ZCyberNews
中文

Articles

432 articles

GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git PushHIGH
Vulnerabilities

GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push

CVE-2026-3854 (CVSS 8.7) lets authenticated users with push access achieve remote code execution on GitHub.com and GitHub Enterprise Server via a crafted git push command.

CVE-2026-3854
4 min read
Oracle VirtualBox Race Condition Lets Attackers Escalate PrivilegesHIGH
Vulnerabilities

Oracle VirtualBox Race Condition Lets Attackers Escalate Privileges

CVE-2026-35230: A race condition in VirtualBox's SoundBlaster 16 emulation allows local attackers with high-privileged guest access to escalate privileges. CVSS 7.5.

CVE-2026-35230
3 min read
Project Zero Dusts Off 2017 VirtualBox Escape Draft WithHIGH
Industry News

Project Zero Dusts Off 2017 VirtualBox Escape Draft With

Google Project Zero published a 2017 draft detailing CVE-2017-3558, a VirtualBox VM escape allowing host userspace compromise. No new exploit code released.

CVE-2017-3558
2 min read
SAP npm Packages Hijacked in Credential-Stealing Supply Chain AttackCRITICAL
Malware

SAP npm Packages Hijacked in Credential-Stealing Supply Chain Attack

Attackers compromised multiple SAP-related npm packages to deploy credential-stealing malware, targeting SAP BTP and cloud app credentials. Campaign dubbed mini Shai-Hulud.

3 min readmini Shai-Hulud
Swiss Police Arrest 10 Suspected Black Axe Cybercrime MembersHIGH
Industry News

Swiss Police Arrest 10 Suspected Black Axe Cybercrime Members

Swiss and German police arrested 10 suspects tied to the Nigeria-linked Black Axe network, including a regional leader overseeing Southern Europe operations.

2 min readBlack Axe
Zero-Window Era: NDR Playbooks for Post-Mythos ExploitsHIGH
Industry News

Zero-Window Era: NDR Playbooks for Post-Mythos Exploits

Claude Mythos and Project Glasswing shrink exploit windows to near-zero. The Hacker News details NDR playbooks to contain AI-driven attacks before patching is possible.

2 min readClaude Mythos
Cyber Command, NSA Chief Warns Foreign Adversaries Will Target USHIGH
Industry News

Cyber Command, NSA Chief Warns Foreign Adversaries Will Target US

Gen. Joshua Rudd told lawmakers foreign adversaries are likely to target the 2026 US midterm elections; Cyber Command is postured to safeguard the vote.

2 min read
Flowise Auth Bypass CVE-2026-41276 Lets Attackers Reset PasswordsHIGH
Vulnerabilities

Flowise Auth Bypass CVE-2026-41276 Lets Attackers Reset Passwords

CVE-2026-41276 (CVSS 8.1) in Flowise AccountService resetPassword lets unauthenticated attackers bypass authentication. ZDI advisory warns no auth required.

CVE-2026-41276
2 min read
Foxit PDF Reader CVE-2026-5943 Use-After-Free RCE Exploited viaHIGH
Vulnerabilities

Foxit PDF Reader CVE-2026-5943 Use-After-Free RCE Exploited via

CVE-2026-5943: A use-after-free in Foxit PDF Reader's AcroForm annotation handling allows unauthenticated RCE (CVSS 7.8). Requires user to open a malicious PDF.

CVE-2026-5943
3 min read
Foxit PDF Reader Use-After-Free Leaks Memory via AcroForm SignaturesLOW
Vulnerabilities

Foxit PDF Reader Use-After-Free Leaks Memory via AcroForm Signatures

CVE-2026-5942: A use-after-free in Foxit PDF Reader's AcroForm signature handling lets attackers read process memory. CVSS 3.3. User must open a malicious file.

CVE-2026-5942
2 min read
Google Project Zero Details macOS coreaudiod Exploit ChainHIGH
Vulnerabilities

Google Project Zero Details macOS coreaudiod Exploit Chain

Google Project Zero published exploit details for CVE-2024-54529, a type confusion in macOS coreaudiod allowing sandbox escape via knowledge-driven fuzzing.

CVE-2024-54529CVE-2025-31235
3 min read
LiteLLM CVE-2026-42208 Pre-Auth SQLi Exploited in AttacksCRITICAL
Vulnerabilities

LiteLLM CVE-2026-42208 Pre-Auth SQLi Exploited in Attacks

Attackers exploit CVE-2026-42208, a critical pre-authentication SQL injection in LiteLLM LLM gateway, to steal API keys and model data. CVSS 9.8. No patch yet.

CVE-2026-42208
3 min read
← PrevPage 19 of 36Next →