Public Voting Records: A Record, or an Attack Surface?

This is a whitepaper discussing a formal methodology for auditing voter-file disclosure regimes against linkage attacks...

GoBGP 缓冲区错误漏洞

GoBGP is an open-source implementation of the Border Gateway Protocol BGP developed by osrg. Versions of GoBGP prior to 4.3.0 contained a buffer error vulnerability. This vulnerability stems from a buffer overflow in the function PathAttributeAigp.DecodeFromBytes within the AIGP Attribute Parser...

Astra Linux – Vulnerability in Python 2.7, Python 3.7

A issue was discovered in the comparedigest function in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimizations were possible in the accumulator variable used in hmac.comparedigest...

Astra Linux - уязвимость в mbedtls

Use of a Broken or Risky Cryptographic Algorithm in the function mbedtlsmpiexpmod in lignum.c in Mbed TLS Mbed TLS all versions before 3.0.0, 2.27.0 or 2.16.11 allows attackers with access to precise enough timing and memory access information typically an untrusted operating system attacking a...

Astra Linux – Vulnerability in libtirpc

In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that used libtirpc, as idle TCP connections were handled improperly. This could lead to an svcrun infinite loop without accepting new connections...

Astra Linux – Vulnerability in Firefox and Thunderbird

Keyboard events reference strings like “KeyA” that are located at fixed, known, and widely-distributed addresses. Cache-based timing attacks, such as Prime+Probe, could potentially determine which keys were pressed. This vulnerability affects Firefox ESR 102.5, Thunderbird 102.5, and Firefox 107...

Astra Linux – Vulnerability in Linux 5.10, Linux

Several Linux PV device frontends are vulnerable to attacks by backends that use grant table interfaces to remove access rights from resources. This can lead to potential data leaks, data corruption by malicious backends, and denial of service attacks. The backends that use these interfaces may n...

OESA-2026-2176 kernel security update

The Linux Kernel, the operating system core itself. Security Fixes: IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. In mesh networks using Wi-Fi Protected Access WPA, WPA2, or WPA3 or Wired Equivalent Privacy WEP, an adversary can exploit this vulnerability to injec...

NextChat 安全漏洞

NextChat is an open-source project developed by NextChat for quickly deploying private ChatGPT web applications. Versions of NextChat 2.16.1 and earlier contained a security vulnerability. This vulnerability stemmed from the improper authorization in the addMcpServer function within the...

The Ultimate Mathematical & AI Toolkit 路径遍历漏洞

The Ultimate Mathematical & AI Toolkit is a mathematical and AI toolkit developed by rUv. It supports sub-linear algorithms and consciousness exploration. Version 1.5.0 of the Ultimate Mathematical & AI Toolkit contains a path traversal vulnerability. This vulnerability stems from the exportstate...

TRENDnet TEW-821DAP 数据伪造问题漏洞

TRENDnet TEW-821DAP is a wireless access point from the company TRENDnet. Versions of TRENDnet TEW-821DAP prior to 1.12B01 contained a data falsification vulnerability. This vulnerability stems from insufficient validation of data authenticity in the platformdoupgradecameodev function within the...

NextChat 访问控制错误漏洞

NextChat is an open-source project developed by NextChat for quickly deploying private ChatGPT web applications. Versions of NextChat 2.16.1 and earlier contained a access control vulnerability, which was caused by improper cross-domain policies in unknown functions in Next.js files. This...

InnoShop 授权问题漏洞

InnoShop is an open-source e-commerce system based on Laravel 11, developed by InnoShop. Versions of InnoShop prior to 0.7.8 had authorization-related vulnerabilities. These vulnerabilities stemmed from improper authentication practices in the InstallServiceProvider::boot function found in the...

45,000 Attacks, 5,300+ Backdoors Tied to China-Linked Cybercrime Operation

SOCRadar researchers have uncovered a massive Chinese cybercrime operation using the OpenClaw and Paperclip systems to automate global attacks...

[SECURITY] [DLA 4556-1] dovecot security update

Debian LTS Advisory DLA-4556-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin May 01, 2026 https://wiki.debian.org/LTS Package : dovecot Version : 1:2.3.13+dfsg1-2+deb11u3 CVE ID : CVE-2025-59031 CVE-2025-59032 CVE-2026-0394 CVE-2026-27855 CVE-2026-27856...

AstrBot 安全漏洞

AstrBot is an open-source multi-platform LLM chatbot and development framework created by AstrBot. Versions of AstrBot 4.16.0 and earlier contain security vulnerabilities. These vulnerabilities stem from a hard-coded credential issue in the Dashboard component’s file...

MeTube 访问控制错误漏洞

MeTube is a self-hosted multi-site video download tool developed by Alex. Versions of MeTube prior to 2026.04.09 contained an access control vulnerability. This vulnerability stemmed from a cross-domain policy relaxation issue in the onprepare function of the app/main.py file in the CORS Policy...

CVE-2026-7429 SSCMS v7.4.0 Reflected Cross-Site Scripting via STL Processing

SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output...

Imperva Customers Protected Against CVE-2026-41940 in cPanel & WHM

What is CVE-2026-41940? CVE-2026-41940 is a critical authentication bypass vulnerability affecting cPanel & WHM, including DNSOnly, in versions after 11.40. The flaw, discovered by WatchTowr Labs, exists in the login flow and allows unauthenticated remote attackers to gain unauthorized access to...

U-SPEED N300 安全漏洞

The U-SPEED N300 is a wireless router device produced by the U-SPEED company. The U-SPEED N300 V1.0.0 version has a security vulnerability. This vulnerability stems from the lack of rate limiting or account locking protection in the /api/login endpoint. As a result, local network attackers may...