The Hacker News
added 2026/03/26 11:45 a.m., 8 views

ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits & 20 More Stories

Some weeks in security feel loud. This one feels sneaky. Less big dramatic fireworks, more of that slow creeping sense that too many people are getting way too comfortable abusing things they probably shouldn’t even be touching. There’s a little bit of everything in this one, too. Weird delivery...

AI score 6.2
Exploits: 0
Positive Technologies
added 2026/03/25 12:00 a.m., 12 views

PT-2026-28099

What are the limits of AI-assisted vulnerability hunting? I obtained 23 CVEs in one month. BentoML 8.2k CVE-2026-27905 HIGH SillyTavern 24.6k CVE-2026-26286 HIGH Plane 28.2k CVE-2026-27705 MEDIUM NocoDB 46.4k CVE-2026-28399 MEDIUM Mautic 8.4k CVE-2026-3105 HIGH File Browser 27.9k CVE-2026-28492...

CVSS 9.8, AI score 5.8, EPSS 0.00651
Exploits: 12, References: 1
Positive Technologies
added 2026/03/25 12:00 a.m., 8 views

PT-2026-28104

Name of the Vulnerable Software and Affected Versions: LibreChat versions prior to 0.8.3-rc1. Description: An Insecure Direct Object Reference (IDOR) exists in the 'PUT /api/keys' endpoint. Due to the use of the JavaScript object spread operator after setting the authenticated user's ID, an...

CVSS 7.1, AI score 5.8, EPSS 0.00206
Exploits: 0, References: 4
Positive Technologies
added 2026/03/25 12:00 a.m., 6 views

PT-2026-28103

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval function in notification_handler.py implements a sandboxed eval for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of the...

CVSS 7.5, AI score 5.8, EPSS 0.00476
Exploits: 1, References: 7
Positive Technologies
added 2026/03/25 12:00 a.m., 4 views

PT-2026-28105

Name of the Vulnerable Software and Affected Versions: Typebot versions prior to 3.16.0. Description: Unauthenticated users can achieve Server-Side Request Forgery (SSRF) by providing a custom typebot definition containing server-side code blocks. The issue exists because the fetch function within the...

CVSS 10, AI score 5.9, EPSS 0.00347
Exploits: 1, References: 5
Positive Technologies
added 2026/03/25 12:00 a.m., 4 views

PT-2026-28098

Name of the Vulnerable Software and Affected Versions: Gotenberg versions prior to 8.29.0. Description: Gotenberg, an API for converting document formats, contains a flaw related to URL scheme handling. A previously implemented fix for CVE-2024-21527 could be bypassed by utilizing mixed-case or...

CVSS 8.8, AI score 6, EPSS 0.00538
Exploits: 1, References: 51
Positive Technologies
added 2026/03/25 12:00 a.m., 11 views

PT-2026-28100

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, the four date filter parameters f_min_date_available, f_max_date_available, f_min_date_created and f_max_date_created in ws_std_image_sql_filter are concatenated directly into SQL without any escaping or type...

CVSS 8.7, AI score 7.1, EPSS 0.00651
Exploits: 1, References: 5
Positive Technologies
added 2026/03/25 12:00 a.m., 15 views

PT-2026-28097

What are the limits of AI-assisted vulnerability hunting? I obtained 23 CVEs in one month. BentoML 8.2k CVE-2026-27905 HIGH SillyTavern 24.6k CVE-2026-26286 HIGH Plane 28.2k CVE-2026-27705 MEDIUM NocoDB 46.4k CVE-2026-28399 MEDIUM Mautic 8.4k CVE-2026-3105 HIGH File Browser 27.9k CVE-2026-28492...

CVSS 9.8, AI score 5.8, EPSS 0.00651
Exploits: 12, References: 1
Talos Blog
added 2025/04/29 9:47 a.m., 14 views

Year in Review: AI based threats

2024 wasn't the year that AI rewrote the cybercrime playbook, but it did turbocharge some of the old tricks. In Cisco Talos' 2024 Year in Review, with the help of our friends at Robust Intelligence (now a Cisco company), we dissect how cybercriminals used generative AI to scale up social...

AI score 7.1
Exploits: 0
Kitploit
added 2020/12/23 11:30 a.m., 52 views

Kenzer - Automated Web Assets Enumeration And Scanning

Automated Web Assets Enumeration & Scanning. Instructions for running: 1. Create an account on Zulip. 2. Navigate to Settings > Your Bots > Add a new bot. 3. Create a new generic bot named kenzer. 4. Add all the configurations in configs/kenzer.conf. 5. Install/Run using ./install.sh -b if you need...

AI score 7.3
Exploits: 0, References: 1
MSRC
added 2019/11/06 8:12 p.m., 53 views

Vulnerability hunting with Semmle QL: DOM XSS

In two previous blog posts (part 1 and part 2), we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Semmle QL to web security by hunting for one of...

AI score 1
Exploits: 0
MSRC
added 2019/11/06 8:00 a.m., 13 views

Vulnerability hunting with Semmle QL: DOM XSS

In two previous blog posts (part 1 and part 2), we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Semmle QL to web security by hunting for one of...

AI score 6.5
Exploits: 0
MSRC
added 2019/11/06 8:00 a.m., 15 views

Vulnerability hunting with Semmle QL: DOM XSS

In two previous blog posts (part 1 and part 2), we talked about using Semmle QL in C and C++ codebases to find vulnerabilities such as integer overflow, path traversal, and those leading to memory corruption. In this post, we will explore applying Semmle QL to web security by hunting for one of...

AI score 1.3
Exploits: 0
MSRC
added 2019/03/19 7:00 a.m., 10 views

Vulnerability hunting with Semmle QL, part 2

The first part of this series introduced Semmle QL and how the Microsoft Security Response Center (MSRC) is using it to investigate variants of vulnerabilities reported to us. This post discusses an example of how we've been using it proactively, covering a security audit of an Azure firmware...

AI score 2.8
Exploits: 0
Malwarebytes
added 2019/02/20 4:00 p.m., 88 views

Good bots, bad bots: friend or foe?

One of the most talked about technologies online today is the ubiquitous bot. Simultaneously elusive yet also responsible for all of civilisation’s woes, bots are a hot topic of contention. If we went purely by news reports, we’d assume all bots everywhere are evil, and out to get us or just...

AI score 6.6
Exploits: 0
MSRC
added 2018/08/16 7:00 a.m., 24 views

Vulnerability hunting with Semmle QL, part 1

Previously on this blog, we’ve talked about how MSRC automates the root cause analysis of vulnerabilities reported and found. After doing this, our next step is variant analysis: finding and investigating any variants of the vulnerability. It’s important that we find all such variants and patch...

AI score 0.7
Exploits: 0
n0where
added 2018/03/22 6:22 a.m., 171 views

The Firmware Analysis and Comparison Tool: FACT

The Firmware Analysis and Comparison Tool, formerly known as Fraunhofer's Firmware Analysis Framework (FAF), is intended to automate most of the firmware analysis process. It unpacks arbitrary firmware files and runs several analyses on them. Additionally, it can compare several images or single files...

AI score 0.7
Exploits: 0, References: 2
The Hacker News
added 2017/09/11 11:50 p.m., 115 views

Apache Struts 2 Flaws Affect Multiple Cisco Products

After Equifax's massive data breach, believed to have been caused by a vulnerability in Apache Struts, Cisco has initiated an investigation into its products that incorporate a version of the popular Apache Struts 2 web application framework. Apache Struts is a free, open-source MVC framework f...

CVSS 10, AI score 10, EPSS 0.99999
Exploits: 71
The Hacker Blog
added 2016/07/25 4:35 p.m., 15 views

Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection

I recently decided to investigate the security of various certificate authorities' online certificate issuing systems. These online issuers allow certificate authorities to verify that someone owns a specific domain, such as thehackerblog.com, and get a signed certificate so they can enable SSL/TLS...

AI score 7.2
Exploits: 0
ThreatPost
added 2015/04/22 12:06 p.m., 10 views

'Fully Secure Systems Don't Exist'

SAN FRANCISCO–The more things change, the more they stay the same. Thirty years ago, Adi Shamir, one of the inventors of the RSA algorithm, was asked to do a keynote speech at a conference and spoke about his laws of computer security. They were a set of principles that he developed over the year...

AI score 0.1
Exploits: 0