https://www.phpjabbers.com/car-rental-script/ Reference:...

agents 资源管理错误漏洞

Agents is an open-source intelligent agent symbol learning and training framework developed by AIWaves. There is a resource management vulnerability in aiwaves-cn agents, which stems from the recallrelevantmemoriestoworkingmemory function in the core/cat/lookingglass/straycat.py file within the...

Wikimedia Scribunto 跨站脚本漏洞

Wikimedia Scribunto is a scripting development tool provided by the Wikimedia Foundation. Versions of Wikimedia Scribunto from 1.45.0 to 1.45.2 had a cross-site scripting vulnerability. This vulnerability was caused by a memory leak, resulting in insufficient memory for the runJobs.php script...

PT-2026-39899

Name of the Vulnerable Software and Affected Versions Mantis Bug Tracker MantisBT versions 1.3.0 through 2.28.1 Description An issue exists where an unescaped Project Name allows an attacker with manager or administrator access levels to inject HTML into the Move Attachments admin page. This lead...

CVE-2026-31254

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains a code injection vulnerability CWE-94 in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...

CVE-2026-31254

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains a code injection vulnerability CWE-94 in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...

Windows Registry Privilege Escalation Scanner / Audit Tool

This PowerShell script is a defensive security auditing tool designed to inspect Windows registry areas commonly associated with privilege escalation EoP techniques and system misconfigurations...

CVE-2025-61307

A reflected cross-site scripted XSS vulnerability in the acc-menupapers.php component of GmbH Mecury Managed Print Services docuForm v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value...

OverrideFuzz: Semantic-Aware Grammar Fuzzing for Script-Runtime Vulnerabilities

Script-language runtimes such as Python, Lua, and JavaScript are widely deployed in security sensitive contexts, yet they remain difficult to test because valid inputs must satisfy syntax, dynamic type constraints, and object-level semantics. Existing grammar and reflection-based fuzzers improve...