RSS Aggregator

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

The Hacker News - 21 May, 2026 - 05:44
Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure. The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is
Category: Hacking & Security

Apache NetBeans 30

AbcLinuxu [news briefs] - 21 May, 2026 - 05:15
The Apache Software Foundation (ASF) has released version 30 of NetBeans (Wikipedia), the integrated development environment and development platform written in Java. An overview of the new features is on GitHub. It can also be installed from Snapcraft and Flathub.
Category: GNU/Linux & BSD

WordPress 7.0 Armstrong

AbcLinuxu [news briefs] - 21 May, 2026 - 05:08
Version 7.0 of the free and open source content management system WordPress has been released. The codename Armstrong was chosen in honor of the American jazz trumpeter and singer Louis Armstrong (What A Wonderful World).
Category: GNU/Linux & BSD

Critical vulnerability in Drupal (SA-CORE-2026-004, CVE-2026-9082)

AbcLinuxu [news briefs] - 21 May, 2026 - 04:59
A critical vulnerability, SA-CORE-2026-004 (CVE-2026-9082), has been found and fixed in Drupal. An attacker can execute arbitrary SQL queries on sites that use a PostgreSQL database.
Category: GNU/Linux & BSD

Microsoft is working on a patch for ‘YellowKey’ attack on BitLocker, offers temporary fix

Computerworld.com [Hacking News] - 21 May, 2026 - 03:03

Microsoft says it is considering a patch for a zero-day vulnerability, dubbed YellowKey, that allows attackers with access to a Windows device to bypass BitLocker encryption protection and read and write files. The flaw was disclosed last week, and there is already a public proof of concept available.

The company issued an advisory Tuesday saying that companies should act to mitigate the issue, tracked as CVE-2026-45585, while it examines the possibility of a patch. In its advisory, it provided the immediate steps that companies should take. A key defense against possible attack is to limit access to vulnerable devices, as physical access is required for exploitation.

“Organizations should start by auditing their environment for the conditions that exist that leave them vulnerable to YellowKey,” said Eric Grenier, senior director analyst at Gartner. “They should also have a clear understanding of their risk acceptance in the case of a lost/stolen device and, based on that acceptance (or non-acceptance), follow the steps such as customizing Secure Boot and ensuring firmware and Boot integrity.”

Karl Fosaaen, VP of research at cybersecurity company NetSPI, agreed. “Since this vulnerability requires physical access to exploit, organizations should be focusing on the physical security controls around their Windows devices,” he said. “Having strong policies and controls around physical access to devices is a good first step in helping protect the potentially vulnerable devices. If there are additional concerns about attackers being able to gain access to files on the system, organizations can look at limiting the data that they allow users to store locally.”

One of the issues facing companies is the proliferation of employees using mobile devices, which makes it harder for organizations to restrict access to them. “You’re increasingly seeing companies with corporate data on their laptops, and YellowKey can leave that data unlocked,” said Nathan Davies-Webb, principal consultant at UK-based security company Acumen. This is where tight device security policies come into play, such as prohibiting users from leaving devices unattended.

However, said Fosaaen, what makes detection of an attack particularly difficult for the individual user is that it is not immediately apparent that a device has been targeted. “If an attacker used the exploit to read files from the encrypted volume, there likely wouldn’t be any indicators to a user. If the attacker implanted malicious software, you might see increased system utilization, or other performance issues,” he noted.

To make things worse, it is also possible that Microsoft’s mitigation guidance may not be effective. In a post on a security site, researcher Will Dormann pointed out that there could be a way to override the company’s proposed solution. That being the case, IT managers will certainly be watching for a patch from Microsoft.

While Microsoft has announced that it is looking into such a patch, Davies-Webb doesn’t think a solution will be straightforward. “I would heavily speculate that this is something that is there by design,” he said. “Microsoft would be thinking ‘If I stop this happening, what would I be taking away?’ I strongly suspect that there is some functionality in Windows, maybe something in manufacturing, that could be affected by any patch.”

“Besides,” he added, “it could take some time for a patch to be released. The RedSun vulnerability [in Windows Defender] was identified last month and still hasn’t been patched.”

Category: Hacking & Security

[webapps] Cockpit 359 - RCE

The Exploit Database - 21 May, 2026 - 02:00
Cockpit 359 - RCE

[webapps] BookStack 25.12.1 - Denial of Service

The Exploit Database - 21 May, 2026 - 02:00
BookStack 25.12.1 - Denial of Service

[local] Lenovo LegionSpace 1.7.11.2 - 'DAService' Unquoted Service Path

The Exploit Database - 21 May, 2026 - 02:00
Lenovo LegionSpace 1.7.11.2 - 'DAService' Unquoted Service Path

[webapps] solaredge - (CSRF-OOB-Injection)

The Exploit Database - 21 May, 2026 - 02:00
solaredge - (CSRF-OOB-Injection)

[webapps] FUXA 1.2.9 - RCE

The Exploit Database - 21 May, 2026 - 02:00
FUXA 1.2.9 - RCE

Microsoft Just Showed How Easily Trusted Software Pipelines Can Be Abused

LinuxSecurity.com - 21 May, 2026 - 01:03
Microsoft announced this week that it disrupted a malware-signing operation that helped cybercriminals distribute ransomware disguised as legitimate software. According to the company, a threat actor called Fox Tempest abused Microsoft Artifact Signing to generate short-lived code-signing certificates for malicious payloads.
Category: Hacking & Security

Equal, or unequal? Why men and women sometimes pay different prices

Lupa.cz - articles - 21 May, 2026 - 00:00
Not every price difference is discrimination, but the different life situations of men and women can create genuinely different costs. With hairdressers, clothing, travel or hygiene products, for example, the reality tends to be more complicated. Sometimes it is a stereotype, at other times it is different costs, supply, customer behaviour or social expectations.
Category: IT News

He won a dispute over an invalid dismissal, yet did not receive a single crown. The Supreme Court explained why

Lupa.cz - articles - 21 May, 2026 - 00:00
An employee lost the ability to perform his current work and the employer has no alternative position for him. He will nevertheless not obtain compensation for the invalid dismissal in the form of wage compensation for the duration of the dispute, and the employer does not have to create a new position.
Category: IT News

How are SOHO routers attacked? Old bugs, bad configuration and carelessness

ROOT.cz - 21 May, 2026 - 00:00
A few weeks ago, news of a large-scale cyberattack appeared in the media. The Russian group APT28 attacked SOHO routers and, through them, ultimately managed to compromise some login credentials.
Category: GNU/Linux & BSD

Fine scrolling on Atari 8-bit microcomputers

ROOT.cz - 21 May, 2026 - 00:00
The last very useful feature of the ANTIC chip is its support for so-called fine scrolling. ANTIC allows both horizontal and vertical shifting of the whole scene with single-pixel or single-scanline precision.
Category: GNU/Linux & BSD

Celestial / Xe3P PCB for 640-bit 160 GB LPDDR5X rules out a consumer GPU

CD-R server - 21 May, 2026 - 00:00
Images of the PCB for Intel Xe3P in the Crescent Island configuration have appeared. It is evidently a design intended solely for professional deployment: the huge package and 20 LPDDR5X chips for 160 GB rule out any other possibility…
Category: IT News

Physicists have created hybrid light-matter quasiparticles for photonic chips

OSEL.cz - 21 May, 2026 - 00:00
Electrons in electronics are running out of steam. Exciton-polariton quasiparticles combine the advantageous properties of radiation and matter, which predestines them for photonic chips. These could make it possible to reduce the enormous power consumption of large AI systems and to advance toward quantum computers integrated on chips.
Category: Science and technology

Ukraine identifies infostealer operator tied to 28,000 stolen accounts

Bleeping Computer - 20 May, 2026 - 23:36
The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, has identified an 18-year-old man from Odesa suspected of running an infostealer malware operation targeting users of an online store in California. [...]
Category: Hacking & Security

Hackers bypass SonicWall VPN MFA due to incomplete patching

Bleeping Computer - 20 May, 2026 - 23:19
Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. [...]
Category: Hacking & Security