
The Hacker News
added 2026/03/31 6:08 a.m., 17 views

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency that delivers a trojan capable of targeting Windows, macOS, and Linux systems. Versions 1.14.1 and 0.30.4 of Axios have been found to...

AI score: 6.6 | Exploits: 0
Cvelist
added 2026/03/31 5:45 a.m., 23 views

CVE-2026-5183 TRENDnet TEW-713RE addRouting sub_421494 command injection

A vulnerability was determined in TRENDnet TEW-713RE up to 1.02. The affected element is the function sub_421494 of the file /goform/addRouting. Manipulation of the argument dest can lead to command injection. It is possible to launch the attack remotely. The exploit has been publicly...

CVSS: 6.5 | EPSS: 0.05126 | Exploits: 1 | References: 4
EUVD
added 2026/03/31 3:31 a.m., 2 views

EUVD-2026-17279

A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploit has been release...

CVSS: 7.5 | AI score: 5.7 | EPSS: 0.01932 | Exploits: 1 | References: 6
Snyk
added 2026/03/31 3:15 a.m., 11 views

Embedded Malicious Code

Overview: axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a cross-platform remote access trojan (RAT); the affected content has since been removed from the official package manager. A malicious actor...

CVSS: 9.8 | AI score: 6 | Exploits: 0 | References: 2
NVD
added 2026/03/31 2:15 a.m., 29 views

CVE-2026-3300

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...

CVSS: 9.8 | EPSS: 0.04756 | Exploits: 1 | References: 3
CVE
added 2026/03/31 2:00 a.m., 11 views

CVE-2026-5177

Totolink A3300R 17.0.0cu.557_b20221024 is affected by CVE-2026-5177. The vulnerability resides in function setWiFiBasicCfg of /cgi-bin/cstecgi.cgi, where manipulating the rxRate argument can trigger a remote command injection. The exploit is publicly available. No remediation details are provided...

CVSS: 8.8 | AI score: 6.4 | EPSS: 0.02404 | Exploits: 1 | References: 5 | Affected Software: 1
CNVD
added 2026/03/31 12:00 a.m., 1 view

IBM InfoSphere Information Server Information Disclosure Vulnerability (CNVD-2026-16131)

IBM InfoSphere Information Server is IBM's data integration platform for integrating, cleansing, transforming and managing enterprise data. An information disclosure vulnerability exists in IBM InfoSphere Information Server that stems from the system returning overly detailed error messages. An...

CVSS: 4.3 | AI score: 5.9 | EPSS: 0.00284 | Exploits: 0
CNNVD
added 2026/03/31 12:00 a.m., 2 views

Discourse input validation error vulnerability

Discourse is an open source community discussion platform. The platform includes features such as community discussion, e-mail and chat rooms. Discourse suffers from an input validation error vulnerability that originates when the enter operation in StaticController reads the...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00193 | Exploits: 0 | References: 4
Packet Storm News
added 2026/03/31 12:00 a.m., 2 views

The Manipulate-And-Observe Attack on Quantum Key Distribution

Quantum key distribution is often regarded as an unconditionally secure method to exchange a secret key by harnessing fundamental aspects of quantum mechanics. Despite the robustness of key exchange, classical post-processing reveals vulnerabilities that an eavesdropper could target. In particula...

AI score: 5.8 | Exploits: 0
CNVD
added 2026/03/31 12:00 a.m., 2 views

Unspecified vulnerability in HCL Aftermarket DPC (CNVD-2026-15829)

HCL Aftermarket DPC is a digital spare parts and aftermarket management platform for HCL India. HCL Aftermarket DPC suffers from a security vulnerability that can be exploited by attackers to more easily guess weak passwords or gain unauthorized access to user accounts using brute force technique...

CVSS: 9.8 | AI score: 5.9 | EPSS: 0.00242 | Exploits: 0
CNNVD
added 2026/03/31 12:00 a.m., 5 views

Umami SQL injection vulnerability

Umami is a lightweight analytics platform provided by Umami Inc., which offers website traffic statistics and user behavior analysis. Umami has a SQL injection vulnerability that stems from improper sanitization of the timezone request parameter. This vulnerability may lead to SQL...

CVSS: 9.3 | AI score: 5.8 | EPSS: 0.00345 | Exploits: 0 | References: 1
Positive Technologies
added 2026/03/31 12:00 a.m., 3 views

PT-2026-29380

The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then...

CVSS: 5.8 | AI score: 5.8 | EPSS: 0.00138 | Exploits: 0 | References: 5
VulnCheck KEV
added 2026/03/31 12:00 a.m., 8 views

VulnCheck KEV: CVE-2025-10090

A flaw has been found in Jinher OA up to 1.2. The impacted element is an unknown function of the file /C6/Jhsoft.Web.departments/GetTreeDate.aspx. Manipulation of the argument ID can lead to SQL injection. The attack may be launched remotely. The exploit has been published and may be us...

CVSS: 9.8 | AI score: 5.6 | EPSS: 0.01664 | In wild | Exploits: 1 | References: 2
Packet Storm News
added 2026/03/31 12:00 a.m., 1 view

An Empirical Comparison of Security and Privacy Characteristics of Android Messaging Apps

Mobile messaging apps are a fundamental communication infrastructure, used by billions of people every day to share information, including sensitive data. Security and Privacy are thus critical concerns for such applications. Although the cryptographic protocols prevalent in messaging apps are...

AI score: 6 | Exploits: 0
CNNVD
added 2026/03/31 12:00 a.m., 4 views

vcpkg code issue vulnerability

vcpkg is an open-source C/C++ cross-platform package management tool developed by Microsoft. Versions of vcpkg prior to 3.6.1 contained code vulnerabilities. These vulnerabilities stemmed from the Windows build of OpenSSL, where the openssldir path was set to the path on the build...

CVSS: 7.8 | AI score: 7.2 | EPSS: 0.00715 | Exploits: 0 | References: 3
CNNVD
added 2026/03/31 12:00 a.m., 5 views

OpenClaw security vulnerability

OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.28 contained a security vulnerability. This vulnerability stemmed from the lack of rate limiting in Nextcloud Talk's webhook authentication process, which could allow attackers ...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00365 | Exploits: 0 | References: 3
CVE
added 2026/03/31 12:00 a.m., 7 views

CVE-2026-30521

CVE-2026-30521 affects SourceCodester Loan Management System v1.0. The issue is a business logic vulnerability caused by missing server-side validation for the interest_rate field. Although the frontend blocks negative values, the backend does not, allowing an authenticated attacker to modify the...

CVSS: 6.5 | AI score: 6 | EPSS: 0.00313 | Exploits: 1 | References: 1 | Affected Software: 1
Packet Storm News
added 2026/03/31 12:00 a.m., 2 views

On the Necessity of Pre-Agreed Secrets for Thwarting Last-Minute Coercion: Vulnerabilities and Lessons from the Loki E-Voting Protocol

Coercion-resistance (CR) is a crucial security property in e-voting systems. It ensures that an attacker cannot compel a voter to vote in a specific way by using threats or rewards. The Loki e-voting protocol, proposed by Giustolisi et al. at IEEE S&P 2024, introduces a novel design that...

AI score: 5.9 | Exploits: 0
Positive Technologies
added 2026/03/31 12:00 a.m., 5 views

PT-2026-29326

Name of the Vulnerable Software and Affected Versions: SourceCodester Leave Application System version 1.0. Description: A security issue exists in the User Management Handler component of SourceCodester Leave Application System. This issue allows for cross-site scripting, potentially enabling remot...

CVSS: 4.8 | AI score: 5.3 | EPSS: 0.00253 | Exploits: 0 | References: 9
EUVD
added 2026/03/30 9:31 p.m., 4 views

EUVD-2026-17174

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

CVSS: 5.9 | AI score: 6.5 | EPSS: 0.00385 | Exploits: 0 | References: 2