{"locale":"zh","total":10,"articles":[{"title":"CVE-2026-41089: Windows Netlogon RCE Exploited in the Wild","digest":"CVE-2026-41089 is a critical remote code execution vulnerability in Windows Netlogon; the Microsoft CNA assigned it CVSS 9.8, and the CCB has confirmed that it is being exploited in the wild.","content_source_url":"https://zcybernews.com/zh/articles/2026-06-01-cve-2026-41089-windows-netlogon-rce-actively-exploited","author":"ZCyberNews","date":"2026-06-01","category":"vulnerabilities","tags":["cve-2026-41089","windows-netlogon","microsoft","remote-code-execution","active-exploitation","domain-controllers"],"severity":"critical","threat_actor":null},{"title":"CVE-2026-9082: Drupal Core SQL Injection Vulnerability Added to CISA KEV","digest":"CISA added CVE-2026-9082 (CVSS 6.5) to its Known Exploited Vulnerabilities catalog after finding evidence of active exploitation affecting all supported Drupal core versions.","content_source_url":"https://zcybernews.com/zh/articles/2026-05-23-cve-2026-9082-drupal-core-sql-injection-bug-added-to-cisa-kev","author":"ZCyberNews","date":"2026-05-23","category":"vulnerabilities","tags":["cve-2026-9082","drupal","sql-injection","cisa-kev","active-exploitation","patch-guidance"],"severity":"medium","threat_actor":null},{"title":"CVE-2026-20223 (CVSS 10): Unauthenticated API Access in Cisco Secure","digest":"CVE-2026-20223 (CVSS 10.0): An unauthenticated attacker can access internal REST APIs in Cisco Secure Workload with site administrator privileges. No authentication required.","content_source_url":"https://zcybernews.com/zh/articles/2026-05-21-cve-2026-20223-cvss-10-unauthenticated-api-access-in-cisco-secure","author":"ZCyberNews","date":"2026-05-21","category":"vulnerabilities","tags":["cve-2026-20223","cisco-secure-workload","api-vulnerability","rce","authentication-bypass"],"severity":"critical","threat_actor":null},
{"title":"CVE-2026-2586: Authenticated RCE in GlassFish Admin Console","digest":"CVE-2026-2586 (CVSS 9.1) allows an authenticated user to execute arbitrary operating system commands by sending crafted requests to the GlassFish admin console. As of May 20, no patch is available.","content_source_url":"https://zcybernews.com/zh/articles/2026-05-20-cve-2026-2586-authenticated-rce-in-glassfish-admin-console","author":"ZCyberNews","date":"2026-05-20","category":"vulnerabilities","tags":["cve-2026-2586","glassfish","rce","authenticated","admin-console"],"severity":"critical","threat_actor":null},{"title":"CVE-2026-8957: Mozilla Patches Privilege Escalation Vulnerability in Enterprise","digest":"CVE-2026-8957 (CVSS 6.5) allows privilege escalation in Firefox's Enterprise Policies component. Mozilla fixed the issue in Firefox 151 and ESR 140.11.","content_source_url":"https://zcybernews.com/zh/articles/2026-05-20-cve-2026-8957-mozilla-patches-privilege-escalation-in-enterprise","author":"ZCyberNews","date":"2026-05-20","category":"vulnerabilities","tags":["cve-2026-8957","mozilla-firefox","privilege-escalation","enterprise-policies","firefox-esr","thunderbird"],"severity":"medium","threat_actor":null},{"title":"CVE-2026-8959: Firefox Sandbox Escape via Win32 Boundary Flaw","digest":"CVE-2026-8959 (CVSS 9.6) allows a sandbox escape via incorrect boundary conditions in Firefox's Widget:Win32 component. Fixed in Firefox 151, ESR 140.11 and Thunderbird 151.","content_source_url":"https://zcybernews.com/zh/articles/2026-05-20-cve-2026-8959-firefox-sandbox-escape-via-win32-boundary-flaw","author":"ZCyberNews","date":"2026-05-20","category":"vulnerabilities","tags":["cve-2026-8959","firefox","mozilla","sandbox-escape","win32","browser-security","patch-guidance"],"severity":"critical","threat_actor":null},{"title":"CVE-2026-4883: Piotnet Forms Plugin RCE via Phar Upload","digest":"CVE-2026-4883 (CVSS 9.8) in Piotnet Forms ≤2.1.40 allows an unauthenticated attacker to upload .phar or .phtml files through an incomplete extension blacklist, leading to remote code execution.","content_source_url":"https://zcybernews.com/zh/articles/2026-05-19-cve-2026-4883-piotnet-forms-plugin-rce-via-phar-upload","author":"ZCyberNews","date":"2026-05-19","category":"vulnerabilities","tags":["wordpress","piotnet-forms","cve-2026-4883","arbitrary-file-upload","rce","phar"],"severity":"critical","threat_actor":null},
{"title":"CVE-2026-45230: Unauthenticated Path Traversal Leaves DumbAssets Vulnerable","digest":"CVE-2026-45230 (CVSS 9.1) in DumbAssets 1.0.11 and earlier allows an unauthenticated attacker to delete arbitrary files via path traversal in the POST /api/delete-file endpoint.","content_source_url":"https://zcybernews.com/zh/articles/2026-05-18-cve-2026-45230-unauthenticated-path-traversal-in-dumbassets-lets","author":"ZCyberNews","date":"2026-05-18","category":"vulnerabilities","tags":["cve-2026-45230","dumbassets","path-traversal","arbitrary-file-deletion","unauthenticated","cvss-9.1"],"severity":"critical","threat_actor":null},{"title":"CVE-2026-7301: SGLang Scheduler RCE via Pickle Deserialization","digest":"CVE-2026-7301 (CVSS 9.8) allows an attacker to execute arbitrary code on an SGLang server by sending a malicious pickle payload to the scheduler's ROUTER socket, which is bound to 0.0.0.0...","content_source_url":"https://zcybernews.com/zh/articles/2026-05-18-cve-2026-7301-sglang-scheduler-rce-via-pickle-deserialization","author":"ZCyberNews","date":"2026-05-18","category":"vulnerabilities","tags":["cve-2026-7301","sglang","pickle-deserialization","rce","ai-infrastructure","patch-guidance"],"severity":"critical","threat_actor":null},{"title":"CVE-2026-8836: CVSS 10.0 Stack Overflow in lwIP SNMPv3 Parser","digest":"CVE-2026-8836 is a CVSS 10.0 stack-based buffer overflow in the SNMPv3 USM handler of lwIP 2.2.1 and earlier. A remote unauthenticated attacker can, through a specially crafted...","content_source_url":"https://zcybernews.com/zh/articles/2026-05-18-cve-2026-8836-cvss-10-0-stack-overflow-in-lwip-snmpv3-parser","author":"ZCyberNews","date":"2026-05-18","category":"vulnerabilities","tags":["lwip","cve-2026-8836","snmpv3","stack-buffer-overflow","embedded","remote-code-execution"],"severity":"critical","threat_actor":null}]}