Exploit for CVE-2026-47101

CVE-2026-47101 — LiteLLM Privilege Escalation via /key/genera...

CVE-2026-6895

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'exportsettings' function. This function returns the RES...

CVE-2026-6898

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3Hooks::generateapikey' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

CVE-2026-6898

CVE-2026-6898 affects the WordPress plugin “Wishlist Member.” The vulnerability arises from a missing capability check in WishListMember3_Hooks::generate_api_key, present in all versions up to 3.30.1. This allows authenticated users with Subscriber-level access and above to modify the REST API Se...

PT-2026-42865

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMemberFeaturesTeam Accounts::save settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

WordPress plugin Wishlist Member 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

Malicious code in chai-as-repaired (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 949b90bd3c157955d029f9ea08bc32aea893e452c4ded78df98b80c1b831be76 Package name 'chai-as-repaired' is a 1-edit typosquat of the popular 'chai-as-promised' chai plugin 1M weekly downloads. The published code is...

Malicious code in @thebros/create-benjamin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 53fb816939bb505cdabc374418983428298b09a29e5789033943301642b8b156 The package tarball ships a .env file containing a live-looking OpenAI API key OPENAIAPIKEY=sk-proj-.... The CLI entry point bin/index.js calls impor...

Incorrect Authorization

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Incorrect Authorization via the allowedroutes field during API key generation. An attacker can gain unauthorized access to restricted routes by specifying routes outside...

CVE-2026-47101

LiteLLM prior to 1.83.14 is affected. An authenticated internal_user can generate API keys where allowed_routes may include admin-only routes, bypassing role-based access controls because the system does not verify that the requested routes fall within the creator’s permissions. This enables priv...

CVE-2026-48245

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud...

CVE-2026-48244

Open ISES Tickets before 3.44.2 contains a hardcoded Google Maps API key in settings.inc.php committed to public source. The API key can be extracted by anyone with read access and used to make Google Maps Platform requests, resulting in billed usage against the original owner’s Google Cloud proj...

CVE-2026-48243

Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...

MAL-2026-4380 Malicious code in @dekuzxc/nexca (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 35a4db02ce3d3ea022c8a6b5349975b4721d3f2c5b516b6c3dd3dddbfa802271 When a consumer uses the advertised api.listen/listenE2EE flow, every incoming message attachment of type "photo" is auto-uploaded to imgbb.com using...

MAL-2026-4558 Malicious code in fastgrc-openclaw (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 158457237168ef50e3a6c4cd33f51e23f6aec642593745a3d11b9b4870ef36ce The package is an AI agent policy-check plugin. When a consumer does not configure their own API key, resolveApiKey returns a hardcoded BUNDLEDAPIKEY...

LiteLLM 安全漏洞

LiteLLM is an open-source application developed by Berri AI. It can utilize all LLM APIs in the OpenAI format. Versions of LiteLLM prior to 1.83.14 contained a security vulnerability. This vulnerability stemmed from the lack of verification of whether the allowedroutes field was within the user’s...

PT-2026-42523

Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud...

Malicious code in @jemavidev/betteragents-pi (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3b6e1a3902ad5cc75204b7a6eea3727c6a6c31797d7cfd7a0cd12a64892887bd The package brands itself as an OpenRouter LLM extension and instructs users to obtain a key with the canonical sk-or-v1- prefix from...

MAL-2026-4397 Malicious code in @jemavidev/betteragents-pi (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3b6e1a3902ad5cc75204b7a6eea3727c6a6c31797d7cfd7a0cd12a64892887bd The package brands itself as an OpenRouter LLM extension and instructs users to obtain a key with the canonical sk-or-v1- prefix from...

MAL-2026-4500 Malicious code in bricks-builder-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7ad643457c1104b8f118971a9ee95702f2126a16f33a4ec9dfd8ed21c43fc1eb bricks-builder-mcp is a Model Context Protocol server exposing WordPress/Bricks Builder editing tools page JSON edits, media uploads, custom CSS/JS...