[webapps] xibocms 3.3.4 - RCE
xibocms 3.3.
Vulnerability Disclosure
20 articles
What Anthropic Glasswing reveals about the future of vulnerability discovery
AI giant Anthropic has unveiled Project Glasswing, a cybersecurity initiative built around Claude Mythos Preview, a model it describes as “cybersecurity in t...
Hackers exploit critical flaw in Ninja Forms WordPress plugin
A critical vulnerability in the Ninja Forms File Uploads premium add-on for WordPress allows uploading arbitrary files without authentication, which can lead...
New CUPS vulnerabilities threaten RCE, network breaches
Attackers could combine a pair of newly discovered vulnerabilities in the Common Unix Printing System used by Linux and other Unix-like systems to facilitate...
A Little Bit Pivoting: What Web Shells are Attackers Looking for?, (Tue, Apr 7th)
Webshells remain a popular method for attackers to maintain persistence on a compromised web server. Many "arbitrary file write" and "remote code execution" ...
GrafanaGhost Vulnerability Allows Data Theft via AI Injection
GrafanaGhost is a critical vulnerability in Grafana’s AI components that uses indirect prompt injection and protocol-relative URL bypasses to exfiltrate data.
Critical Flowise Vulnerability in Attacker Crosshairs
The improper validation of user-supplied JavaScript code allows attackers to execute arbitrary code and access the file system. The post Critical Flowise Vul...
GPU Rowhammer Attack Enables Privilege Escalation and Full System Compromise
GPUBreach uses GPU Rowhammer on GDDR6 to flip bits, corrupt page tables and escalate to system root
Malicious email delivers advanced malware with privilege escalation and evasion tactics
The attack chain begins with a user receiving an email containing a URL that downloads an encoded .cmd file.
Severe StrongBox Vulnerability Patched in Android
A critical DoS vulnerability in the Framework component of Android has also been fixed with the latest update. The post Severe StrongBox Vulnerability Patche...
GrafanaGhost Exploit Bypasses AI Guardrails for Silent Data Exfiltration
GrafanaGhost chains AI prompt injection and URL flaws to exfiltrate sensitive Grafana data
CUPS Vulnerabilities Could Allow Remote Attackers to Achieve Root-Level Code Execution
A team of AI-driven vulnerability hunting agents directed by security researcher Asim Viladi Oglu Manizada has discovered two critical security flaws in CUPS...
Windmill Developer Platform Flaws Expose Users to RCE Attacks, Proof-of-Concept Published
Cybersecurity researchers have discovered critical vulnerabilities in the Windmill developer platform and Nextcloud Flow, an integration embedding the Windmi...
GPUBreach Attack Could Lead to Full System Takeover and Root Shell Access
A newly discovered vulnerability dubbed “GPUBreach” demonstrates that GPU-based Rowhammer attacks can now achieve complete system compromise. Scheduled for p...
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure
Advisory at a Glance Title Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure Original Publication Apri...
GPUBreach exploit uses GPU memory bit-flips to achieve full system takeover
GPUBreach attack technique uses GPU memory bit-flips to escalate privileges and potentially take full control of a system. New research shows that attacks li...
Critical Android Flaw Allows Zero-Interaction Denial-of-Service Attacks
Google has rolled out its April 2026 Android Security Bulletin, addressing multiple vulnerabilities across the mobile operating system. The most alarming dis...
New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips
New academic research has identified multiple RowHammer attacks against high-performance graphics processing units (GPUs) that could be exploited to escalate...
Threat Actors Exploit LogMeIn Resolve, ScreenConnect in Phishing Campaigns
Threat actors are abusing legitimate remote monitoring and management (RMM) tools LogMeIn Resolve and ScreenConnect in a multi‑stage phishing campaign that b...
The case for fixing CWE weakness patterns instead of patching one bug at a time
In this Help Net Security interview, Alec Summers, MITRE CVE/CWE Project Lead, discusses how CWE is moving from a background reference into active use in vul...