CNNVD
added 2026/05/24 12:00 a.m. | 6 views

Vane access control error vulnerability

Vane is a privacy-oriented AI chatbot engine developed by Kushagra Srivastava. It supports both local and cloud models. Versions of Vane prior to 1.12.1 contained an access control vulnerability. This vulnerability stemmed from an unknown feature in the file route.ts within the component API, whi...

CVSS 6.3 | AI score 6.1 | EPSS 0.00437
Exploits: 0 | References: 7
Positive Technologies
added 2026/05/24 12:00 a.m. | 14 views

PT-2026-42934

A vulnerability has been found in JeecgBoot 3.9.1. This issue affects some unknown processing of the file /openapi/call/ of the component OpenAPI Endpoint. Such manipulation leads to improper authentication. The attack can be executed remotely. A high complexity level is associated with this...

CVSS 6.3 | AI score 5.1 | EPSS 0.00357
Exploits: 0 | References: 3
Positive Technologies
added 2026/05/24 12:00 a.m. | 12 views

PT-2026-42932

A security vulnerability has been detected in ItzCrazyKns Vane up to 1.12.1. Affected by this issue is some unknown functionality of the file route.ts of the component API. The manipulation leads to missing authentication. The attack may be initiated remotely. The attack's complexity is rated as...

CVSS 6.3 | AI score 5.2 | EPSS 0.00437
Exploits: 0 | References: 7
Redos
added 2026/05/24 12:00 a.m. | 11 views

ROS-20260524-73-0027

Vulnerability in docker-ce related to bypassing the authentication procedure by using an alternate path or channel. Exploitation of the vulnerability could allow an attacker acting remotely to bypass existing security restrictions...

CVSS 8.8 | AI score 7.3 | EPSS 0.08123
Exploits: 1
CheckPoint Security
added 2026/05/24 12:00 a.m. | 9 views

CVE-2026-48133 Identity Awareness Captive Portal - Unauthenticated Local File Inclusion

Symptoms: When the Identity Awareness blade is enabled with Browser-Based Authentication, an unauthenticated user may be able to read certain internal files on the Security Gateway. This issue affects R82.10 with Jumbo Hotfix Take 6 or below, R82 with Jumbo Hotfix Take 91 or below, R81.20 with...

CVSS 7.5 | AI score 5.5 | EPSS 0.0475
Exploits: 0
CheckPoint Security
added 2026/05/24 12:00 a.m. | 9 views

CVE-2026-48136 - Authenticated Administrator Role-Based Access Control Bypass in Compliance

Symptoms: When Compliance is enabled on Check Point Multi-Domain Management, an authenticated administrator with read-write access to one Management Domain CMA can modify stored metadata associated with Compliance Best Practices in another Management Domain, where the administrator has no access...

CVSS 4.1 | AI score 5.8 | EPSS 0.04102
Exploits: 0
GithubExploit
added 2026/05/23 8:25 p.m. | 91 views

Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Apple Ipados

dyld-signing-oracle-poc: A controlled exploration of dyld's pa...

CVSS 7.8 | AI score 6 | EPSS 0.01319
Exploits: 4
EUVD
added 2026/05/23 6:30 p.m. | 12 views

EUVD-2018-21863

Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting editprofile.php with hidden fields for email and password parameters that...

CVSS 5.3 | AI score 5.8 | EPSS 0.00132
Exploits: 0 | References: 4
The Hacker News
added 2026/05/23 4:35 p.m. | 24 views

npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks

GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve a release prior to the packages becoming publicly available for installation. Called staged publishing, the feature is now generally available on...

AI score 5.9
Exploits: 0
OSV
added 2026/05/23 1:51 p.m. | 3 views

MAL-2026-4469 Malicious code in @zaamx/netme (npm)

Source: amazon-inspector 3ff8cae34ceeb5f691ca4c4f92fbe10d0bc4e6b9eddf081e7c99ab1ee6193c98. This Medusa plugin hardcodes outbound POST requests to https://n8n.lidxi.com/webhook/ in multiple subscribers and admin routes, with no configuration...

AI score 5.8
Exploits: 0 | References: 2
HackRead
added 2026/05/23 11:16 a.m. | 11 views

RondoDox Botnet Exploits Critical 2018 Vulnerability to Hijack ASUS Routers

Cybersecurity firm VulnCheck reveals hackers are using a critical 2018 vulnerability to bypass authentication and hack over a million ASUS routers...

AI score 5.8
Exploits: 0
Veracode
added 2026/05/23 5:11 a.m. | 14 views

Remote Code Execution (RCE)

9router is vulnerable to Remote Code Execution (RCE). The vulnerability is due to missing authentication checks on /api/cli-tools/ and /api/mcp/ endpoints, which allows an attacker to chain unauthenticated API calls and execute arbitrary OS commands remotely...

AI score 6.1 | EPSS 0.00147
Exploits: 0 | References: 1 | Affected software: 1
CVE
added 2026/05/23 4:27 a.m. | 29 views

CVE-2026-6898

CVE-2026-6898 affects the WordPress plugin "Wishlist Member." The vulnerability arises from a missing capability check in WishListMember3_Hooks::generate_api_key, present in all versions up to 3.30.1. This allows authenticated users with Subscriber-level access and above to modify the REST API Se...

CVSS 8.8 | AI score 5.8 | EPSS 0.00244
Exploits: 0 | References: 2
OSV
added 2026/05/23 12:18 a.m. | 4 views

GHSA-HVV7-HFRH-7GXJ Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members

Summary: Any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user ...

CVSS 6.5 | AI score 5.8 | EPSS 0.0027
Exploits: 0 | References: 2
OSV
added 2026/05/23 12:16 a.m. | 8 views

GHSA-JPJH-JM2P-39HH Arcane: Missing admin authorization on global variables endpoint

Summary: The PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token...

CVSS 8.8 | AI score 6 | EPSS 0.00245
Exploits: 0 | References: 3
Github Security Blog
added 2026/05/23 12:16 a.m. | 16 views

Arcane: Missing admin authorization on global variables endpoint

Summary: The PUT /api/environments/id/templates/variables endpoint, which writes the system-wide .env.global file used for variable substitution in every project's compose file, is missing an admin authorization check. Any authenticated non-admin user can call this endpoint with their bearer token...

CVSS 8.8 | AI score 6 | EPSS 0.00245
Exploits: 0 | References: 3 | Affected software: 1
Github Security Blog
added 2026/05/23 12:11 a.m. | 25 views

Parse Server: Pre-authentication denial of service via client version header regex backtracking

Impact: An unauthenticated attacker who knows a publicly-known Parse Application ID can submit a single HTTP request whose client SDK version field contains adversarial input that triggers polynomial backtracking in a request-header parser. The parsing runs before session authentication and before...

CVSS 8.7 | AI score 5.9 | EPSS 0.00584
Exploits: 0 | References: 5 | Affected software: 1
NVD
added 2026/05/22 11:16 p.m. | 16 views

CVE-2026-47280

Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network...

CVSS 10 | EPSS 0.00494
Exploits: 0 | References: 1
NVD
added 2026/05/22 11:16 p.m. | 13 views

CVE-2026-33843

Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network...

CVSS 9.8 | EPSS 0.00473
Exploits: 0 | References: 1
NVD
added 2026/05/22 10:16 p.m. | 13 views

CVE-2026-41076

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior, in addition to 6.0.0 through 6.0.2, contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker m...

CVSS 8.1 | EPSS 0.00392
Exploits: 0 | References: 3