`unpack_in` can chmod arbitrary directories by following symlinks

In versions 0.4.44 and below of tar-rs, when unpacking a tar archive, the tar crate's unpackdir function uses fs::metadatafs-metadata to check whether a path that already exists is a directory. Because fs::metadata follows symbolic links, a crafted tarball containing a symlink entry followed by a...

CVE-2026-21788

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may allow the attacker steal cookie-based authentication credential...

cve-exploit-engine

cve-exploit-engine An automated CVE monitoring and exploit wo...

CVE-2026-31997

OpenClaw versions prior to 2026.3.1 fail to pin executable identity for non-path-like argv0 tokens in system.run approvals, allowing post-approval executable rebind attacks. Attackers can modify PATH resolution after approval to execute a different binary than the operator approved, enabling...

EUVD-2026-13009

OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding...

Microsoft .NET 安全漏洞

Microsoft .NET is a software framework developed by Microsoft Corporation in the United States, dedicated to agile software development, rapid application development, platform independence, and network transparency. Versions of Microsoft .NET prior to 8.0 8.0.22 and .9.0 9.0.11 contained securit...

PT-2026-26279

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may allow the attacker steal cookie-based authentication credential...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.1 contained security vulnerabilities. These vulnerabilities stemmed from the failure to properly secure the executable identity of argv0 tokens that were not path-related, which...

CVE-2026-30694

CVE-2026-30694 affects DedeCMS up to v5.7.118 (and earlier). The issue is a vulnerability in the array_filter component that could allow a remote attacker to execute arbitrary code. The CVE’s metrics indicate a high-impact, remote, no-auth Exploit with a 9.8 AV/AC/PR/UI/S/C/I/A profile. Connected...

Cyber-Resilient Digital Twins: Discriminating Attacks for Safe Critical Infrastructure Control

Industrial Cyber-Physical Systems ICPS face growing threats from cyber-attacks that exploit sensor and control vulnerabilities. Digital Twin DT technology can detect anomalies via predictive modelling, but current methods cannot distinguish attack types and often rely on costly full-system...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.2.25 contained security vulnerabilities. These vulnerabilities stemmed from a lack of persistent replay protection for Nextcloud Talk webhook events. This allowed attackers to...

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from an authentication hardening vulnerability that is due to an authentication hardening vulnerability in the browser-sourced WebSocket client in a loopback deployment. An attacker can exploit the...

PT-2026-26464

Name of the Vulnerable Software and Affected Versions phpseclib versions 1.0.26 and below phpseclib versions 2.0.0 through 2.0.51 phpseclib versions 3.0.0 through 3.0.49 Description phpseclib is a PHP secure communications library. Projects utilizing the affected versions are susceptible to a...

ROS-20260319-73-0032

Vulnerability in glpi related to insufficient validation of incoming requests. Exploitation of the vulnerability could allow a remote attacker to launch an ssrf attack...

ROS-20260319-73-0020

A vulnerability in the yuv2ya16Xctemplate function of the libswscale/output.c component of the FFmpeg multimedia library is related to integer overflow. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

ROS-20260319-73-0009

A vulnerability in the outfile plugin of the Fluent Bit logging tool is related to an incorrect directory path name restriction. Exploitation of the vulnerability could allow an attacker acting remotely to write an arbitrary file outside the target directory...

libarchive 缓冲区错误漏洞

Libarchive is an open-source multi-format archiving and compression library developed by Libarchive. Libarchive has a buffer error vulnerability, which stems from heap out-of-bounds reads in the RAR archiving processing logic. Improper validation of the LZSS sliding window size after the...

Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries

We look into a stealthy multi‑stage attack campaign that delivers PureLog Stealer entirely in memory using encrypted, fileless techniques...

Exploit for Incorrect Default Permissions in Amazon Amplify_Cli

skycenter Attack Chain Security Analysis Engine for AWS, Azure...

CVE-2026-32944 Parse Server crash via deeply nested query condition operators

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the...