CVE-2026-8888 CVE-2026-8888

Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in...

CVE-2026-8888

CVE-2026-8888 affects the Securly Chrome Extension, version 3.0.7. It downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation, enabling an on-path attacker to inject patterns that cause catastrophic bac...

CVE-2026-8888

Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in...

Wardriving assessment across Mexico: Preparing for the 2026 World Cup

Introduction Mexico is one of the host countries for the 2026 FIFA World Cup, with matches to be played in three major cities: Mexico City, Monterrey, and Guadalajara. These locations are expected to see a large influx of international visitors, increasing the potential security risks. Many of...

Malicious code in @customer-threesixty/assets (npm)

Dependency confusion attack campaign targeting Scandinavian telecommunications and digital services organizations Telenor, Ownit, Vimla, and Customer 360 / C360. Four packages published by the debating0166 npm account use inflated version numbers 99.0.x to win npm registry resolution over private...

Espanso 2.3.0 Configuration Security Auditor

This Python script implements a security auditing tool for Espanso configuration files. The EspansoSecurityAuditor class scans Espanso match configurations for potentially dangerous shell commands, insecure permissions, and suspicious execution patterns that could indicate malicious automation or...

MaskForge: Structure-Aware Adaptive Attacks for Jailbreaking Diffusion Large Language Models

Diffusion large language models dLLMs generate text by iteratively denoising partially masked sequences under bidirectional context, exposing a safety surface distinct from autoregressive LLMs. Because mask tokens are native inputs and tokens are committed by confidence rather than position,...

Security Bulletin: There is a vulnerability in minimatch-3.0.5.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-27903, CVE-2026-27904)

Summary There is a vulnerability in minimatch-3.0.5.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-27903 DESCRIPTION: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to...

Improper Handling of Case Sensitivity

Overview tuf is a secure updater framework for Python. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to platform-dependent behavior in the DelegatedRole.istargetinpathpattern function. An attacker can bypass intended access restrictions by exploitin...

YARA-X 1.17.0

YARA-X is a re-incarnation of YARA, a pattern matching tool designed with malware researchers in mind. This new incarnation intends to be faster, safer and more user-friendly than its predecessor. The ultimate goal of YARA-X is replacing YARA as the default pattern matching tool for malware...

CVE-2026-48147

Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex / matches functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. Th...

EUVD-2026-32606

Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex / matches functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. Th...

Technical Report: Exploring the Emerging Threats of the Agent Skill Ecosystem

We analyzed 3,984 AI agent skills from major marketplaces and found 76 confirmed malicious payloads, including credential theft, backdoor installation, and data exfiltration. 13.4% of all skills contain at least one critical-level security issue and at least 8 manually confirmed malicious skills...

Budibase 安全漏洞

Budibase is an open-source low-code platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.35.4 contained security vulnerabilities. These vulnerabilities stemmed from the fact...

PT-2026-44058

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.35.4 Description The buildMatcherRegex and matches functions in packages/backend-core/src/middleware/matchers.ts compile route patterns into unanchored regular expressions and test them against ctx.request.url, whi...

CVE-2026-9353

A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.23. Impacted is an unknown function of the file agent/skillsguard.py of the component Skills Guard Multi-Word Prompt Handler. The manipulation of the argument THREATPATTERNS leads to injection. Remote exploitatio...

CVE-2026-24527

Missing Authorization vulnerability in Patterns in the cloud Autoship Cloud for WooCommerce Subscription Products allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Autoship Cloud for WooCommerce Subscription Products: from n/a through 2.14.0...

CVE-2026-24527

Missing Authorization vulnerability in Patterns in the cloud Autoship Cloud for WooCommerce Subscription Products allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Autoship Cloud for WooCommerce Subscription Products: from n/a through 2.14.0...

CVE-2026-9353

A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.23. Impacted is an unknown function of the file agent/skillsguard.py of the component Skills Guard Multi-Word Prompt Handler. The manipulation of the argument THREATPATTERNS leads to injection. Remote exploitatio...

CVE-2026-9353

A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.23. Impacted is an unknown function of the file agent/skillsguard.py of the component Skills Guard Multi-Word Prompt Handler. The manipulation of the argument THREATPATTERNS leads to injection. Remote exploitatio...