[MOCK] 这是一个厂商公告的伪摘要: Ivanti Endpoint Manager Mobile代码注入漏洞

[MOCK] 这是一个厂商公告的伪摘要: No Title

[MOCK] 这是一个厂商公告的伪摘要: No Title

[MOCK] 这是一个厂商公告的伪摘要: No Title

[MOCK] 这是一个厂商公告的伪摘要: No Title

[MOCK] 这是一个厂商公告的伪摘要: No Title

[MOCK] 这是一个厂商公告的伪摘要: No Title

[MOCK] 这是一个厂商公告的伪摘要: No Title

[MOCK] 这是一个威胁情报的伪摘要: NSA GRASSMARLIN

[MOCK] 这是一个厂商公告的伪摘要: Citrix NetScaler 内存泄漏(CVE-2025-5777)

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](https://chromereleases.googleblog.com/2026) for more information.

The Stable channel has been updated to 147.0.7727.137/138 for Windows/Mac  and 147.0.7727.137 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the LogSecurity Fixes and RewardsNote: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists

Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited in the wild. The vulnerability in question is CVE-2026-32202 (CVSS score: 4.3), a spoofing vulnerability that could allow an attacker to access sensitive information. It was addressed as part of its Patch Tuesday update for this

Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability  tracked as CVE-2026-42208. [...]

In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI's LiteLLM Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge. The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying

微软 MSRC 发布安全公告，指出此漏洞由 Chrome 团队分配，影响基于 Chromium 的 Microsoft Edge 浏览器。由于 Edge 集成了 Chromium 代码库，该漏洞可能涉及浏览器安全缺陷，例如内存损坏或远程代码执行风险。公告未提供具体 CVE 编号和严重性评级，但建议用户参考 Google Chrome 官方发布说明获取详细信息。攻击者可能通过精心构造的网页触发漏洞，导致浏览器崩溃或潜在代码执行。当前暂无已知在野利用报告。

微软MSRC发布公告指出，Microsoft Edge（基于Chromium）继承了Chromium代码，因此当Google Chrome修复某个漏洞时，Edge也会受到该漏洞影响。此漏洞由Chrome分配CVE编号，但公告中未提供具体的CVE标识符、漏洞类型或技术细节。用户应参考Google Chrome的发布说明以获取更多信息。由于缺乏详细描述，无法确定漏洞的成因、攻击向量或实际影响。建议用户关注Chrome安全更新，并及时升级Edge浏览器。

PLANET VDR-300NU ADSL Router - 未授权修改DNS

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

Acknowledgements

### Impact The output of `cilium-bugtool` can contain sensitive data when the tool is run against Cilium deployments with WireGuard encryption enabled. Users of [WireGuard Transparent Encryption](https://docs.cilium.io/en/stable/security/network/encryption-wireguard/) are affected. The sensitive data is the WireGuard private key (`cilium_wg0.key`) used for node-to-node encrypted communication `

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2024-1708 ConnectWise ScreenConnect Path Traversal Vulnerability CVE-2026-32202 Microsoft Windows Protection Mechanism Failure Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to th

Firefox browsers

Sign in to Cloud

Sign Up for Free Cloud Tier

## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `< 2026.4.20` - Patched version: `2026.4.20` ## Impact Browser profile creation normalized `cdpUrl` values before persisting them, but did not apply the configured browser SSRF policy at creation time. In deployments that explicitly disabled private-network CDP targets, a stored profile could still point at a priva

Browser Use WebUI 反序列化漏洞

iOS 26.4.2 and iPadOS 26.4.2

iOS 18.7.8 and iPadOS 18.7.8

iOS 18.7.7 and iPadOS 18.7.7

iOS 26.4 and iPadOS 26.4

Background Security Improvements for iOS, iPadOS, and macOS

iOS 16.7.15 and iPadOS 16.7.15

iOS 15.8.7 and iPadOS 15.8.7

iOS 26.3 and iPadOS 26.3

iOS 18.7.5 and iPadOS 18.7.5

iOS 26.2 and iPadOS 26.2

iOS 18.7.3 and iPadOS 18.7.3

Compressor 4.11.1

iOS 18.7.2 and iPadOS 18.7.2

iOS 26.1 and iPadOS 26.1

iOS 26.0.1 and iPadOS 26.0.1

iOS 18.7.1 and iPadOS 18.7.1

iOS 26 and iPadOS 26

iOS 18.7 and iPadOS 18.7

iOS 16.7.12 and iPadOS 16.7.12

iOS 15.8.5 and iPadOS 15.8.5

iOS 18.6.2 and iPadOS 18.6.2

Android Code Search

Android Devices

Secure an Android device

Android 16 QPR2

Mobile network security

MFSA 2026-18Security Vulnerabilities fixed in Focus for iOS 148.2

MFSA 2026-12Security Vulnerabilities fixed in Firefox for iOS 147.4

MFSA 2026-09Security Vulnerabilities fixed in Firefox for iOS 147.2.1

## Summary After a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at `/api/notes/{id}`, `/api/notes/{id}/content`, the slug URL, and the asset endpoints. Unauthenticated callers who hold the note ID or the slug path retain access. GORM's soft-delete scope does not reach the raw `JOIN books ...` clauses used by the note and asset queries. ## Details `DELE

### Impact The HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. ### Patches * https://github.com/WeblateOrg/wlc/pull/1327 ### Workarounds The only vulnerable code path is HTML output which is opt-in. ### References Weblate thanks @fg0x0 for reporting this on GitHub.

    Hi, everyone! We've just released Chrome 147 (147.0.7727.137) for Android. It'll become available on Google Play over the next few days. This release includes stability and performance improvements. You can see a full list of the changes in the Git log. If you find a new issue, please let us know by filing a bug.Android releases contain the same security fixes as their corresponding Desktop re

The Beta channel is being updated to OS version 16640.22.0 (Browser version 148.0.7778.94) for most ChromeOS devices.If you find new issues, please let us know one of the following ways:File a bugVisit our ChromeOS communitiesGeneral: Chromebook Help CommunityBeta Specific: ChromeOS Beta Help CommunityReport an issue or send feedback on ChromeInterested in switching channels? Find out how.Andy WuG

### Summary The Zipkin exporter remote endpoint cache accepted unbounded key growth derived from span attributes. In high-cardinality scenarios, this could increase process memory usage over time and degrade availability. ### Details - Introduce a bounded, thread-safe LRU cache for remote endpoints. - Enforce fixed maximum size to prevent unbounded growth. ### Impact - A process using Zipkin

It was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes. ## The Problem In `Writer/Html.php` around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply `htmlspecialchars()`: ```php if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, ...); } ``` When a cell has

### Summary The application fails to validate the ```nick``` parameter during a ```POST``` request to the ```EditUser``` controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account (including the Administrator). This leads to Broken Access Control and potential Audit Log Corruption. ### Details The vulnerability exists in the use

The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page,

A vulnerability was detected in RemoteClinic up to 2.0. This affects an unknown part of the file /staff/edit.php. Performing manipulation of the argument image results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

A vulnerability was found in Campcodes Online Learning Management System 1.0. Affected is an unknown function of the file /teacher_signup.php. Performing manipulation of the argument firstname results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. Other parameters might be affected as well.

A security vulnerability has been detected in SourceCodester Eye Clinic Management System 1.0. Affected by this issue is some unknown functionality of the file /main/search_index_Diagnosis.php. Such manipulation of the argument Search leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

A weakness has been identified in Campcodes Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ of the component Admin Dashboard Login. This manipulation of the argument Password causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.

A vulnerability was found in code-projects Human Resource Integrated System 1.0. This affects an unknown part of the file /log_query.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used.

A vulnerability was found in Campcodes Online Shopping System 1.0. Affected is an unknown function of the file /product.php. Performing manipulation of the argument p results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.

A vulnerability has been found in Campcodes Online Shopping System 1.0. This impacts an unknown function of the file /login.php. Such manipulation of the argument Password leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

A security vulnerability has been detected in itsourcecode Student Information System 1.0. This affects an unknown function of the file /course_edit1.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

Use after free in iOS in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

Use after free in WebView in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Use after free in Media in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. A hig

A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the unsanitized type parameter in register.php.

### Summary The Zipkin exporter remote endpoint cache accepted unbounded key growth derived from span attributes. In high-cardinality scenarios, this could increase process memory usage over time and degrade availability. ### Details - Introduce a bounded, thread-safe LRU cache for remote endpoints. - Enforce fixed maximum size to prevent unbounded growth. ### Impact - A process using Zipkin

It was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes. ## The Problem In `Writer/Html.php` around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply `htmlspecialchars()`: ```php if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, ...); } ``` When a cell has

### Summary The application fails to validate the ```nick``` parameter during a ```POST``` request to the ```EditUser``` controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account (including the Administrator). This leads to Broken Access Control and potential Audit Log Corruption. ### Details The vulnerability exists in the use

Firewall for AI

Microsoft says it will start blocking legacy TLS connections for POP and IMAP email clients in Exchange Online starting in July 2026. [...]

CrowdStrike Named a Leader in Frost & Sullivan 2026 Radar for Cloud-Native Application Protection Platforms

CrowdStrike Expands Real-Time Cloud Detection and Response to Google Cloud

CrowdStrike Falcon Cloud Security Delivered 264% ROI Through Unified Cloud Protection

Security & Identity

SAP on Google Cloud

Inside Google Cloud

Google Cloud Next & Events

Google Cloud Consulting

Transform with Google Cloud

GTIG AI Threat Tracker: Distillation, Experimentation, and (Continued) Integration of AI for Adversarial Use

Threat IntelligenceNorth Korea-Nexus Threat Actor Compromises Widely Used Axios NPM Package in Supply Chain AttackBy Google Threat Intelligence Group • 16-minute read

Threat IntelligenceRansomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat LandscapeBy Google Threat Intelligence Group • 53-minute read

Google Cloud Products

Cloud & Application Security

From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise

Next-Gen Identity Security

CrowdStrike FalconID Brings Phishing-Resistant MFA to Falcon Next-Gen Identity Security

Learn how Microsoft Sentinel UEBA helps defenders distinguish benign AWS activity from attacker behavior by enriching raw CloudTrail logs with clear, binary behavioral signals derived from baseline user, peer, and device behavior patterns. The post Simplifying AWS defense with Microsoft Sentinel UEBA appeared first on Microsoft Security Blog.

Threat actors are now publishing structured OPSEC playbooks to stay undetected. Flare reveals how these guides outline layered infrastructure, identity separation, and long-term evasion strategies. [...]

无人机开源飞控 PX4-Autopilot堆栈溢出漏洞 CVE-2025-15150

MongoDB内存泄漏 CVE-2025-14847(MongoBleed)

1Panel 代理证书验证绕过导致任意命令执行漏洞(CVE-2025-54424)

ModelContext Inspector 未授权访问漏洞(CVE-2025-49596)

llamaindex SQL 注入漏洞(CVE-2025-1750)

Screen 本地权限提升漏洞(CVE-2025-23395)

Craft CMS 验证后模版注入导致远程命令执行漏洞(CVE-2025-46731)

Zabbix认证后SQL注入漏洞(CVE-2024-42327)

ProjectSend认证绕过漏洞(CVE-2024-11680)

PyTorch库RPC框架反序列化RCE漏洞(CVE-2024-48063)

Grafana认证后DuckDB-SQL注入漏洞(CVE-2024-9264)

SPIP BigUp Unauthenticated RCE(CVE-2024-8517)

Rejetto HFS 远程命令执行漏洞(CVE-2024-39943)

Apache HugeGraph-Server Command Execution In Gremlin（CVE-2024-27348）

Zabbix 后台延时注入(CVE-2024-22120)

CrushFTP 认证绕过漏洞（CVE-2024-4040）

### Summary `_clone()` validates `multi_options` as the original list, then executes `shlex.split(" ".join(multi_options))`. A string like `"--branch main --config core.hooksPath=/x"` passes validation (starts with `--branch`), but after split becomes `["--branch", "main", "--config", "core.hooksPath=/x"]`. Git applies the config and executes attacker hooks during clone. ### Details The vulnera

### Impact `@excalidraw/excalidraw@0.18.0` depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid’s KaTeX label rendering path. This is patched in `@excalidraw/excalidraw@0.18.1` by updating `@excalidraw/mermaid-to-excalidraw` to `2.2.2`, w

## Summary There is a timing side-channel vulnerability in Traefik's BasicAuth middleware that allows an attacker to enumerate valid usernames through response-time differences. The variable intended to hold a constant-time fallback secret always resolves to an empty string, causing the constant-time comparison to short-circuit in microseconds rather than performing a full bcrypt evaluation. Thi

Alert for CVE-2026-21992

Alert for CVE-2025-61884

Alert for CVE-2025-61882

Alert for CVE-2024-21287

Alert for CVE-2022-21500

Alert for CVE-2021-44228

### Summary CoreDNS' DNS-over-QUIC (DoQ) server can be driven into large goroutine and memory growth by a remote client that opens many QUIC streams and stalls after sending only 1 byte. Even with a small configured quic { worker_pool_size ... }, CoreDNS still spawns a goroutine per accepted stream (workers + waiters) and active workers can block indefinitely in io.ReadFull() with no per-stream re

该论文针对企业软件工程从传统的确定性CRUD/REST架构向AI原生系统转型过程中引入的安全张力展开研究。在AI原生系统中，大语言模型作为认知编排器，但概率性LLMs削弱了验证、访问控制和形式化测试等经典机制的安全性。作者提出了一种由模型上下文协议（MCP）治理的语义网关设计，该系统将企业API重构为语义表面，工具根据意图和策略进行动态发现、授权和执行。核心贡献在于范式转换：应将自主代理视为随机状态转移系统，而非传统软件或简单API消费者，通过启用工具图对其行为进行抽象、模糊测试和审计。架构引入三层零信任安全模型，包括推理前语义防火墙、确定性工具级RBAC和带外加密人工审批循环。论文还借鉴了区块链智能合约验证中的保持启用抽象（EPA）和灰盒语义模糊测试，用于审计企业环境中的代理行为。实验结果表明，该方法减少了84.2%的偶然代码，在50万次多轮模糊测试序列中实现了100%的隐藏未授权状态转换发现率，证明动态形式化验证对于安全的代理部署是严格必要的。

这篇论文针对公共机构在资助评审中引入大语言模型（LLM）作为决策辅助工具时面临的治理难题：模型和评分标准不能暴露给申请人以防他们针对优化，但评审过程必须可审计、可质疑且可问责。作者提出了一种基于可信执行环境（TEE）的架构，通过远程证明技术协调上述矛盾。该架构允许外部验证者检查使用的模型、评分规则、提示模板和输入表示，同时不向申请人或基础设施操作者暴露模型权重、专有评分逻辑或中间推理过程。核心成果是“经证明的评审包（attested evaluation bundle）”：一个包含签名和时间戳的记录，关联原始提交哈希、规范化输入哈希、模型与评分规则度量以及评审输出。论文还考虑了场景特定的提示注入风险：申请人控制的文档可能包含隐藏指令影响LLM评估。为此，论文设计了规范化和净化层，用于标准化文档表示并在推理前记录可疑变换。作者将设计置于机密AI推理、可证明AI审计、零知识机器学习、算法问责制和AI辅助同行评议的背景下进行定位。论文的声明刻意狭窄：远程证明不能证明评审是公平或科学正确的，但可以使评审过程的部分环节变得外部可验证。

Detecting CVE-2026-20929: Kerberos Authentication Relay via CNAME Abuse

In early March, GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) that could have allowed attackers to access millions of private repositories. [...]

Android 兼容性测试套件 (CTS) 是谷歌为了确保 Android 设备与 Android 框架 API 兼容而提供的一套自动化测试工具。该公告由 Android 安全公告发布，主要目的是通知开发者与设备制造商关于 CTS 的最新版本或更新。公告内容没有提及任何特定的安全漏洞或 CVE 条目，因此可以认为这不是一个安全修复公告，而是关于测试工具本身的维护性发布。CTS 更新通常不会直接影响用户设备的安全性，而是帮助开发者验证设备是否符合 Android 兼容性要求。公告没有提供具体的变更日志或安全相关问题，因此对于防御方而言，无需采取紧急修复措施，但建议有测试需求的团队关注最新的 CTS 版本以保持兼容性。

Android 兼容性定义文档（CDD）是 Google 发布的官方规范，用于定义 Android 设备必须满足的硬件和软件兼容性要求。该文档旨在确保不同厂商的设备能够运行 Android 应用生态系统，并维持一致的用户体验。本次公告是常规的 CDD 更新，不涉及任何安全漏洞或紧急修复。CDD 的更新通常包括对新技术、API 变更或功能要求的规范调整，开发者与设备制造商需据此调整实现。当前输入无 CVE、无严重性评级，且未提及具体技术细节或攻击场景。

该内容来自Android安全公告（Android Security Bulletin），但标题为“Tools, build, and related reference”，URL指向的是Android官方构建参考页面（setup reference），而非安全公告。摘要为空，未提供CVE编号、受影响产品、严重性评级或参考文献。因此，这并非一个漏洞公告，而是一份关于Android构建工具和配置的官方参考文档。文档内容可能涵盖构建系统、编译工具链、依赖管理等技术细节，旨在帮助开发者正确配置开发环境。由于没有具体的漏洞信息，无法进行传统的安全分析。

Android 安全公告发布了最新的兼容性定义文档（CDD）。CDD 是 Android 生态系统的基础文档，定义了设备必须满足的硬件和软件要求，以确保应用兼容性与一致性。本次更新可能涉及新的功能要求、性能基准或安全增强措施，但公告中未提供详细变更内容。设备制造商和应用开发者需参考新 CDD 调整产品设计，以保持与最新 Android 版本的兼容性。

本次输入为Android安全公告的最新索引页面，来源为官方渠道（source.android.com）。公告发布日期为2026年4月29日，但未附带任何具体的CVE编号、漏洞描述、受影响产品或严重性等级。该页面通常用于汇总当月Android安全补丁的发布说明，但当前输入缺乏实际漏洞细节。由于没有具体内容，无法确定任何安全风险或影响范围。建议定期关注官方公告页面以获取补丁详情。

Apple 发布了安全更新公告，建议用户更新 Mac 上的软件。该公告来自 Apple 官方安全发布页面（https://support.apple.com/en-us/108382），但未提供具体的 CVE 编号、漏洞详情、影响组件或严重性等级。公告可能涉及针对多个产品的安全修复，包括 macOS 及预装软件，以防范潜在的安全威胁。由于缺乏具体信息，无法确定漏洞的成因、攻击向量或实际影响。建议用户按照 Apple 的常规安全更新流程，尽快安装最新版本的 macOS 和相关软件，以确保系统安全。

苹果公司于2026年4月29日发布安全公告，敦促用户更新iPhone或iPad上的软件。该公告未披露具体漏洞细节或CVE编号，但通常此类更新包含针对已知安全问题的修复。建议用户尽快安装最新系统版本，以降低潜在安全风险。

该输入仅提供了Apple官方安全发布页面的链接（https://support.apple.com/en-us/102549），标题为“submit your research”，发布日期为2026年4月29日。正文摘要为空，未提及任何具体漏洞、CVE编号、受影响产品或严重程度。因此，无法生成具体的漏洞分析。建议直接访问Apple安全发布页面以获取最新公告。

Apple 安全发布页面提供了关于如何报告安全漏洞、获取安全更新以及联系 Apple 安全团队的指南。该页面并非具体的安全公告，而是为安全研究人员和用户提供一般性帮助。截至发布日期 2026-04-29，页面未提及任何特定漏洞或 CVE。

Apple发布了名为'Background Security Improvements'的安全更新，旨在提升系统的后台安全性。该更新可能包含多个未公开的安全修复，但具体漏洞细节、影响范围及利用方式尚未披露。由于更新涉及系统底层安全改进，建议用户尽快安装以增强设备防护能力。

腾讯云于2026年4月29日发布公告，宣布天御验证码微信小程序插件V1.0版本将于2026年5月31日停止支持。该插件用于在小程序中集成验证码功能。停止支持后，腾讯云将不再提供该版本的安全更新、技术支持和问题修复。虽然此次停服不涉及具体漏洞，但继续使用已停止支持的版本可能会面临未知安全风险，如无法及时修复未来发现的安全问题。建议用户尽快升级到新版插件（如V2.0）或迁移至其他验证码方案，以确保服务安全性和合规性。

腾讯云于2026年4月29日发布五一假期服务公告，旨在提前告知用户假期期间（2026年5月1日至5月5日）可能影响服务的运维安排，例如系统维护、升级或部分服务暂停。公告未提及任何安全漏洞、CVE编号或攻击事件，其内容主要围绕服务可用性和运维计划，而非安全更新或补丁。用户无需担心安全风险，但应关注腾讯云官方渠道以获取具体维护时间窗口，避免业务中断。

腾讯云于2026年4月29日发布公告，宣布对发信域名升级频率策略进行调整。该调整旨在优化邮件发送服务的稳定性和效率，具体涉及发信域名的升级频率限制。根据公告，用户需要关注新的策略细节，并可能需要对发信配置进行相应调整，以确保邮件投递的正常进行。本次调整不涉及安全漏洞，仅为服务策略更新。

腾讯云于2026年4月29日发布了【口语评测（基础版）】产品的退市公告。该公告宣布，腾讯云口语评测（基础版）服务将在未来某个时间点正式停止运营。此产品用于对语音进行自动化评测打分，主要面向教育、考试等场景。退市意味着该服务将不再可用，已接入该服务的用户需要迁移至替代产品（如口语评测（高级版））或其他第三方方案。公告可能详细说明了退市时间表、数据迁移指引以及后续支持政策。由于是服务终止而非安全更新，不存在安全漏洞修复事宜。

腾讯云安全公告发布通知，针对新网注册商下已备案域名的合规规则进行调整。本次调整主要涉及已备案域名的管理要求，具体包括域名持有者信息真实性核验、备案信息变更流程优化以及违规域名处置机制升级。调整旨在落实《网络安全法》及工信部相关管理规定，提升域名备案准确性和安全性。用户需关注自身已备案域名的状态，及时完成信息更新，确保符合最新合规要求。公告未提及具体安全漏洞，属于服务规则变更。

输入内容为公安机关网站备案号信息，并非安全公告。未发现任何漏洞或安全事件描述。

Pocsuite 是由知道创宇安全研究团队开发并维护的一款开源远程漏洞测试框架。该框架旨在辅助安全研究人员进行 Web 安全漏洞的发现与验证，是团队长期积累的技术成果。本次输入内容并非安全公告，而是框架的通用介绍，未提及任何具体漏洞、CVE 编号或安全风险。因此，无法提供漏洞细节或影响评估。

知道创宇旗下 Seebug 是一个权威的漏洞参考、分享与学习的安全漏洞社区平台，在国内和国际享有知名度。目前收录漏洞数量 52206，PoC 数量 44236。该输入仅为平台介绍，未涉及任何具体漏洞或安全公告，因此无法提供漏洞详情。

知道创宇推出的网站安全防护服务，基于十年Web安全防护经验，构建多层安全防护体系。该服务结合云端大数据分析能力和安全CDN加速，能够高效识别和拦截黑客发起的DDoS攻击、DNS攻击、CC攻击等常见网络威胁。通过实时监控和智能调度，保障网站的正常访问和数据安全。该服务旨在为网站提供全方位的安全防护，降低被攻击的风险。本文档为该服务的产品介绍，未涉及具体漏洞信息。

输入内容为公安备案编号信息，并非安全公告或漏洞通报。来源为360CERT，但未提供任何漏洞描述、CVE编号或严重性评估。因此无法生成漏洞摘要。

输入内容为360CERT的ICP经营许可证公示页面，标题为“（总）网出证（京）字第281号”，链接指向360.cn的licence2.html。该页面仅用于展示网络信息服务资质，不包含任何安全漏洞、威胁情报或技术公告信息。因此无法进行漏洞总结或风险评估。

提供的输入并非网络安全漏洞或安全公告，而是360CERT网站的版权许可信息（京网文〔2020〕6051-1195号）。标题与来源URL指向《360许可协议》页面，未包含任何技术细节、漏洞描述或安全风险信息。因此，无法提取有效的安全摘要。

输入内容为360CERT的网站备案信息（京ICP证080047号[京ICP备08010314号-6]），并非安全漏洞公告或技术分析报告。该信息来自工信部备案系统，不涉及任何安全漏洞或风险。

微软MSRC于2026年4月28日发布了关于Microsoft Entra ID Entitlement Management中服务器端请求伪造（SSRF）漏洞的安全公告。该漏洞允许未经授权的攻击者通过网络进行欺骗攻击（spoofing）。Microsoft Entra ID是微软的云身份和访问管理服务，其Entitlement Management组件用于管理用户对资源的访问权限，通常涉及通过API或后台服务与内部系统进行交互。SSRF漏洞的核心问题在于，当应用程序处理用户提供的URL或请求时，未能充分验证目标地址，攻击者可以诱使服务器向内部网络或外部系统发送恶意构造的请求。这可能导致攻击者绕过身份验证或访问控制，读取内部资源、执行端口扫描，或利用服务器身份进行进一步攻击。由于未提供CVE编号和严重性评级，漏洞的影响范围尚不完全明确。攻击者需要具备网络访问条件，但无需预先认证。微软尚未发布该漏洞的详细修复信息或缓解措施，建议用户持续关注微软安全更新公告，并确保Entra ID环境中的组件保持最新。

微软官方披露 Microsoft Power Apps 存在一个不受控制的搜索路径元素漏洞（Uncontrolled Search Path Element）。该漏洞允许未经授权的攻击者通过网络在受影响系统上执行代码。漏洞成因是 Power Apps 在加载外部库或资源时，未对搜索路径进行充分限制，攻击者可通过将恶意文件放置在特定路径或通过网络诱导应用加载来触发代码执行。由于 Power Apps 广泛应用于低代码开发和企业应用集成，该漏洞可能被利用于远程攻击，但微软尚未发布严重性评级和具体受影响的版本信息。建议用户关注微软安全响应中心（MSRC）的后续更新。

Azure IoT Central 是微软提供的物联网平台即服务，用于连接、监控和管理 IoT 设备。该平台存在一个信息泄露漏洞，其成因是系统未正确限制对敏感信息的访问，导致授权攻击者能够通过网络向未授权角色暴露敏感信息。攻击者可以利用此漏洞提升自身在网络中的权限，从而可能获取更高权限的操作能力。该漏洞不需要攻击者具备特殊权限，但需要网络访问能力。微软已发布相关安全公告，但未提供具体修复补丁或详细技术细节，建议用户密切关注微软官方更新。

Paper专业的技术文章，安全经验的积累。Paper 栏目专注于安全技术文章的收录。我们推崇黑客精神，技术分享和热衷解决问题及超越极限，Seebug Paper 期待您的分享。

Cookie settings

Mozilla Monitor

The Mozilla Manifesto

Mozilla Foundation

Accessibility Policy

Create an Account

Instructions for subscribing to email notifications

Product Security Home

Security Bulletins

Priority and Severity Ratings

Newsletter Subscription

Adobe Security Notifications

## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `>= 2026.4.5, < 2026.4.20` - Patched version: `2026.4.20` ## Impact A malicious workspace `.env` could set `MINIMAX_API_HOST` and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the outbound `Authorization` header. This requires running OpenClaw from an atta

多款Huawei产品DHCP拒绝服务漏洞

Linux kernel "drivers/usb/serial/whiteheat.c" 拒绝服务漏洞

Huawei Enterprise Information Engine SQL注入漏洞

Siemens COMOS 本地提权漏洞

Siemens RuggedCom ROS和ROX设备信息泄露

WL-330NUL远程命令执行漏洞

Tibbo Technology AggreGate远程代码执行漏洞

Symantec Endpoint Protection Manager-RU6-MP3任意操作系统命令执行漏洞

Joomla “Ja-Ka-Filter-And-Search” 组件 SQL 注入漏洞

京公网安备 11010502034610号

【腾讯云代码助手】关于 CodeBuddy、WorkBuddy 计费方案调整的公告

【云安全中心】关于《云安全中心服务条款》及《云安全中心服务等级协议》更新的通知

【安全通告】Xinference 供应链投毒风险通告

【大模型服务平台 TokenHub】服务条款与服务等级协议更新通知

【TDSQL-C MySQL 版】关于首尔二区机房电力异常情况通知

Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.

Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network.

Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.

Url redirection to untrusted site ('open redirect') in M365 Copilot allows an unauthorized attacker to elevate privileges over a network.

Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network.