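No looking back at the past, no pause in security. AiRedTeam's security notes, recording the late nights spent sparring with code and vulnerabilities. Code as the sword, vulnerabilities as the whetstone, guarding a patch of clean digital ground. May this writing become a Baize that watches over all things.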

Security Intelligence

CVE-2026-7332 (CVSS 7.2) - The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for W

📡 NVD-Latest · 2026-05-06 · CVE-2026-7332 · CVSS 7.2
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url'
Reading time: 1 minute
Vulnerability Analysis

[remote] telnetd 2.7 - Buffer Overflow

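CVE-2026-32746: The SLC handler in GNU InetUtils telnetd versions before 2.7 has a stack buffer overflow that can lead to pre-authentication remote code execution. Critical · CVSS 9.8
📋 Basic vulnerability information
CVE: CVE-2026-32746
Vulnerability type: Stack buffer overflow
Affected versions: GNU InetUtils telnetd 2.7 and earlier (inetutils-telnetd)
Severity: Critical · CVSS 9.8
Published: 2026-05-07
Submitter: Jeff Barron (jeffaf)
Source: Exploit-DB (original post)
🔬 Root cause
In the add_slc() function in telnetd/slc.c, the 3 bytes of each SLC triplet are appended to a fixed 108-byte buffer, slcbuf, without any bounds check, so that more than
Reading time: 10 minutes
Vulnerability Analysis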

[webapps] Ghost CMS 6.19.0 - SQLi

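CVE-2026-26980: The Content API in Ghost CMS 6.19.0 and earlier has an unauthenticated boolean-based blind SQL injection that can be used to extract sensitive data from the database. Critical · CVSS 9.1
📋 Basic vulnerability information
CVE: CVE-2026-26980
Vulnerability type: SQL injection (boolean-based blind)
Affected versions: Ghost CMS >=3.24.0, <=6.19.0
Severity: Critical · CVSS 9.1
Published: 2026-05-07
Submitter: Maksim Rogov
Source: Exploit-DB (original post)
🔬 Root cause
The filter parameter of the tags endpoint in Ghost CMS's Content API does not properly sanitize user input. An attacker crafts a special slug filter condition to inject a malicious SQL condition into a CASE WHEN statement, combines it with a database error function (such as SQLite's abs(-9223372036854775808) or MySQL's exp(710)) to trigger an error, and by observing the "InternalServerError" or "badrequesterror" returned by the server
Reading time: 10 minutes
Vulnerability Analysis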

[webapps] Bludit CMS 3.18.4 - RCE

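CVE-2026-25099: The Bludit CMS API plugin does not restrict uploaded file types, allowing RCE by an authenticated user. Critical · CVSS 9.1
📋 Basic vulnerability information
CVE: CVE-2026-25099
Vulnerability type: Unrestricted file upload
Affected versions: Bludit CMS < 3.18.4
Severity: Critical · CVSS 9.1
Published: 2026-05-07
Submitter: Yahia Hamza (https://yh.do)
Source: Exploit-DB (original post)
🔬 Root cause
The uploadFile() function of the Bludit CMS API plugin performs no validation of the extension or content of uploaded files, so files of any type, including PHP webshells, can be uploaded via POST /api/files/<page-key>.
🎯 Attack scenario
Prerequisite: a valid API token (obtainable from the admin panel, or through misconfiguration or log leakage). Steps: 1. Obtain a valid page key via GET /api/pages; 2.
Reading time: 5 minutes
Vulnerability Analysis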

[local] NocoBase 2.0.27 - VM Sandbox Escape

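CVE-2026-34156: The NocoBase workflow script node does not properly isolate the console object of the VM sandbox, leading to a sandbox escape and RCE. Critical · CVSS 9.9
📋 Basic vulnerability information
CVE: CVE-2026-34156
Vulnerability type: Sandbox escape RCE
Affected versions: NocoBase <= 2.0.27
Severity: Critical · CVSS 9.9
Published: 2026-05-07
Submitter: Onurcan Genç
Source: Exploit-DB (original post)
🔬 Root cause
When NocoBase executes user-supplied JavaScript in the Workflow Script Node, it uses the Node.js vm sandbox and a custom require allowlist to restrict module loading, but the console object passed into the sandbox is tied to the host environment's WritableWorkerStdio streams (console._stdout / console._stderr). Through the prototype chain (console._stdout.constructor.constructor) an attacker can obtain the host environment's Function constructor, then access the process object and call proces
Reading time: 10 minutes
Security Intelligence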

CVE-2026-42877 - FacturaScripts vulnerable to stored XSS via product reference in sales/purchases

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-42877 · GHSA-r736-2678-fcrx · MEDIUM · composer/facturascripts/facturascripts
Summary: A stored Cross-Site Scripting (XSS) vulnerability exists in the product search modal of sales and purchases documents. An authenticated user with access to the warehouse module
Reading time: 1 minute
Security Intelligence

CVE-2026-27964 - FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Man

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-27964 · GHSA-gq5c-rw37-g46c · LOW · composer/facturascripts/facturascripts
Summary: A Reflected Cross-Site Scripting (XSS) vulnerability exists in the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. Details
Reading time: 1 minute
Security Intelligence

CVE-2026-27891 - FacturaScripts Vulnerable to Remote Code Execution (RCE) via Zip Slip in Plugin

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-27891 · GHSA-3pgc-xqg9-cfr6 · HIGH · composer/facturascripts/facturascripts
Summary: A Critical vulnerability exists in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an
Reading time: 1 minute
Security Intelligence

GHSA-gr3r-crp5-qrrm - Compromised tag of intercom-php published via GitHub

📡 GitHub-Advisory · 2026-05-07 · GHSA-gr3r-crp5-qrrm · CRITICAL · composer/intercom/intercom-php
Impact: On April 30, 2026, a malicious commit was pushed to the intercom/intercom-php repository and tagged as version 5.0.2, using a compromised service account (github-management-service). This occurred as part of
Reading time: 1 minute
Security Intelligence

CVE-2026-44513 - Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custo

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44513 · GHSA-98h9-4798-4q5v · HIGH · pip/diffusers
Impact: A trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False (or omitting it,
Reading time: 1 minute
Security Intelligence

CVE-2026-44248 - Netty MQTT: Resource exhaustion in MqttDecoder

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44248 · GHSA-jfg9-48mv-9qgx · MEDIUM · maven/io.netty:netty-codec-mqtt
Impact: The MQTT 5 header Properties section is parsed and buffered _before_ any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage
Reading time: 1 minute
Security Intelligence

CVE-2026-44007 - vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44007 · GHSA-8hg8-63c5-gwmx · CRITICAL · npm/vm2
Summary: When a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require:
Reading time: 1 minute
Security Intelligence

CVE-2026-43998 - vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox e

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-43998 · GHSA-cp6g-6699-wx9c · HIGH · npm/vm2
Summary: NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root
Reading time: 1 minute
Security Intelligence

CVE-2026-44003 - vm2's Transformer Fast-Path Bypass Exposes Internal State Variable

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44003 · GHSA-wp5r-2gw5-m7q7 · MEDIUM · npm/vm2
Summary: vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows
Reading time: 1 minute
Security Intelligence

CVE-2026-44000 - vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary

📡 GitHub-Advisory · 2026-05-07 · CVE-2026-44000 · GHSA-mpf8-4hx2-7cjg · MEDIUM · npm/vm2
Summary: A sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution. When a host-side Promise that resolves to a host
Reading time: 1 minute
[!] CONTACT_CHANNELS

For business cooperation, technical consulting, or vulnerability reports, contact the author through the offshore nodes below.

> PING_AUTHOR (@A1RedTeam)