Latest News

Security researchers exploited dozens of vulnerabilities in vehicle infotainment systems and EV chargers during the latest Pwn2Own contest at Automotive World 2026.

Mass scanning is underway for CVE-2026-20045, which Cisco tagged as critical because successful exploitation could lead to a complete system takeover.

GCVE would enhance global collaboration, flexibility, and efficiency in tracking security flaws. Duplicate entries and a decentralization policy may create more chaos for defenders.

### Summary Several public API endpoints return email addresses and non‑public records (e.g. open questions with isVisible=false). ### Details OpenQuestionController::list() calls Question::getAll() with the default showAll=true, returning invisible questions and their emails. Similar exposures exist in comment/news/faq APIs. ### PoC ``` curl -i -H 'Accept-Language: en' \ http://192.168.40.16/phpmyfaq/api/v3.0/open-questions ``` ### Impact Privacy exposure of email addresses and non‑public content; increased risk of phishing/scraping.

### Summary Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. ### Details SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path. ### PoC Precondition: API enabled, any authenticated non‑admin user. - Log in as a non‑admin user. - Call backup endpoint. ``` curl -c /tmp/pmf_api_cookies.txt \ -H 'Content-Type: application/json' \ -d '{"username":"tester","password":"Test1234!"}' \ http://192.168.40.16/phpmyfaq/api/v3.0/login curl -i -b /tmp/pmf_api_cookies.txt \ -X POST --data '4.0.16' \ http://192.168.40.16/phpmyfaq/api/setup/backup ``` ### Impact Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposu...

### Summary A logged‑in user without the dlattachment right can download FAQ attachments. This is due to a permissive permission check in attachment.php that treats the mere presence of a right key as authorization and a flawed group/user logic expression. ### Details In attachment.php, the access decision uses: ```($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment'])``` isset() returns true even when the right value is false, and the logic simplifies to $groupPermission for some permission modes. As a result, a user without dlattachment can still access the attachment. ### PoC Precondition: A non‑admin user exists; an attachment is associated to a FAQ record; records.allowDownloadsForGuests = false. Log in as a non‑admin user without dlattachment. Request the attachment download endpoint. ``` curl -c /tmp/pmf_api_cookies.txt \ -H 'Content-Type: application/json' \ -d '{"username":"tester","password":"Test1234!"}' \ http://192.168.40....

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.

A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).

US Customs and Border Protection is paying General Dynamics to create prototype “quantum sensors,” to be used with an AI database to detect fentanyl and other narcotics.

# CSA-2026-001: Tachyon ## Description **Name:** CSA-2026-001: Tachyon **Criticality:** Critical (Catastrophic Impact; Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md)) **Affected versions:** All versions of CometBFT **Affected users:** Validators and protocols relying on block timestamps ## Description A consensus-level vulnerability was discovered in CometBFT's "BFT Time" implementation due to an inconsistency between how commit signatures are verified and how block time is derived. This breaks a core BFT Time guarantee: "A faulty process cannot arbitrarily increase the Time value." ## Impact Downstream impact on chains affects any module, smart contract, or system that relies on the block timestamp. ## Patches The new CometBFT releases [v0.38.21](https://github.com/cometbft/cometbft/releases/tag/v0.38.21) and [v0.37.18](https://github.com/cometbft/cometbft/releases/tag/v0.37.18) fix this issue. The `...