CVE-2025-41118

Pyroscope (open-source continuous profiling DB) is affected when configured to use Tencent COS as the storage backend. The issue allows extraction of the secret_key configuration value from the Pyroscope API due to missing type protection, potentially exposing sensitive credentials to an attacker...

CVE-2026-33212 Weblate: Improper access control for pending tasks in API

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so...

CVE-2026-33212

CVE-2026-33212 affects Weblate (web-based localization tool). The vulnerability lies in the tasks API where, in versions prior to 5.17, access control for pending tasks was not enforced, potentially exposing in-progress task logs to users without the proper scope. The attack requires brute-forcin...

Exploit for CVE-2025-24000

CVE-2025-24000 — Post SMTP Privilege Escalation Exploit Ov...

Exploit for Improper Access Control in Fortinet Forticlientems

CVE-2026-35616 - FortiClient EMS Pre-Authentication API Bypass...

BMC Control-M/MFT 安全漏洞

BMC Control-M/MFT is an enterprise-level file transfer and job scheduling integration management automation software developed by the American company BMC. Versions of BMC Control-M/MFT 9.0.22 and earlier contained security vulnerabilities. These vulnerabilities stemmed from hardcoded default deb...

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 30, 2026 to April 5, 2026)

Last week, there were 56 vulnerabilities disclosed in 50 WordPress Plugins that have been added to the Wordfence Intelligence Vulnerability Database, and there were 38 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to...

CVE-2026-35479 InvenTree Plugin Installation - Insufficient Permissions

InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions such as...

CVE-2026-39322

PolarLearn (0-PRERELEASE-15 and earlier) is affected. The issue: POST /api/v1/auth/sign-in creates a valid session for banned accounts before password verification, and that session is accepted on authenticated /api routes, allowing account data access and authenticated actions as the banned user...

CVE-2026-5599

A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds...

EUVD-2026-19085

A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds...

CVE-2026-5599 API allows deletion of users of other instance

A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds...

CVE-2026-20042 Cisco Nexus Dashboard Configuration REST API Unauthorized Access Vulnerability

A vulnerability in the configuration backup feature of Cisco Nexus Dashboard could allow an attacker who has the encryption password and access to Full or Config-only backup files to access sensitive information. This vulnerability exists because authentication details are included in the encrypt...

CVE-2025-55274

HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. CORS misconfigurations includes the exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker to exploit CORS misconfiguration, they...

CVE-2026-33469

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through /api/config/raw. This exposes sensitive values that are intentionally redacted from /api/config,...

CVE-2026-33469 Authenticated Frigate users can read the full unredacted configuration via `/api/config/raw

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through /api/config/raw. This exposes sensitive values that are intentionally redacted from /api/config,...

CVE-2026-4312

GCB/FCB Audit Software developed by DrangSoft has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly access certain APIs to create a new administrative account...

CVE-2025-55274

HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. CORS misconfigurations includes the exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker to exploit CORS misconfiguration, they...

CVE-2026-20114

A vulnerability in the Lobby Ambassador web-based management API of Cisco IOS XE Software could allow an authenticated, remote attacker to elevate their privileges and access management APIs that would not normally be available for Lobby Ambassador users. This vulnerability exists because...

Protection Mechanism Failure

Overview Affected versions of this package are vulnerable to Protection Mechanism Failure through the fn process in the /wait endpoint, which embeds user-supplied input directly into executable JavaScript without enforcing the intended security policy. An attacker can execute arbitrary JavaScript...