126 matches found
PT-2026-42694
Name of the Vulnerable Software and Affected Versions: SQLAdmin versions prior to 0.25.1. Description: The ajax lookup endpoint in application.py bypasses the is_accessible access control check enforced by other endpoints. If a developer restricts model access by overriding is_accessible, an...
Astra Linux – Vulnerability in symfony
Symfony is a PHP framework for web and console applications, along with a set of reusable PHP components. The ability to enumerate users was possible without requiring relevant permissions, as the handling differed depending on whether the user existed or not when trying to use the “switch users”...
CVE-2026-28481
OpenClaw versions 2026.1.30 and earlier contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (an optional extension that must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after receiving 401 or 403...
SUSE CVE-2026-24513
A security issue was discovered in ingress-nginx where the protection afforded by the auth-url Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors...
CVE-2026-24513
A security issue was discovered in ingress-nginx where the protection afforded by the auth-url Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors...
CVE-2023-40020
PrivateUploader is an open source image hosting server written in Vue and TypeScript. In affected versions app/routes/v3/admin.controller.ts did not correctly verify whether the user was an administrator (High Level) or moderator (Low Level), causing the request to continue processing. The response...
Malicious Package
Overview elf-stats-jubilant-wreath-403 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious code in elf-stats-jubilant-wreath-403 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 47a3b02d3ad974ed775bcbe6004b57ef90b29e58e5a2c4e60d0f42424467e8a5 The package elf-stats-jubilant-wreath-403 was found to contain malicious code. Source: ghsa-malware...
EUVD-2025-202799
Malicious code in elf-stats-jubilant-wreath-403 npm...
MAL-2025-192510 Malicious code in elf-stats-jubilant-wreath-403 (npm)
The HTTP request was forbidden with client authentication scheme
Veeam Data Cloud for Microsoft 365 Configuration Check Notice On 2026-05-22, an update to the Veeam Data Cloud for Microsoft 365 services introduced a configuration check to proactively detect configuration issues that may cause the issue described in this article's Challenge section. The Cause a...
EUVD-2025-17592
Malicious code in bioql PyPI...
GHSA-XCH9-H8QW-85C7 Canonical LXD Project Existence Determination Through Error Handling in Image Get Function
Impact The LXD /1.0/images endpoint is implemented as an AllowUntrusted API that requires no authentication, making it accessible to users without accounts. This API allows determining project existence through differences in HTTP status codes when accessed with the project parameter...
SAP Business One Integration Framework Access Control Error Vulnerability
SAP Business One Integration Framework is an integration solution for growing organizations. An access control error vulnerability exists in SAP Business One Integration Framework, which stems from insufficient security settings checking, and can be exploited by an attacker to cause a bypass 403...
Denial Of Service (DoS)
@directus/storage-driver-s3 is vulnerable to Denial Of Service (DoS). The vulnerability is due to asset unavailability caused by excessive HEAD requests, which allows an attacker to trigger 403 errors for all assets and deny access across all Directus policies...
Directus's S3 assets become unavailable after a burst of HEAD requests
Summary: There are some tools that use Directus to sync content and assets. Some of those tools, like Shopify, use the HEAD method to check the existence of files. However, when making many HEAD requests at once, at some point all assets are served as 403. Details: When I was investigating this...
Directus's S3 assets become unavailable after a burst of malformed transformations
Summary When making many malformed transformation requests at once, at some point, all assets are being served as 403. Details When I was investigating this issue, I have found that after a burst of malformed asset transformation requests, the amount of sockets held on Agent on NodeHttpHandler wa...
GHSA-J8XJ-7JFF-46MX Directus's S3 assets become unavailable after a burst of malformed transformations
Exploit for Code Injection in Vmware Spring_Framework
Project Spring4Shell CVE-2022-22965 Blocker Firewall Se...