CVE-2026-49316 Indian Scout Bobber 2025 WCM CAN bus-off attack silently bypasses anti-theft shutdown
Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown by forcing the Wireless Control Module (WCM) into the CAN bus-off state. Using a well-known CAN...
CVE-2026-10072 Interinfo|DreamMaker - Arbitrary File Upload
DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server...
Signal users targeted in backup-stealing phishing attacks
A new phishing campaign is targeting Signal users by attempting to steal their backup recovery keys to access encrypted message archives. The attack is initiated by a text message pretending to come from Signal Support. “Action Required: Data Recovery Needed Your Signal account data message and...
CVE-2026-9493
CVE-2026-9493 concerns BankPro E-Service Technology’s Service Center, which contains an Insecure Direct Object Reference vulnerability. Authenticated remote attackers can alter a parameter in a specific query function to access other users’ EC order details. The issue exposes sensitive confidenti...
MGASA-2026-0160 Updated perl-Catalyst-Plugin-Authentication package fixes a security vulnerability
The updated package fixes a security vulnerability: Catalyst::Plugin::Authentication versions through 0.10024 for Perl are susceptible to timing attacks. CVE-2026-5091...
Typosquatted npm packages used to steal cloud and CI/CD secrets
In this article 1. Attack chain overview 1. The lure: typosquats and spoofed metadata 2. Execution: npm lifecycle hook abuse 3. Gen-1 stager: HTTP C2 beacon and payload drop 4. Gen-2 stager: abusing the legitimate Bun runtime as a loader 5. Credential theft 6. Impact and blast radius 2. Mitigatio...
SUSE CVE-2026-3592
BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0...
EUVD-2026-33132
Use after free in WebAppInstalls in Google Chrome on Mac prior to 148.0.7778.216 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...
PT-2026-44888
Name of the Vulnerable Software and Affected Versions Shibby Tomato version 1.28 Description A remote attack can be launched against an unknown function within the usr/sbin/miniupnpd file, leading to resource consumption. This issue affects products that are no longer supported by the maintainer,...
Malicious code in @t-in-one/add_application_tid (npm)
Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...
Joern 4.0.551
Joern is the bug hunter's workbench. With this tool, you can uncover attack surface, sloppy coding practices, and variants of known vulnerabilities using an interactive code analysis shell. Joern supports C, C++, LLVM bitcode, x86 binaries via Ghidra, JVM bytecode via Soot, and Javascript...
ROS-20260529-73-0011
The vulnerability in the vault is related to insufficient validation of incoming requests. Exploiting this vulnerability allows a malicious actor to execute a SSRF attack remotely...
Linux Distros Unpatched Vulnerability : CVE-2026-10002
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file...
Malicious code in @t-in-one/add_application_service_token (npm)
Wave 2 of a dependency confusion attack campaign C2: oob.moika.tech targeting internal npm scopes. The attacker npm user t-in-one, email [email protected] published packages at inflated versions that resolve ahead of private registry versions via npm's default version resolution. The campaign...
BadBone: Backdoor Attacks against Backbone Models in Visual Prompt Learning
Prompt learning is a new machine learning paradigm that has attracted ample attention due to its simplicity and proven efficacy. Despite its growing adoption, the security vulnerabilities associated with this paradigm remain underexplored. In this work, we take the first step to propose BadBone, ...
PT-2026-45006
NB: All tags and branches in this repository are past their end of life, so the vulnerability will not be fixed. The advisory is posted on the request of the researcher, for the information of anyone who might still use this software. Impact There is a security vulnerability in eZ Publish Legacy,...
Shibby Tomato security vulnerability
Shibby Tomato is a third-party router firmware developed by Shibby’s individual developers. Version 1.28 of Shibby Tomato contains a security vulnerability. This vulnerability stems from unknown functions in the usr/sbin/miniupnpd file, which may lead to resource consumption and potentially allow...
mall authorization issue vulnerability
Mall is a set of e-commerce systems developed by Macro Personal Developers, including a front-end shopping mall system and a back-end management system. Versions of Mall 1.0.3 and earlier had authorization-related vulnerabilities. These vulnerabilities stemmed from improper authorization in the...
PT-2026-47560
Impact Applications that call OptionalConverters.WithExpandoObjectConverter and deserialize untrusted data are open to a vulnerability by which an attacker can exploit an O(n²) algorithm to burn an inordinate amount of CPU effort by adding a great many properties to an ExpandoObject, whose Add metho...