Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack via improper validation of symbolic links in the virt-handler process. An attacker can gain unauthorized access to privileged Unix sockets on the host by replacing a virtual machine console socket with a symlink to a...

CVE-2026-8479

CVE-2026-8479 affects IEC 60870-5-104 in bidirectional mode (BCI). The vulnerability is a NULL pointer dereference triggered by a specially crafted message sequence over time, leading to a Denial of Service. Affected product behavior occurs only if IEC 60870-5-104 bidirectional functionality is c...

CVE-2026-9540

A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used...

MFA Prompt Bombing: Why Your Second Factor Isn't Saving You

Multi-factor authentication MFA was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn't log in without the second factor. While that logic was sound, attackers have now figured out that they don't need to steal...

Identity Exposure Management: Risks and Response

Start with the path that carries risk. Security teams need a clear view of access risk. Stolen tokens and excessive privileges turn legitimate access into an attack route. Identity risk becomes urgent when one exposed account opens a path across critical systems. Identity exposure management is t...

CrowdStrike vs Hive Pro: VM Compared

CrowdStrike vs Hive Pro for Vulnerability Management CrowdStrike vs Hive Pro is not a simple feature checklist. It is a decision about how your security team wants to manage exposure: through an endpoint-centered platform that extends into vulnerability assessment, or through a vendor-neutral...

mysql: Optimizer unspecified vulnerability (CPU Apr 2026)

Oracle CPU describes the issue as following: Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Optimizer. Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network...

CERT-In Recommends 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks

The Indian Computer Emergency Response Team CERT-In has issued new guidelines requiring organizations to patch critical security vulnerabilities in internet-exposed systems within 12 hours of being flagged where "feasible" to safeguard against potential threats stemming from threat actors' abuse ...

Malicious code in @godscene/web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e1bd83a63f0426cc7c4e1a68886c36ff47de093d9b7edc6b410d16c928be50c1 Package @godscene/[email protected] is a re-bundled copy of the legitimate @midscene/web at the same version, preserving the original description, README,...

erb: ERB: Arbitrary code execution via deserialization bypass

A flaw was found in ERB, a templating system for Ruby. An attacker who can trigger deserialization of untrusted data in a Ruby application can bypass existing protections. This vulnerability allows for arbitrary code execution by exploiting specific public methods that evaluate template source...

MAL-2026-4781 Malicious code in unique-id-64 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ab3b19e4bd1602de93ca092a5909f8b69927c01d5a690d3484116024dfc46e2 Package impersonates the well-known sindresorhus/unique-string utility: package.json copies the author block name 'Sindre Sorhus', email...

Exploit for CVE-2026-2942

CVE-2026-2942 ProSolution WP Client — Unauthenticated File U...

erb: ERB: Arbitrary code execution via deserialization bypass

A flaw was found in ERB, a templating system for Ruby. An attacker who can trigger deserialization of untrusted data in a Ruby application can bypass existing protections. This vulnerability allows for arbitrary code execution by exploiting specific public methods that evaluate template source...

xorg: xwayland: X.Org X server: Use-after-free vulnerability leads to server crash and potential memory corruption

A flaw was found in the X.Org X server. This use-after-free vulnerability occurs in the XSYNC fence triggering logic, specifically within the miSyncTriggerFence function. An attacker with access to the X11 server can exploit this without user interaction, leading to a server crash and potentially...

CVE-2026-9496

Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service DoS via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing...

CVE-2026-9529 GNU LibreDWG Dwggrep Utility dwggrep.c match_BLOCK_HEADER null pointer dereference

A security flaw has been discovered in GNU LibreDWG up to 0.14. The affected element is the function matchBLOCKHEADER of the file dwggrep.c of the component Dwggrep Utility. Performing a manipulation results in null pointer dereference. The attack requires a local approach. The exploit has been...

qt: Qt SVG: Arbitrary QML/JavaScript code injection via malicious SVG file

A flaw was found in the Qt SVG module and the VectorImage component in Qt Quick. This vulnerability allows a remote attacker to inject arbitrary QML/JavaScript code by tricking a user into loading a specially crafted malicious SVG file. Successful exploitation could lead to denial of service,...

CVE-2026-9525

A vulnerability has been found in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /admin/editjudge.php. The manipulation of the argument judgeid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may ...

CVE-2026-42497

Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. makespecialfile passes the tar header's linkname to link without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode...

CVE-2026-9521 fraillt bitsery std_smart_ptr.h loadFromSharedState improper validation of specified type of input

A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/stdsmartptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the attack remotely. The...