// Vulnerability Research
Vulnerability research for AI-built websites and applications.
Source-backed notes on vulnerabilities in AI-generated web applications, BaaS stacks, front-end bundling, authentication, and dependency security.
Mbed TLS Double-Free Vulnerability (CVE-2021-44732)
CVE-2021-44732 affects older Mbed TLS releases in a session-handling error path. FixVibe repo scans can now flag affected version evidence in source and build metadata, while making clear that the scan did not run Mbed TLS, force out-of-memory behavior, or prove exploitation.
All research
52 articles
Missing Authentication in Moxa NPort Series Devices (CVE-2016-9369)
Moxa NPort serial device servers before the vendor-fixed firmware releases are associated with CVE-2016-9369. FixVibe can flag strong HTTP model and firmware-version evidence as a version-based advisory during verified active scans without attempting firmware updates, unauthenticated administrative actions, or exploit confirmation.
Schneider Electric Modicon M221 Authentication Replay Advisory (CVE-2018-7790)
FixVibe can flag public Modicon M221 HTTP product and firmware-version evidence associated with CVE-2018-7790 as a version-based advisory. The scan does not replay authentication, query industrial protocols, upload PLC programs, or prove unauthorized access.
Langflow CORS Misconfiguration Enables Account Takeover and RCE (CVE-2025-34291)
GitHub, NVD, and CISA describe CVE-2025-34291 as a critical Langflow CORS issue affecting versions 1.6.9 and earlier. FixVibe covers it with a verified-target check that combines Langflow version and fingerprint evidence with credentialed CORS header reflection, without authenticating, reading tokens, triggering refresh flows, or proving code execution.
PickleScan ZIP Archive Scan Bypass (CVE-2025-10156)
FixVibe can flag repositories that declare PickleScan versions before 0.0.31, which public advisories associate with a ZIP archive scan-bypass issue. The scanner reports dependency evidence, affected range, fixed version, confidence, and what was not verified; it does not run PickleScan, create corrupted archives, load models, or prove code execution.
Malware in @tanstack/arktype-adapter Exfiltrates Credentials (CVE-2026-45321)
The TanStack npm supply-chain compromise included @tanstack/arktype-adapter versions 1.166.12 and 1.166.15. These package versions contained embedded malware; teams should remove them, rebuild cached install environments, and rotate credentials if either version was installed.
Arbitrary Code Execution in NLTK via Zip Slip (CVE-2025-14009)
NLTK versions through 3.9.2 are associated with CVE-2025-14009, a downloader Zip Slip advisory that can lead to arbitrary code execution when malicious or compromised packages are extracted. Upgrade to 3.9.3 or newer.
Apache Tomcat Sensitive Information Disclosure (CVE-2021-25122)
Apache Tomcat h2c request handling in affected 8.5.x, 9.0.x, and 10.0.x release lines can mix request headers and limited body data between users. Upgrade to 8.5.63, 9.0.43, 10.0.2, or newer for the release line in use.
Information Disclosure via Undocumented TRACK Method in Microsoft IIS 5.0
CVE-2003-1567 covers Microsoft IIS 5.0 TRACK behavior that can echo request content. FixVibe now reports this as a verified active-scan finding when target-specific, non-sensitive evidence shows legacy TRACK echo behavior, while clearly separating that evidence from proof of cookie theft or compromise.
Stack-Based Buffer Overflow in Orpak SiteOmat CGI Components (CVE-2017-14854)
FixVibe verified active scans can now identify strong Orpak SiteOmat BOS product and version evidence associated with CVE-2017-14854. Findings are reported as version-based advisories: FixVibe verifies the exposed SiteOmat version, not CGI crash behavior or code execution.
Microsoft ATL COM Initialization Advisory (CVE-2009-2493)
Microsoft ATL components and controls built with affected ATL headers can be exposed to CVE-2009-2493 under COM initialization conditions. FixVibe now treats this as covered by its repo source/build advisory for legacy Visual C++ ATL projects, without claiming build-machine patch state, deployed ActiveX or COM exposure, or live code-execution proof.
Apache Tomcat EncryptInterceptor Bypass (CVE-2026-34486)
FixVibe covers CVE-2026-34486 as a repo-scan version advisory for exact Apache Tomcat releases, while keeping clustering and plaintext-disclosure conditions explicit.
Information Disclosure in Microsoft Visual Studio ATL (CVE-2009-2495)
CVE-2009-2495 is an information-disclosure issue in Microsoft ATL-built components and controls. FixVibe covers it with MS09-035 repo scan evidence for legacy Visual C++ ATL build metadata, reported as source/build advisory context rather than exploit confirmation.
Critical Input Validation Vulnerability in PowerLogic EGX Gateways (CVE-2021-22765)
FixVibe already covers CVE-2021-22765 through the shipped PowerLogic EGX verified-active HTTP product/firmware advisory check. The detector flags public EGX100 firmware or EGX300 product evidence for the shared Schneider advisory family without sending crafted HTTP packets, authenticating, querying industrial protocols, crash-testing, or proving exploitability.
Traffic Interception in Kubernetes via ExternalIPs (CVE-2020-8554)
FixVibe repo scans can flag Kubernetes Service manifests that explicitly set non-empty spec.externalIPs as static source/config hardening evidence for CVE-2020-8554. The check does not inspect live clusters, RBAC, admission policy, deployed Services, or traffic paths.
Authentication Bypass in SiteOmat BOS (CVE-2017-14728)
SiteOmat BOS versions before 6.4.414.084 are associated with CVE-2017-14728. FixVibe reports strong public HTTP product/version evidence during verified active scans without attempting default credentials, SSH login, broad port scans, state-changing management actions, or unauthorized access.
Critical Remote Code Execution in PowerLogic EGX Gateways (CVE-2021-22768)
CVE-2021-22768 is an improper input validation issue in Schneider Electric PowerLogic EGX100 and EGX300 gateways. FixVibe covers the public HTTP product and firmware evidence for the affected range without sending crafted packets or attempting exploitation.
Sweet32: Birthday Attack Vulnerability in 64-bit Block Ciphers (CVE-2016-2183)
Sweet32 (CVE-2016-2183) affects encrypted sessions that negotiate DES or Triple DES (3DES) 64-bit block ciphers. The practical risk depends on attacker traffic visibility and enough data under long-lived session conditions, but public TLS endpoints should not negotiate these ciphers.
SQL Injection in Ghost Content API (CVE-2026-26980)
Ghost versions 3.24.0 through 6.19.0 are vulnerable to a critical SQL injection in the Content API (CVE-2026-26980), allowing unauthenticated data access.
Ghost versions 3.24.0 through 6.19.0 contain a critical SQL injection vulnerability in the Content API. This allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to data exfiltration or unauthorized modifications.
## Impact
Ghost versions 3.24.0 through 6.19.0 are affected by a critical SQL injection vulnerability in the Content API (CVE-2026-26980). An unauthenticated attacker can exploit this flaw to execute arbitrary SQL commands against the underlying database. Successful exploitation may expose sensitive user data or allow unauthorized modification of site content. The vulnerability carries a CVSS score of 9.4, reflecting its severity.
## Root Cause
The issue stems from improper input validation in the Ghost Content API (CVE-2026-26980). Specifically, the application fails to properly sanitize user-supplied data before incorporating it into SQL queries, which lets an attacker manipulate the query structure by injecting malicious SQL fragments.
## Affected Versions
Ghost versions from **3.24.0** through **6.19.0** are affected by CVE-2026-26980.
## Fix
Administrators should upgrade their Ghost installation to version **6.19.1** or later to address CVE-2026-26980. This release includes a patch that properly neutralizes input used in Content API queries.
## Vulnerability Identification
Identifying this vulnerability requires checking the installed Ghost package version against the affected range (3.24.0 through 6.19.0). Systems running these versions are considered at high risk of SQL injection through the Content API.
Remote Code Execution in SPIP via Template Tags (CVE-2016-7998)
SPIP 3.1.2 and earlier are vulnerable to remote code execution through malicious template tags in uploaded HTML files.
SPIP versions 3.1.2 and earlier contain a vulnerability in the template composer. Authenticated attackers can upload HTML files with crafted INCLUDE or INCLURE tags to execute arbitrary PHP code on the server.
## Impact
An authenticated attacker can execute arbitrary PHP code on the underlying web server (CVE-2016-7998). This allows full system compromise, including data exfiltration, modification of site content, and lateral movement within the hosting environment.
## Root Cause
The vulnerability lies in the SPIP template composer and compiler component. When processing uploaded files, the system fails to properly validate or sanitize input inside specific template tags. Specifically, the compiler mishandles crafted INCLUDE or INCLURE tags in HTML files. When these uploaded files are later accessed through the application, the malicious tags are processed, resulting in PHP code execution.
## Affected Versions
* SPIP version 3.1.2 and all prior versions (CVE-2016-7998).
## Fix
Update SPIP to a version later than 3.1.2 to address CVE-2016-7998. Ensure that file upload permissions are strictly limited to trusted administrative users, and that uploaded files are not stored in a directory from which the web server can execute them as scripts.
## How FixVibe Tests for CVE-2016-7998
FixVibe detects this vulnerability primarily through two methods:
1. **Passive fingerprinting:** By analyzing HTTP response headers or specific meta tags in the HTML source, FixVibe can identify the running SPIP version. If the version is 3.1.2 or lower, a high-severity alert is raised.
2. **Repository scanning:** For users with a connected repository, FixVibe's repository scanner can inspect dependency files or version-defining constants in the SPIP source code to identify installations vulnerable to CVE-2016-7998.
