
40 matches found

CNNVD
added 2026/05/12 12:0 a.m., 7 views

VMware Spring AI Security Vulnerability

VMware Spring AI is a development framework created by VMware Corporation in the Spring ecosystem, which integrates artificial intelligence and large language model capabilities. VMware Spring AI has a security vulnerability. This vulnerability allows malicious users to manipulate the behavior of...

8.2 CVSS, 5.7 AI score, 0.00218 EPSS
Exploits 0, References 1
Packet Storm News
added 2026/05/12 12:0 a.m., 5 views

When LLMs Team Up: A Coordinated Attack Framework for Automated Cyber Intrusions

Automated intrusion-style workflows require LLM agents to reason over partial observations, tool outputs, and executable artifacts under bounded budgets. A single LLM instance often compresses evidence extraction, planning, execution, and validation into one context, which increases the risk of...

5.8 AI score
Exploits 0
Packet Storm News
added 2026/05/12 12:0 a.m., 7 views

Iterative Audit Convergence in LLM-Managed Multi-Agent Systems: A Case Study in Prompt Engineering Quality Assurance

Prompt specifications for multi-agent large language model (LLM) systems carry data contracts and integration logic across many interdependent files but are rarely subjected to structured-inspection rigor. This paper reports a single-system empirical case study of iterative, agent-driven auditing...

5.9 AI score
Exploits 0
Positive Technologies
added 2026/04/06 12:0 a.m., 3 views

PT-2026-30585

The setup: 4 agents chain off each other in a loop, each reacting to the previous response. Dominus — finds a new vulnerability angle from the CISA KEV catalog Axiom — adds one new technical detail to the finding Cipher — identifies one specific flaw in the previous argument Vector — names one...

5.9 AI score
Exploits 0, References 3
Veracode
added 2026/03/21 5:28 a.m., 2 views

Integer Overflow

bcrypt-ruby is vulnerable to Integer Overflow. The vulnerability is due to an integer overflow in the Java BCrypt implementation for JRuby, where the key-strengthening round count is computed as a signed 32-bit integer, and when cost=31, signed integer overflow causes the round count to become...

7.5 CVSS, 5.9 AI score, 0.00228 EPSS
Exploits 0, References 3, Affected Software 2
Snyk
added 2026/03/05 9:54 p.m., 1 views

Use of Password Hash With Insufficient Computational Effort

Overview flowise is a Flowiseai Server Affected versions of this package are vulnerable to Use of Password Hash With Insufficient Computational Effort due to the use of insufficient bcrypt salt rounds in the getHash function. An attacker can significantly reduce the time required to crack passwor...

5.6 CVSS, 5.8 AI score
Exploits 0, References 2
OSV
added 2026/03/05 9:54 p.m., 4 views

GHSA-X2G5-FVC2-GQVP Flowise has Insufficient Password Salt Rounds

Description The default bcrypt salt rounds is set to 5, which is below the recommended minimum for security. Affected Code export function getHashvalue: string const salt = bcrypt.genSaltSyncparseIntprocess.env.PASSWORDSALTHASHROUNDS || '5' return bcrypt.hashSyncvalue, salt Evidence Using 5 salt...

4.1 CVSS, 6 AI score
Exploits 0, References 3
Github Security Blog
added 2026/03/05 9:54 p.m., 7 views

Flowise has Insufficient Password Salt Rounds

Description The default bcrypt salt rounds is set to 5, which is below the recommended minimum for security. Affected Code export function getHashvalue: string const salt = bcrypt.genSaltSyncparseIntprocess.env.PASSWORDSALTHASHROUNDS || '5' return bcrypt.hashSyncvalue, salt Evidence Using 5 salt...

6 AI score
Exploits 0, References 3, Affected Software 1
CVE
added 2025/11/25 7:59 p.m., 14 views

CVE-2025-66017

CVE-2025-66017 affects the CGGMP family (CGGMP21 and CGGMP24). The vulnerability arises from improper use of presignatures in specific configurations, allowing signature forgery or reduced security. Affected details indicate that in CGGMP21 <= 0.6.3 and CGGMP24

8.2 CVSS, 6.4 AI score, 0.0019 EPSS
Exploits 0, References 2
EUVD
added 2025/11/25 7:59 p.m., 2 views

EUVD-2025-199640

CGGMP24 is a state-of-art ECDSA TSS protocol that supports 1-round signing (requires 3 preprocessing rounds), identifiable abort, and a key refresh protocol. In versions 0.6.3 and prior of cggmp21 and version 0.7.0-alpha.1 of cggmp24, presignatures can be used in the way that significantly reduces...

8.2 CVSS, 6.3 AI score, 0.0019 EPSS
Exploits 0, References 5
The Hacker News
added 2025/08/12 11:0 a.m., 8 views

The Ultimate Battle: Enterprise Browsers vs. Secure Browser Extensions

Most security tools can't see what happens inside the browser, but that's where the majority of work, and risk, now lives. Security leaders deciding how to close that gap often face a choice: deploy a dedicated Enterprise Browser or add an enterprise-grade control layer to the browsers employees...

7.2 AI score
Exploits 0
Packet Storm News
added 2025/07/24 12:0 a.m., 3 views

An Improved ChaCha Algorithm Based on Quantum Random Number

Due to the merits of high efficiency and strong security against timing and side-channel attacks, ChaCha has been widely applied in real-time communication and data streaming scenarios. However, with the rapid development of AI-assisted cryptanalysis and quantum computing technologies, there are...

6.8 AI score
Exploits 0
Packet Storm News
added 2025/05/26 12:0 a.m., 4 views

Differential Privacy Analysis of Decentralized Gossip Averaging under Varying Threat Models

Fully decentralized training of machine learning models offers significant advantages in scalability, robustness, and fault tolerance. However, achieving differential privacy (DP) in such settings is challenging due to the absence of a central aggregator and varying trust assumptions among nodes. I...

6.9 AI score
Exploits 0
Packet Storm News
added 2025/05/15 12:0 a.m., 3 views

Neural-Inspired Advances in Integral Cryptanalysis

The study by Gohr et al. at CRYPTO 2019 and subsequent related works have shown that neural networks can uncover previously unused features, offering novel insights into cryptanalysis. Motivated by these findings, we employ neural networks to learn features specifically related to integral...

6.8 AI score
Exploits 0
Packet Storm News
added 2025/05/12 12:0 a.m., 3 views

Post-Quantum Secure Decentralized Random Number Generation Protocol with Two Rounds of Communication in the Standard Model

Randomness plays a vital role in numerous applications, including simulation, cryptography, distributed systems, and gaming. Consequently, extensive research has been conducted to generate randomness. One such method is to design a decentralized random number generator (DRNG), a protocol that enabl...

6.9 AI score
Exploits 0
OSV
added 2023/12/28 4:36 p.m., 0 views

GHSA-CW2R-4P82-QV79 DoS with algorithms that use PBKDF2 due to unbounded PBES2 Count value

Impact Denial of Service, Applications that allow the use of the PBKDF2 algorithm. Patches A patch is available that sets the maximum number of default rounds. Workarounds Applications that do not need to use PBKDF2 should simply specify the algorithms use and exclude it from the list. Applicatio...

5.3 CVSS, 5.9 AI score, 0.00884 EPSS
Exploits 0, References 9
Positive Technologies
added 2023/12/28 12:0 a.m., 5 views

PT-2023-32738

Name of the Vulnerable Software and Affected Versions JWCrypto affected versions not specified Description A flaw was found in JWCrypto, allowing an attacker to cause a denial of service (DoS) attack and making password brute-force and dictionary attacks more resource-intensive. This issue results ...

5.3 CVSS, 5.8 AI score, 0.00884 EPSS
Exploits 0, References 43
Code423n4
added 2023/09/06 12:0 a.m., 8 views

bonding on behalf of a new delegator sets the start round to the current round + 1, but the assumed future round may never actually start if rounds get stuck

Lines of code Vulnerability details Impact • If rounds get stuck and currentRound + 1 never happens, the new delegator will never be able to claim earnings. Their startRound will be set to a future round that doesn't exist. • This prevents them from claiming earnings accrued from their staked...

6.7 AI score
Exploits 0
IBM Security Bulletins
added 2023/06/27 11:1 a.m., 43 views

Security Bulletin: Vulnerability in Spring Security affects IBM Process Mining. Multiple CVEs

Summary There is a vulnerability in Spring Security that could allow a local authenticated attacker to launch further attacks on the system. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details...

5.3 CVSS, 7.2 AI score, 0.02139 EPSS
Exploits 0, Affected Software 1
RedHat Linux
added 2023/06/19 10:15 a.m., 2 views

springframework: BCrypt skips salt rounds for work factor of 31

A flaw was found in Spring Framework. The encoder does not perform any salt rounds when using the BCrypt class with the maximum work factor 31 due to an integer overflow error...

5.3 CVSS, 7.4 AI score, 0.02139 EPSS
Exploits 0, References 5