CVE-2026-7255

CVE-2026-7255 affects Zyxel WRE6505 v2 web management interface. The issue is an improper restriction of excessive authentication attempts, enabling an adjacent attacker on the LAN to brute-force the password and bypass authentication. Reported with a CVSS 3.1 base score of 6.5 (Medium) and an at...

CVE-2026-7255

UNSUPPORTED WHEN ASSIGNED An improper restriction of excessive authentication attempts vulnerability in the web management interface of Zyxel WRE6505 v2 firmware version V1.00ABDV.3C0 could allow an adjacent attacker on the LAN to brute-force the password and bypass authentication...

CVE-2026-34263

SAP Commerce Cloud is affected by CVE-2026-34263 due to a Spring Security misconfiguration that allows an unauthenticated user to upload malicious configuration and inject code, enabling arbitrary server-side code execution. The entry states high impact to Confidentiality, Integrity, and Availabi...

CVE-2026-34263 Missing authentication check in SAP Commerce cloud configuration

Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity, and Availability of the application...

CVE-2026-45362

Sangoma Switchvox before 8.4 places cleartext SIP authentication credentials in a backup file...

MAL-2026-3433 Malicious code in @beproduct/nestjs-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eead7b1c6446924fec345e042b8bd966ea184deae755f876326cf99040f5f107 The package @beproduct/nestjs-auth was found to contain malicious code. Source: ghsa-malware...

CVE-2026-31241

The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint DELETE /memories. The endpoint allows unauthenticated users to delete memory records by specifying arbitrary user identifiers e.g., userid, runid, agentid in the request query parameters. A...

PT-2026-40455

Name of the Vulnerable Software and Affected Versions arduino-esp32 versions prior to 3.3.8 Description The WebServer Digest authentication implementation computes the authentication hash using the URI field from the client's Authorization header without verifying that it matches the actual...

Pandora FMS 安全漏洞

Pandora FMS is a monitoring system developed by the American company Pandora FMS. This system provides visual monitoring of networks, servers, virtual infrastructure, and applications. There are security vulnerabilities in the 777 to 800 version of Pandora FMS. These vulnerabilities stem from...

CVE-2026-31243

The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a CREATE...

GoJobs API 访问控制错误漏洞

The GoJobs API is a high-performance job platform REST API developed by Manav Mahesh Sanger. The GoJobs API has an access control vulnerability, which stems from the lack of authentication and authorization checks in the job retrieval endpoints. This vulnerability may allow unauthorized users to...

PT-2026-40049

Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800...

PT-2026-40127

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memory id are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...

PT-2026-40289

The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow...

PT-2026-40121

Horovod thru 0.28.1 contains an insecure deserialization vulnerability CWE-502 in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT...

Ivanti Endpoint Manager 安全漏洞

Ivanti Endpoint Manager EPM is a set of endpoint security managers developed by the American company Ivanti. Versions of Ivanti Endpoint Manager prior to EPM 2024 SU6 contained security vulnerabilities. These vulnerabilities stemmed from exposed dangerous methods on the core server, which could...

Parse Server 竞争条件问题漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were vulnerabilities due to concurrency issues in versions of Parse Server prior to 8.6.76 and 9.9.0-alpha.2. These vulnerabilities stemmed from concurrency...

mem0 安全漏洞

mem0 is an open-source benchmark tool for efficient memory algorithms developed by Mem0. Version 1.0.0 of mem0 contains a security vulnerability. This vulnerability stems from the lack of authentication and authorization controls in the memory deletion API endpoint, which could allow remote...

Pingvin Share 授权问题漏洞

Pingvin Share is a self-hosted file sharing platform developed by Elias Schneider as an individual project. Versions of Pingvin Share from 1.14.1 to 1.16.2 have vulnerabilities related to authorization. These vulnerabilities stem from critical authentication bypass exploits, which could allow...

Nginx UI 代码问题漏洞

Nginx UI is a web interface for Nginx developed by Jacky. Versions of Nginx UI 2.3.4 and earlier have code vulnerabilities. This vulnerability allows authenticated users to create cluster nodes that point to arbitrary internal URLs and send API requests with the X-Node-ID header, resulting in SSR...