253 matches found
CVE-2026-48783
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The...
PT-2026-50122
Postiz is an AI social media scheduling tool. Versions prior to 2.21.8 contained an unauthenticated endpoint that accepted a signed token and applied subscription-enforcement side effects to the organization referenced in that token's claims, without verifying the token's intended purpose. The...
The Emergence of Autonomous Penetration Capabilities in Large Language Model-Powered AI Systems
Nowadays, the autonomous execution of cyberattacks capable of causing substantial real-world harm is widely regarded as one of the critical red lines that frontier AI systems must not cross. Within this broader red-line scenario, autonomous penetration represents a core enabling capability and...
GHSA-2MXR-P26X-MJ73 @hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened
Affected: @hulumi/baseline 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-1059 Insufficient Technical Documentation / Behavioral Inconsistency Summary The S3 bucket that AccountFoundation creates to receive CloudTrail and AWS Config audit logs is meant to be tamper-resistant — if someone with...
@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened
Affected: @hulumi/baseline 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-1059 Insufficient Technical Documentation / Behavioral Inconsistency Summary The S3 bucket that AccountFoundation creates to receive CloudTrail and AWS Config audit logs is meant to be tamper-resistant — if someone with...
PT-2026-48477
Affected: @hulumi/baseline 1.4.0 — Fixed in: 1.4.0 — Severity: High — CWE-1059 Insufficient Technical Documentation / Behavioral Inconsistency Summary The S3 bucket that AccountFoundation creates to receive CloudTrail and AWS Config audit logs is meant to be tamper-resistant — if someone with...
AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload
Phishing has always been a numbers game. AI has turned it into a volume machine. Attackers can now create convincing emails, fake login pages, and tailored lures in minutes. Every polished message adds another case for Tier 1 to review, another link to inspect, and another alert that cannot be...
CVE-2026-38703
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target...
CVE-2026-38703
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target...
CVE-2026-38703
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target...
On the Security of Research Artifacts
Research artifacts are widely shared to support reproducibility, and artifact evaluation AE has become common at many leading conferences. However, AE mainly checks whether artifacts work as claimed and can be reproduced. It largely overlooks potential security risks. Since these artifacts are...
Root-Cause-Driven Automated Vulnerability Repair
Recent LLM-based systems have made automated vulnerability repair increasingly practical, but two challenges remain. First, without strong signals about where a bug originates, repair agents drift toward shallow edits that silence the observed failure while leaving the underlying defect unresolve...
hunter-max-oss
hunter-max A bug-bounty research framework. Two pieces: 1...
Roblox clamps down on chats and age checks as legal pressure builds
Roblox has long faced criticism over child safety on its platform. Now it has started settling with state attorneys over the issue, and the total is climbing fast. On April 21, Alabama Attorney General Steve Marshall announced a $12.2 million settlement with the child-focused online gaming...
MCP Pitfall Lab: Exposing Developer Pitfalls in MCP Tool Server Security under Multi-Vector Attacks
Model Context Protocol MCP is increasingly adopted for tool-integrated LLM agents, but its multi-layer design and third-party server ecosystem expand risks across tool metadata, untrusted outputs, cross-tool flows, multimodal inputs, and supply-chain vectors. Existing MCP benchmarks largely measu...
[SECURITY] Fedora 44 Update: kf6-sonnet-6.25.0-1.fc44
KDE Frameworks 6 Tier 1 solution for spell checking...
[SECURITY] Fedora 44 Update: kf6-kparts-6.25.0-1.fc44
KDE Frameworks 6 Tier 3 solution for KParts...
[SECURITY] Fedora 44 Update: kf6-kjobwidgets-6.25.0-1.fc44
KDE Frameworks 6 Tier 2 addon for KJobs...
[SECURITY] Fedora 44 Update: kf6-knotifyconfig-6.25.0-1.fc44
KDE Frameworks 6 Tier 3 module for KNotify configuration...
[SECURITY] Fedora 44 Update: kf6-kiconthemes-6.25.0-1.fc44
KDE Frameworks 6 Tier 3 integration module with icon themes...