Cyber Security Daily Radar

符号执行是一种强大的程序分析技术，广泛应用于漏洞检测、安全测试和恶意软件分析等领域。然而，该技术面临可扩展性挑战，例如路径爆炸和复杂约束问题，这源于真实世界程序中常见的特定结构和语义模式。现有方法试图通过将程序转换为新表示来规避这些模式以降低执行成本，但转换往往过于僵化，无法充分利用多样化的局部程序语义，有时甚至依赖于为具体执行设计的编译器优化，可能与符号执行的目标不一致。本文提出 Symbolon 框架，该框架自动学习多样化的代码转换，并以上下文敏感的方式应用它们来改进符号执行。其核心洞察是将转换发现形式化为程序表示上的搜索问题。为使搜索可行，Symbolon 在离线状态下对小规模程序进行低成本学习，将转换提炼为可复用的智能体技能库，并使用智能体在仓库级目标上实例化这些技能。实验评估表明，在 32 个真实世界程序上使用 16 种搜索策略，Symbolon 显著改进了符号执行引擎 KLEE，平均行覆盖率提升 3.69 倍，同时峰值内存和单次查询求解器时间分别降低 29.2 倍和 123 倍。当应用于最新 Linux 内核时，Symbolon 发现了 21 个先前未知的漏洞，所有漏洞均已报告给内核维护者。该方法为符号执行的可扩展性问题提供了一种自动化、数据驱动的解决方案。

随着大语言模型（LLM）在实际应用中的广泛部署，模型量化技术因其能够显著降低模型大小和推理延迟而被广泛采用。然而，量化过程引入了一种新型安全威胁：量化条件后门（QCB）攻击。在这种攻击中，攻击者可以精心构造后门触发器，使得后门行为在完整精度模型中保持休眠状态，仅在模型经过特定量化失真后被激活，从而绕过传统的安全审计。针对这一威胁，本文提出了 FlipGuard，一种主动防御框架。该框架通过在量化前对模型权重进行选择性扰动，破坏攻击者在权重模式与量化边界之间的精确对齐，从而抑制后门激活。FlipGuard 不需要访问训练数据或触发器样本，因此具有较高的实用性。为了全面评估防御效果，作者提出了防御有效性比（DER）这一统一度量指标，综合衡量安全提升、模型效用保持和计算开销。在包括 StarCoder 和 LLaMA 系列在内的七个 LLM 上，针对 INT8、FP4、NF4 三种量化方案，在三种攻击场景（易受攻击代码生成、内容注入、过度拒绝）下的实验表明，FlipGuard 能够有效中和 QCB 攻击，在保持较高安全性的同时，几乎不造成性能下降。该工作为 LLM 量化部署提供了重要的安全防御思路。

本文研究大语言模型在越狱攻击下的内部机制。作者发现攻击并未完全消除模型的安全特征，而是选择性抑制特定注意力头。通过分析，识别出两类功能分化的注意力头：早期层中的“对抗妥协头”（ACH），在攻击下被抑制；以及中间层的“安全对齐头”（SAH），即使在攻击成功时仍保持鲁棒激活。消融实验证实ACH的因果作用以及SAH对鲁棒激活的贡献：抑制少量ACH足以在正常拒绝的输入上诱导类似越狱的行为，而移除SAH会显著削弱中间层的安全激活。令牌级归因进一步显示，ACH抑制由攻击模板令牌驱动，解释了攻击如何通过抑制ACH绕过拒绝决策，同时SAH维持内部安全信号——作者称之为“鲁棒有害特征”。为验证鲁棒性的实际意义，作者展示仅需读取这些持续激活（无需训练）即可获得与强对抗鲁棒性方法相当的聚合检测性能。该方法为理解越狱攻击的机制提供了新视角，并为鲁棒安全检测提供了潜在方案。适合大模型安全研究人员、红蓝队工程师阅读。

本文提出了一种名为 Tree of Evidence (ToE) 的分层可解释声明验证框架，用于自动事实核查，以应对虚假新闻尤其是生成式引擎优化（GEO）投毒下AI生成错误信息的威胁。ToE 将每个声明建模为一个动态扩展的论证树，通过集成强化学习驱动的多源检索智能体、证据评估智能体和论证树聚合算法，迭代地分解、检索和验证声明，形成可解释的证据链。理论分析推导了检索过程的误差界，证明学习策略收敛到信息论最优策略的邻域。在多个数据集和骨干大语言模型上的实验表明，ToE 相比强基线提升了4到24个百分点，在对抗性投毒输入上提升尤为显著。该框架为事实核查提供了可解释性，并有效对抗检索系统被恶意内容污染的问题。适合LLM安全、虚假信息检测及信息检索领域的研究者和从业者阅读。

该论文针对智能视频监控中“可疑行为自动标记”这一核心功能，审视了当前被广泛引用的视频异常检测基准（如UCSD Ped1/Ped2、CUHK Avenue、ShanghaiTech）上报告的高帧级ROC-AUC数值。作者指出，这些高指标通常是在同一摄像机和场景下训练和测试得到的，而实际部署时场景不可控、分布外样本普遍存在。为量化这种场景迁移导致的分值崩塌，作者构建了一个无监督正常性模型：仅使用一个数据集的全部正常训练帧，采用冻结的现成嵌入（CLIP、DINOv2、ResNet-50、EfficientNet-B0）结合近邻距离，然后对同一数据集和其他数据集的测试帧进行评分。实验涵盖4个真实数据集和4种骨干网络，发现：同一数据集平均AUC为0.704，而跨数据集平均AUC仅为0.499（相当于随机猜测）；多个跨数据集对甚至低于随机水平。更强的骨干网络反而加剧下降：DINOv2在相同数据集上AUC可达0.901，但跨数据集下降幅度最大。该分值的崩塌并非评分规则伪影：将近邻检测器替换为PaDiM风格的马氏距离检测器几乎重现相同结果（跨数据集差距0.202 vs 0.208）。即使在有利的工作点，假警报率也高达每小时31,931次。作者得出结论：当前的基准测试数值描述的是校准过的实验室环境，严重高估了实际部署可靠性。论文发布了可复现所有数字的代码。适合安全工程师、AI监控系统构建者、计算机视觉研究者阅读。

本文研究量子算法与密码学中的一个核心挑战：如何高效模拟对随机群元素（如随机函数、置换或酉算子）的预言机访问。经典解决方案是懒惰采样（lazy sampling），即预言机不预先提交整个群元素，而是按需即时采样其部分信息。本文提出量子版本的懒惰采样——压缩预言机（或记录预言机），这是一种允许对量子查询进行即时模拟的量子数据结构。Zhandry (CRYPTO '19) 首次为随机函数引入此概念，随后Ma-Huang (STOC '25) 推广到酉算子，Carolan (STOC '26) 推广到置换，并在安全性证明和下界研究中因可解释性而广泛使用。本文从基本原理出发，定义并分析了一种通用且可解释的路径记录预言机（path-recording oracle），能完美模拟 $U(N)$ 任意闭子群的随机元素。该预言机以叠加态存储 t 个输入-输出对，更新过程通过群张量幂表示的交换子（commutant）来描述，从而透明地记录算法已学习到的信息。这一工作建立在Grinko-Yoshida (QIP '26) 近期工作的基础上，后者给出了另一种通用但缺乏清晰可解释性的压缩预言机。路径记录预言机的一个重要应用是允许直接比较不同群的压缩预言机，为证明伪随机性结果提供了新技术。例如，通过比较 $S_N$ 和 $U(N)$，可以构建出迄今为止最简单的伪随机酉算子构造：伪随机置换与随机Clifford的乘积 PC，改进了先前的 PFC 构造（Metger-Poremba-Sinha-Yuen, FOCS '24; Ma-Huang, STOC '25）。本文主要贡献包括：提出通用可解释的路径记录压缩预言机框架，分析其记录信息的能力，并展示其在伪随机性构造中的应用。适合量子算法、量子密码学及复杂性理论研究者阅读。

本文研究了大型语言模型在微调过程中面临的一种新型隐蔽攻击——嵌入式攻击（Embedded Attack）。现有防御方法主要针对显式有害内容（如直接混合有毒数据）进行过滤和检测，但攻击者可以将有害的问答对（QA pairs）嵌入到看似良性的训练样本中，例如将有害问题作为上下文的一部分隐藏在正常任务中。实验表明，现有的代表性防护措施（如基于规则的过滤器、基于分类的检测器）在逐样本检测时往往无法识别这种嵌入的有害监督。为了解决这一问题，作者提出了双参考监督微调（DR-SFT）方法。DR-SFT将DPO（直接偏好优化）中的对比学习目标设计适配到监督微调（SFT）框架中，通过引入两个参考模型（一个基于原始模型，一个基于微调后的模型）进行token级别的正则化。具体来说，DR-SFT在训练时对每个token的损失进行加权，使得模型更倾向于学习良性模式而抑制有害模式，从而减轻有害微调的效果。该方法不需要对训练数据进行粗粒度的过滤，而是从模型训练层面提供鲁棒性。在多个基准数据集上的实验验证了DR-SFT的有效性，相比现有防御方法显著降低了对有害监督的敏感性。本文适合关注LLM安全对齐、后门防御、数据投毒防御的研究人员和工程师阅读。

本研究针对联网车辆（CV）面临的Sybil攻击威胁，提出了一种基于车载数字孪生（DT）的碰撞预警框架，该框架内嵌了Sybil攻击检测能力。Sybil攻击中，攻击者通过伪造多个虚假车辆身份来欺骗通信系统，可能引发安全事故。框架核心包含两部分：一是时序卷积网络（TCN），用于学习车辆轨迹数据中的时间依赖性；二是分层可导航小世界（HNSW）算法，用于基于相似性的高效分类，从而识别虚假车辆。通过实地实验收集真实Sybil攻击数据，框架在检测虚假车辆时达到0.984的准确率、1.00的召回率和0.944的F1分数。安全评估方面，该框架将接近碰撞事件的暴露时间均值（TET）和积分时间均值（TIT）分别降低了88%和72%。此外，真实环境可行性测试表明，框架满足安全应用标准允许的最大延迟，且运行负载在现代处理器容量范围内，证明了车载DT框架作为下一代CV的Sybil攻击缓解机制的潜力。

本文提出了一种可验证且抗共谋的多方量子私有集合操作协议，重点解决阈值私有集合交集（TPSI）问题。传统的量子TPSI协议通常依赖第三方（TP）解释最终结果，偏离了TPSI的基数测试范式。作者提出了一种基于旋转量子构造的新协议，通过单光子序列的逐步处理，包括参与方数据旋转、TP-参与方掩码旋转和相关聚合旋转，生成隐藏标签测量向量。TP能够完成最终测量但无法解读结果的语义含义。基于这些隐藏测量，进一步通过不经意线性评估（OLE）的内积过程和轻量级混淆电路实现阈值决策，仅在条件满足时揭示交集大小是否达到阈值，然后有条件地重建交集。论文证明了协议的正确性和安全性，并在IBM Qiskit平台上通过量子电路仿真验证了可行性。该工作为量子安全多方计算提供了新的思路，尤其适用于需要隐私保护且抗共谋的场景。

该论文研究无线多址接入信道（MAC）下语义通信（SemCom）系统的新型安全威胁与防御机制。语义通信旨在超出传统比特级恢复，保留语义含义和任务导向信息，其共享接入特性引入了多用户语义推理的脆弱性。论文设定场景：两个发射器通过MAC与一个公共接收器通信，每个发射器将源信息映射为潜在语义表示，接收器联合重建并分类两个发射器的语义信息。攻击者可在训练阶段通过空中接口发射低功率触发波形，将其注入共享接收信号，从而植入后门（木马）。在测试阶段，再次发射相同触发波形即可选择性操纵某个发射器的语义推理结果，而对另一发射器影响极小，实现隐蔽的定向攻击。为应对此威胁，论文提出一种触发感知防御机制，通过鲁棒训练方法使接收器在受触发污染的无线观测下仍能保持正确的语义标签。实验结果表明，共享接入语义通信系统易受选择性空中后门攻击，而触发感知鲁棒训练能有效保护语义推断的完整性。该研究揭示了语义通信在无线共享环境下的新攻击面，为安全语义通信的设计提供了防御思路。

本文针对现代汽车控制器局域网（CAN）总线入侵检测系统（IDS）评估中缺乏标准化基准的问题，提出了一套跨数据集评估框架。研究背景是，随着车辆互联性增强，CAN总线安全成为关键挑战，IDS被广泛研究作为防御手段，但现有评估因实验设置不一致和缺乏统一基准，导致报告的性能高度依赖特定数据集的特征。作者整合了七个公开可用的CAN IDS数据集（不同实验条件下收集），并采用五种概念上不同的IDS方法进行跨数据集评估。核心贡献是设计了一个统一的基准测试框架，实现了对IDS方法在不同数据集上的一致性评估。实验结果表明，同一IDS方法在不同数据集上的检测性能存在显著差异，凸显了跨数据集基准测试对于评估IDS鲁棒性和泛化能力的重要性。该研究适合汽车安全研究人员、IDS开发者以及从事嵌入式系统安全的人员阅读。

该论文提出了一种针对自动驾驶车辆交通标志分类系统的物理对抗攻击方法，利用近红外光谱的持久视觉（POV）显示技术。与传统的物理攻击（如贴片或投影）不同，该方法通过动态、远程触发的内容在近红外波段进行攻击，对人类视觉不可见，从而实现了隐蔽性。研究者首先通过数字仿真确定攻击的最佳位置，然后在真实世界场景中对两种交通标志、12种不同家族的机器学习模型、多种距离（最远20米）以及不同光照条件进行了广泛评估。实验结果表明，该攻击在测试场景中具有很高的成功率。为了防御此类攻击，论文提出了两种方法：一是使用近红外截止滤光片来阻挡攻击信号；二是基于软件的检测机制，通过分析图像中的异常模式来识别攻击。此外，研究者还制作了一个人类可见的RGB版本的原型，以解决近红外POV显示的限制。该工作揭示了近红外光谱在物理对抗攻击中的潜力，并为自动驾驶系统的安全性提供了新的见解。

本文针对黑盒成员推理攻击（MIAs）中候选样本间成员信号非均匀分布的问题，提出了一种预查询样本选择框架 PSS-MIA。现有黑盒 MIA 方法通常对所有候选样本不加区分地进行查询，导致大量查询消耗在成员信号微弱的样本上，增加了查询成本与暴露风险。PSS-MIA 包含两个阶段：首先利用参考模型计算损失间隙（Loss Gap），通过估计每个样本的成员信号强度对候选样本进行排序，并选择信号最强的子集；然后仅针对选定子集进行查询，并将返回结果输入任意现有黑盒 MIA 方法进行推断。在排序阶段，作者提出了损失间隙排序（LGR）方法，利用参考模型在候选样本上的训练/非训练损失差值来量化成员信号。在 CIFAR-10、CIFAR-100 和 CINIC-10 三个数据集上，结合五种代表性黑盒 MIA 方法的实验表明，PSS-MIA 在查询预算缩减方面效果显著：在 0.1% 假阳性率约束下，分别节省至少 83.1%、60.6% 和 80.4% 的查询预算，同时保持甚至提升了推理准确率。该工作首次系统性地回答了“哪些候选样本值得查询”这一关键问题，为降低黑盒 MIA 的查询成本和暴露风险提供了高效解决方案。

该论文针对基于激光雷达（LiDAR）点云的3D目标检测器在复杂驾驶场景下的结构脆弱性进行了研究。现有工作多关注孤立3D模型的对抗鲁棒性，或聚焦于物理可实现性但未深入分析检测器行为。本文提出了一种可解释性引导的对抗分析方法：首先，提出了Saliency-LiDAR（SALL）方法，通过聚合跨场景的积分梯度（Integrated Gradient）归因，生成针对LiDAR 3D检测器的通用显著性图。然后，基于该图设计了可解释性感知平截头体攻击（EFA），选择性地扰动最具有影响力的平截头体区域，而非均匀攻击整个目标区域。在KITTI和nuScenes数据集上，针对PointPillars和SECOND等检测器的实验表明，EFA在仅扰动25%-50%的平截头体数量下，即可降低检测召回率超过15个百分点，效果优于非显著性基线方法。研究表明，现代3D检测器将判别证据集中在少量空间区域，暴露了当前LiDAR感知系统的结构性稳健性缺陷。代码已开源。适合关注自动驾驶安全、对抗性机器学习的研究人员和工程师阅读。

该论文重新审视了黑盒场景下针对语义水印的伪造攻击问题。语义水印通过将信息嵌入到潜在扩散模型（LDM）的初始噪声中实现版权保护，但现有研究表明这类水印易受黑盒伪造攻击。然而，已有方法主要依赖经验证据，缺乏对攻击成功或失败条件的严格理论理解。作者从潜在空间的率失真（rate-distortion）角度出发，分析了伪造攻击的本质。他们发现，由于代理模型和目标模型之间的结构不匹配，存在一个不可约的失真下限，从根本上限制了伪造水印的保真度。进一步，他们将该失真刻画为潜在流形上的结构化几何偏差，表现为全局漂移和局部变形，而非随机噪声。基于这些洞察，作者提出了一种与具体水印方案无关的检测方法，能够在水印验证之前区分伪造样本。大量实验证明了该方法在多种黑盒场景下的有效性，同时保持了对常见失真的鲁棒性。论文的主要贡献是提供了理论基础，解释了为何某些攻击会失败，并提出了一种实用的防御检测方法。适合从事AI安全、版权保护、生成模型安全的研究人员和从业者阅读。

本文提出校准深度伪造信任分数（CDTS），将深度伪造检测重新定义为一种校准的、自我审计的信任工具。研究发现检测器的判别能力与其信任分数的校准之间存在强耦合：当检测器的判别能力下降时，信任分数的校准也会恶化。该结论在32种配置（合并Pearson r = -0.81）、单个数据集内、通过直接诱导低能力以及第四个未见数据集上得到验证。研究涉及三种架构不同的检测器（两种卷积网络和一种CLIP视觉变换器），相关性分别为-0.88、-0.83和-0.86。此外，研究发现能力可无标签估计，从而无需标签即可监控校准风险；基于能力评估的源批次路由可降低整体AURC并改善低到中覆盖操作区域。同一能力因素还驱动了跨人口统计子组的校准不公平性（不同于准确性不公平性）和解释忠实度。论文主张检测器的可信度由能力作为共享驱动因素组织，信任评分必须考虑能力因素，并提供CDTS包装器作为机制。

自监督学习（SSL）预训练模型已成为视觉表示学习的主流范式，但它们容易受到后门攻击。现有的防御方法在完全黑盒设置下难以有效防御，因为它们通常需要访问标签、攻击模式或训练数据。为了应对这一问题，本文提出了一种新的攻击无关、模型无关、模态无关的黑盒测试时防御范式，称为“柏拉图表示防御”（Platonic Representation Defense）。该方法的灵感来源于柏拉图表示假说，该假说认为大规模独立训练的编码器会收敛到对同一底层现实兼容的投影。作者将这一思想形式化为一个条件能量函数，该函数定义在源表示和一组参考表示之上。能量函数通过噪声对比估计进行检测训练，通过去噪分数匹配进行表示净化训练。理论上，匹配样本与不匹配样本之间的能量差距由源表示与参考表示之间的互信息下界决定。作者在多个自监督编码器和超过10种攻击上验证了该方法的有效性。该方法可以同时执行表示检测和净化，并在多种攻击下取得了显著的性能提升。代码已开源。

该论文研究量子伪随机态（Pseudorandom States, PRS）的安全性放大问题。PRS是一种量子密码学原语，其安全级别由敌手可区分的副本数量表征：单副本安全（1-PRS）表示即使获得单个副本，敌手也无法将其与最大混合态区分；而t-副本安全（t-PRS）则允许敌手获得t个副本。此前，Ananth和Goldin（arXiv 2025）仅能对一类受限的1-PRS构造（即生成器仅使用少量辅助量子比特的构造）实现向t-PRS的放大。本文通过引入两个技术贡献，解决了通用放大问题：第一，他们重新梳理了构造中的随机性来源，并利用量子提取器（quantum extractors）消除了辅助寄存器（ancilla register）对长度的依赖；第二，他们证明了对任意多项式t，任何耐单副本区分攻击的1-PRS均可转化为t-PRS，且无需额外假设。该结果基于对量子状态区分优势的紧致分析，展示了如何通过随机性再分配和提取技术，在不增加辅助资源的情况下提升安全级别。实验部分（如有）未在摘要中体现，但理论证明已涵盖所有必要步骤。该工作对于量子密码学协议（如量子货币、量子认证、量子随机数生成等）中PRS的实际部署具有重要意义，因为它允许安全参数灵活扩展。

该论文聚焦于基于模型上下文协议（MCP）的智能体运行时的安全问题。MCP为语言模型应用提供了工具、资源、提示和传输的连接层，但随着智能体从连接走向执行，安全决策往往分散在客户端、服务器、提示、审批对话框、OAuth部署和日志中。论文核心问题是：运行时能否在保持MCP工作流的同时，使执行层的不变量显式化且可测试？研究者定义了八个安全不变量：元数据非权威性、授权批准、规范资源、主体绑定、作用域能力调用、源和目标数据流授权、拒绝路径审计、显式协议状态。并在HCP（Handle-Capability Protocol）参考运行时中实现这些不变量。HCP通过主体、资源、授权、能力、句柄、策略决策、数据管道检查和审计条目来表示MCP风格智能体执行的调用。论文将HCP与两个基线（朴素连接层运行时、实际连接层缓解基线）在10个基准案例上评估。结果显示朴素基线允许所有模拟攻击，缓解基线允许6/10，而HCP阻止全部10个攻击并保留审计证据。消融实验识别了哪些运行时组件阻止攻击并保留取证证据。微基准测试表明策略、调用、窥视和管道操作的平均延迟低于毫秒级。一个有限的GitHub README筛查样本提供了生态信号而非漏洞发现。结论是MCP风格智能体系统除了连接层规范外，还需要执行控制层。

该论文研究开发者在拉取请求（pull request）讨论中如何沟通漏洞信息，涵盖人类、机器人和编码代理（如GitHub Copilot等AI助手）。传统研究主要关注显式漏洞标识符（如CVE、GHSA），但隐式安全相关语言（如“未授权访问”、“SQL注入”）同样常见，且可能被忽视。随着机器人和编码代理在软件开发中日益普及，它们如何参与漏洞沟通成为新问题。本研究基于AIDev-pop数据集，计划分析pull request的标题、描述、审查评论、提交消息和时间线讨论中的显式漏洞引用和隐式安全信号。进一步探究这些引用是否与修改代码中引入或修复的漏洞相关，以及它们如何影响pull request的审查活动和结果。研究贡献在于提供大规模实证调查，揭示现代软件开发中漏洞沟通实践的现状，并比较不同参与者（人类、机器人、代理）的沟通模式。该方法有助于提升安全团队对漏洞讨论的可见性，并为自动化安全分析工具的设计提供依据。

本文研究了SSH蜜罐中非交互式攻击的普遍性。传统蜜罐设计假设攻击者会登录、打开shell并输入命令，但作者通过部署11个同时支持交互式和非交互式会话的SSH蜜罐，在15天内收集了177,622个认证会话，并使用独立的Cowrie数据集进行验证。结果发现99.23%的会话是非交互式的，仅0.10%为交互式会话。这一发现表明，专注于交互式shell或依赖会话长度和命令数量来评估成功的蜜罐可能会错过绝大多数认证攻击，导致对攻击者行为的错误理解。研究强调了非交互式攻击（如自动化工具、脚本执行）的重要性，并建议蜜罐设计应包含非交互式会话的检测能力。

本文针对量子多方阈值隐私集合交集（TPSI）问题提出了一种新协议。传统TPSI要求只有当交集基数达到预设阈值时才揭示交集，而现有量子TPSI协议通常依赖第三方（TP）解读最终结果，偏离了显式基数测试的范式。本文设计了一种基于旋转的量子构造，其中单光子序列依次经过参与方数据旋转、TP-参与方掩码旋转以及相关聚合旋转，生成隐藏标签测量向量。TP虽然能完成最终测量，但无法解读结果的语义含义。在此基础上，本文通过基于不经意线性评估（OLE）的内积过程和轻量级乱码电路实现阈值决策，仅输出交集基数是否大于等于阈值的指示函数，再根据条件重构交集。文章证明了协议的正确性和安全性，并在IBM Qiskit平台上通过量子电路仿真验证了可行性。该工作为后量子密码学中的安全多方计算提供了新思路，特别适用于需要隐私保护且只关心交集是否达到特定规模的场景。

该论文提出了一种名为 SHARD 的防御方法，旨在保护密集向量检索（如语义搜索和 RAG）中的嵌入向量不被反演攻击。现有攻击利用密集嵌入的全局几何结构，通过少量已知对齐对即可恢复秘密全局旋转（正交 Procrustes 方法）。SHARD 的核心思想是将中心化后的嵌入拆分为两部分：一个短的公共前缀（用于第一级检索）和一个私有的残差向量。残差向量被分片到 C 个单元中，每个单元使用独立的秘密密钥，并在 CKKS 同态加密下进行重排，密钥在计算中抵消，从而保留精确内积。参数 C 可调，从全局线性基线（C=1）到每个文档独享微密钥（C=N）。由于重排是全维度的，SHARD 可以恢复半 SVD 截断所牺牲的 nDCG@10 精度。同时，残差的密钥化单元使得在已知明文字典泄漏下，将残差映射回公共坐标系所需的锚点数量大约增加 C 倍（中位数从 200 到 102,400，当 C=256 时），且仅需少量加密查询。公共前缀泄露的邻域结构远少于全局嵌入，而微密钥机制使残差图在不可链接、可更新的模板下趋于零。该防御可抵抗学习型、非线性和无监督的对齐攻击。论文也坦承了局限性：单元内密钥相互抵消，目标攻击者只需约 d_priv 个锚点；若存在重叠的参考语料库，前缀仍可能泄露信息。SHARD 是一种攻击感知的几何防御，而非密码学保证。

该论文挑战了网络欺骗研究中一个常见但未经检验的假设：诱饵可以放置在攻击者可能经过的任何位置。作者针对MITRE ATT&CK v18.1框架中的所有250种攻击技术，引入了一个四准则评估体系来判断基础设施诱饵的可行性。该准则包括：防御者控制的诱饵是否可以放置、攻击者是否可能与之交互、交互能产生哪些情报、以及交互能否可靠地指示恶意行为。评估结果显示，仅有80种技术（32%）允许放置攻击者可能触及的诱饵，其余170种技术中，攻击者路径上根本不存在防御者可控制的资产以供伪造。诱饵放置模式分为两类：Sweep（攻击者在范围内广泛移动时偶遇诱饵）和Seek（攻击者主动寻找特定资产时与伪造版本交互）。此外，论文发现诱饵通常具有情报价值，但攻击者是否与之交互、交互是否可靠指示恶意行为因技术而异。作者公开了评估框架、决策规则以及逐技术评估结果，为未来的欺骗研究和部署规划提供了可审计的基线。该工作表明，不能假设基础设施诱饵适用于所有攻击者行为，部署计划需要根据具体技术特性进行定制。

该论文针对硬件性能测试报告的可信度问题提出了一种自验证的测量记录方法。当前硬件基准测试结果通常依赖读者信任，但实际中可能存在硬件错误（例如每千个核心中约有一个返回无错误提示的错误算术结果）。作者构建了一种防篡改、可独立验证的测量记录结构：论文中每个文本、表格或图表中的数值通过其内容哈希绑定到对应的观测和验证过程；整个记录构成一个哈希链接的仅追加结构（测量透明度日志），验证者无需信任生产者即可离线审计。对于矩阵乘积等运算，采用概率性身份验证（Freivalds算法），在浮点误差分析推导的容差范围内以O(k n^2)成本进行检验，错误乘积被拒绝的概率为1-2^{-k}；其他无法进行此类验证的量则附带代数校验和以及可重复性类别。进一步将检查本身视为安全对象：承诺用于离线可重复性的探针种子构成攻击面，而探针感知的对手可以在探针的零空间中隐藏破坏，甚至欺骗大多数位相同的见证者；通过从声称输出派生的Fiat-Shamir挑战可消除此漏洞。实验表明，从未授权租户的访问层面使用di/dt功率病毒和热浸泡驱动设备，既不会改变校准容差也不会产生静默错误，从而将物理故障威胁限定在罕见缺陷部件或特权攻击者，并标记了记录必须与硬件信任根组合的边界。作者在Blackwell和Hopper GPU上演示了该构造，并报告了不同精度、规模和设备下的残差底限和可重复性映射。

传统高性能计算（HPC）系统架构以速度为核心，而高安全计算机系统通常需要牺牲速度来换取安全性。然而，生命科学等众多科学领域需要同时具备高性能和安全性，以便大规模处理敏感数据。本文提出了RAMSES（Research Accelerator for Modeling and Simulation with Enhanced Security），一个从底层设计的安全增强型HPC系统，旨在在强大的安全框架内提供高性能。RAMSES集成了AMD处理器的硬件级内存加密技术，并结合IBM Storage Scale和Thales CipherTrust管理器的最先进文件加密方案，构建了一个在整个数据生命周期（静态、传输、使用中）均实现持续加密的HPC平台，符合欧洲通用数据保护条例（GDPR）、ISO/IEC 27001认证和联邦信息处理标准（FIPS）等主要数据保护标准。此外，系统实现了高级操作系统加固、多层安全架构和强制性多因素认证，使HPC环境适应更高的安全需求。来自生物医学领域的基准测试结果表明，安全环境对性能的影响有限，证明了在保持系统一致性、灵活性和用户友好性的前提下，可以实现速度与安全这两个相互冲突要求的整合。本文适合HPC架构师、安全工程师以及对安全敏感数据处理感兴趣的研究人员阅读。

这篇论文提出并证明了一个抽象障碍定理：在局部句法系统（local syntactic system）中，句法分离（syntactic separation）蕴含计算不可区分性（computational indistinguishability）。具体地，对于作用在半径 r0 内项上的局部句法系统 R，如果两个 Skolem 函数在 R 中被句法分离，则没有推导能够证明它们的等价性（情况1）。此外，任何合理的局部扩展都需要 Ω(n) 步才能打破这种分离，在基于子句-配置编码下下界提升至 Ω(2^n)（情况2）。这两个下界都是新的：推导长度下界在 Skolem 化或饱和证明的先前文献中未出现过；而密码学解读——将句法分离视为密文不可区分性，推导成本视为可忽略优势——是原创性的。论文还展示了相同的障碍（作为情况1和情况2的正式实例）支配着 Razborov 和 Rudich 的自然证明障碍（Natural Proofs barrier）、类型省略定理（Type Omitting Theorem）以及 Loff 等人（2026）的无条件 AC^0 障碍。该工作属于理论与逻辑安全领域，适合对密码学基础、证明复杂度以及电路复杂度障碍感兴趣的研究者阅读。

该论文研究有限阿贝尔商群的横向差数（transversal difference number）δ(G,H)，定义为对于有限阿贝尔群H≤G，所有横截T⊆G（即G/H的一个陪集代表系）的差集D(T)=T-T的最小基数。该不变量与有限阿贝尔分解、平铺补集以及小和集问题相关，其动机源于环面同态加密中CRT变换的域伽罗瓦标签的最新工作。论文证明了若干结果：一般下界δ(G,H) ≥ 2|G/H| - m(G,H)，其中m(G,H)是与H不交的G的最大子群的阶；该界在循环商群情形是紧的；利用Kneser定理得到交叉横截估计，从而导出精确乘积族（一个非分裂循环坐标与任意分裂因子）。特别地，论文识别出第一个真正非平凡的残余障碍：相同素数平方平面情形 G = (Z/p²Z)², H = pG。对于奇素数p，该情形是论文的技术核心，此时横截是函数F_p²→F_p²的图，D(T)分解为进位修正的有限域导数像。论文猜想对所有奇素数p有δ(G,H)=(2p-1)²，证明无条件下界3p²-p-1，并给出小素数、概率论和固定多项式证据支持该猜想。该结果主要对从事代数数论、有限域上组合问题以及同态加密基础理论的研究人员具有参考价值。

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to memory corruption.

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.

The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.

A stack overflow was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.

A double free issue was addressed with improved memory management. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

A memory corruption issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

The issue was addressed with improved input validation. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may exfiltrate data cross-origin.

A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Visiting a website may leak sensitive data.

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

A type confusion issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to memory corruption.

An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

A cross-origin issue was addressed with improved tracking of security origins. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may disclose sensitive user information.

A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious web extension may be able to cause an unexpected process crash.

The issue was addressed with improved memory handling. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

This issue was addressed with improved input validation. This issue is fixed in iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. An app may be able to cause unexpected system termination or corrupt kernel memory.

The issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. A malicious website may be able to process restricted web content outside the sandbox.

The issue was addressed with improved memory handling. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to an unexpected process crash.

Cross Site Request Forgery vulnerability in Squidex.io Squidex CMS v.7.21.0 and before allows a remote attacker to escalate privileges via the IdentityServer account profile endpoint

Mixpost through 2.6.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers by crafting malicious OAuth callback URLs with unsanitized error query parameters. Attackers can exploit the OAuth callback controller's failure to sanitize error parameters before rendering them through Laravel flash m

Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.

A security flaw has been discovered in seladb PcapPlusPlus 25.05. This impacts the function pcpp::ModbusLayer::getLength in the library Packet++/header/ModbusLayer.h of the component Modbus Protocol Handler. The manipulation of the argument length results in heap-based buffer overflow. The attack can be launched remotely. A high complexity level is associated with this attack. The exploitability i

Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.

Improper neutralization in the Snowpark annotation processor callback template in Snowflake CLI versions prior to 3.19 allowed arbitrary code execution during application bundling or deployment. An attacker could exploit this by supplying crafted project content that is interpolated into generated Python code, causing Snowflake CLI to execute attacker-controlled code in the local context of the us

## Summary **Description** An Improper Authentication (CWE-287) issue in OpenAM's OAuth2 private_key_jwt client authentication path allows any registered OAuth2 client to mint tokens in the name of any other client whose key is published via a jwks_uri, without knowing the victim's signing key. This affects OpenAM Community Edition through version 16.0.6 and was patched in version 16.1.1. ## Im

## Summary **Description** A Protection Mechanism Failure (CWE-693) in OpenAM's server-side scripting sandbox allows an authenticated script author execute operating-system commands from the OpenAM JVM with the default class allow and deny lists. This impacts OpenAM Community Edition through version 16.0.6. This issue was patched in version 16.1.1. ## Impact An authenticated user (for example,

The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execut

Time-of-check time-of-use (TOCTOU) race condition vulnerability in Samsung Open Source Escargot allows Leveraging Race Conditions. This issue affects Escargot: bab3a5797557014ce3c2e28419a6310cfba90d0d.

rtapi_app in linuxcnc-uspace in LinuxCNC before 2.9.9 allows privilege escalation. It is installed SUID root and loads shared library modules via dlopen() by using a user-supplied module name. Insufficient validation of the module name allows path traversal, enabling an unprivileged local user to load an arbitrary shared library. Because the process retains elevated privileges during module loadin

NLTK version 3.9.4 is vulnerable to a path traversal attack due to an incomplete fix for GitHub Issue #3504. The `_UNSAFE_NO_PROTOCOL_RE` regex in `nltk/data.py` checks for literal `../` sequences but fails to account for percent-encoded traversal sequences such as `..%2f`. The `url2pathname()` function decodes these sequences after the validation step, allowing an attacker to bypass the protectio

A heap buffer overflow in the HighPriorityASDUQueue_hasUnconfirmedIMessages function of lib60870 v2.3.3 to v2.3.6 allows attackers to cause a Denial of Service (DoS) via a crafted payload.

A buffer overflow in the Get_Attribute_List function of EIPStackGroup OpENer commit 76b95c allows attackers to cause a Denial of Service (DoS) via supplying a crafted Common Packet Format (CPF) packet.

Strapi users-permissions plugin fails to restrict JWT algorithms when plugin::users-permissions.jwt.algorithm is not explicitly configured, allowing acceptance of HS384 and HS512 tokens alongside HS256. Attackers possessing the jwtSecret can mint tokens with non-standard HMAC variants to bypass algorithm restrictions and weaken authentication controls.

A heap buffer overflow in the TS7Worker::PerformFunctionWrite() function (/core/s7_server.cpp) of snap7 v1.4.3 allows attackers to cause a Denial of Service (DoS) via a crafted packet.

## Summary The `checkUserPassword` GraphQL query in Dgraph is vulnerable to DQL (Dgraph Query Language) injection. User-supplied password values are interpolated directly into a DQL `checkpwd()` query via `fmt.Sprintf` without any escaping or parameterization. An attacker can inject a password containing a double-quote character to break out of the DQL string literal and append arbitrary DQL quer

PBackupVSS.exe in Matrix42 Empirum before 25.5 and 26.x before 26.2 creates a named pipe (\\.\pipe\PBackupVSS) with a DACL that grants GENERIC_READ and GENERIC_WRITE permissions to all authenticated users. A low-privileged local attacker can connect to this pipe and send crafted IPC messages to trigger execution of arbitrary commands with SYSTEM privileges via an untrusted search path. This allows

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in the number guess example for Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that have reached end of support may also be affected. User

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty authorisation constraints were not included when the effective web.xml was logged. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support

Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat's rewrite valve meant that if the first condition in an OR chain matched, subsequent non-OR conditions were skipped. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100. Other versions that have reached end of support m

JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth. In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token's contents buffer is therefore leaked on every call, and the

Improper Authentication vulnerability in Apache Tomcat allowed a replay attack against the EncryptionInterceptor in the cluster component. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, whi

Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1 through 10.1.36, from 9.0.0.M1 through 9.0.100, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. U

JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whit

Improper Authorization vulnerability in Apache Tomcat leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions that

Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM based connector. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which fixes the issue.

luci-app-tailscale-community contains a command injection vulnerability in the tailscale.do_login RPC method that allows authenticated users to execute arbitrary commands as root. The vulnerability exists because user-controlled loginserver and loginserver_authkey parameters are improperly quoted within a double-quoted shell command, allowing shell substitutions like $() to be evaluated by the out

CSS::Minifier::XS versions before 0.14 for Perl have a memory leak when the entire document is minified away. The minify function has a memory leak when processing a document containing only characters to be removed, such as comments and whitespace.

A flaw was found in p11-kit. The RPC message attribute parsing functions p11_rpc_message_get_attribute() and p11_rpc_message_get_attribute_array_value() form a mutually-recursive call chain with no recursion depth limit when processing nested CKA_WRAP_TEMPLATE, CKA_UNWRAP_TEMPLATE, and CKA_DERIVE_TEMPLATE attributes. An unauthenticated attacker with local access to the p11-kit RPC Unix domain sock

Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.

Mythic before 3.4.0.60 contains an authorization bypass vulnerability in four REST endpoints (c2profile_config_check_webhook, c2profile_redirect_rules_webhook, c2profile_get_ioc_webhook, c2profile_sample_message_webhook) that fail to verify payload ownership. An operator in one operation can invoke these endpoints with a known payload UUID from another operation to access that operation's C2 profi

ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read ope

ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachmen

Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them

SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to per

Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or interc

Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.

Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.

Papermark through 0.22.0 contains a cross-origin resource sharing (CORS) misconfiguration vulnerability that allows unauthenticated remote attackers to perform credentialed cross-origin requests by exploiting the TUS-based viewer upload endpoint reflecting arbitrary request Origins with Access-Control-Allow-Credentials set to true. Attackers can lure authenticated victims to malicious pages that s

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tena

Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unautho

A vulnerability was detected in liftoff-sr CIPster up to e8e9dba09bf56962807d3504b783ccdb6287f3e4. Affected by this issue is the function BufWriter::append of the component EtherNet IP Message Handler. Performing a manipulation results in out-of-bounds write. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach fo

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the input does not alter the scheme, host, or user info, it relies on ResolveReference for the final URL

Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin passwords and achieve full account takeover.

Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notificatio

Gigamon GVOS v5.16.1 and below is vulnerable to Directory Traversal in the GVOS H-VUE subsystem.

LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos belonging to other users.

LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-F

A weakness has been identified in DeepMyst Mysti 0.4.0. Affected is the function _isTrackedConversation of the file src/managers/ChannelBridge.ts of the component Contact Tracking. This manipulation of the argument _channelType causes improper authorization. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The e

Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from share metadata and specify them in projection parameters to read field values that are intended to be restr

PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.

An authenticated stack-based buffer overflow vulnerability exists in the web management interface of TP-Link TL-WR841N v14. A remote authenticated attacker can send crafted HTTP requests to cause the embedded web server to overflow a stack buffer, resulting in a crash of the affected process. Successful exploitation results in a denial-of-service condition, causing the device to crash and automa

Insertion of sensitive information into log files in Snowflake CLI versions prior to 3.19 allowed plaintext credentials to be written to persistent local debug logs. An attacker could exploit this by obtaining read access to the affected user's local log files, causing credentials such as passwords, tokens, or private key material to be exposed without additional application-level safeguards. Succ

A vulnerability was determined in seladb PcapPlusPlus 25.05. The impacted element is the function pcpp::SSLClientHelloMessage::getHandshakeVersion of the file Packet++/src/SSLHandshake.cpp of the component TLS Hello Handler. Executing a manipulation of the argument handshakeVersion can lead to heap-based buffer overflow. It is possible to launch the attack remotely. This attack is characterized by

Honeywell IQ MultiAccess, all versions prior to and including version 28, contain an improper digital signature verification vulnerability. An attacker could potentially exploit this vulnerability, leading to the replacement of downloaded file with a malicious one. Honeywell also recommends updating to the most recent version of this product, service, or offering [V27 SP1, V28 SP1]

Improper restriction of file path resolution in Snowflake CLI versions prior to 3.19 allowed arbitrary local file content to be read and transmitted to Snowflake services. An attacker could exploit this by supplying crafted repository or project content that referenced files outside the intended project boundary, causing Snowflake CLI to read local files and upload or embed their contents during d

Improper handling of untrusted remote references in Snowflake CLI versions prior to 3.19 allowed server-side request forgery. The SQL statement reader's !source/!load directives could reference remote URLs that were retrieved at runtime without sufficient restriction on the request destination. By supplying crafted SQL content processed through a vulnerable command path, an attacker could cause th