CVE-2026-7428

CVE-2026-7428 affects Google Cloud AlloyDB for PostgreSQL. The vulnerability stems from insecure default administrative credentials that could be created by well-intended Terraform or REST API users before 2025-11-03, enabling a remote attacker to gain full administrative access to the database. ...

Limited path traversal via template API if using `{lang}` in config

None...

CVE-2026-41432

New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...

CVE-2026-6709

CVE-2026-6709 affects the WordPress plugin Coinbase Commerce for Contact Form 7 in versions up to and including 1.1.2. Root cause: missing capability check and nonce verification in the save_settings() function registered on the admin_post_cccf7_save_settings hook. Impact: authenticated attackers...

CVE-2026-6709 Coinbase Commerce for Contact Form 7 <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) API Key Modification via 'cccf7_api_key' Parameter

The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the savesettings function, which is registered on the adminpostcccf7savesettings...

CVE-2026-4663

The CVE-2026-4663 entry is linked to the WordPress payment plugin issue described by EUVD-2026-29394: the iPOSpays Gateways WC plugin for WordPress has a Missing Authorization vulnerability up to version 1.3.7. The root cause is a REST API endpoint exposed at /wp-json/ipospays/v1/save_settings wh...

CVE-2026-7626 Slek Gateway for WooCommerce <= 1.0 - Unauthenticated Insufficiently Protected Credentials via Payment Redirect Form Hidden Fields

The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsbhandleslekpaymentredirect function placing the merchant's slekkey and sleksecret API credentials directly into a client-side HTML form, and additionally embedding the...

CVE-2026-7482

A flaw was found in Ollama. A remote attacker can exploit a heap out-of-bounds read vulnerability in the GGUF model loader by providing a specially crafted GGUF GGML Unified Format file to the /api/create endpoint. This allows the attacker to read beyond the allocated memory buffer, potentially...

atlas-mcp (=0.1.0), blackmaria (=0.1.0) +5 more potentially affected by unknown CVE via guardrails-ai (=0.10.0)

guardrails-ai PYPI version =0.10.0 is affected by a known vulnerability. The following packages have a transitive dependency on guardrails-ai and may be impacted: - atlas-mcp =0.1.0 - blackmaria =0.1.0 - dao-ai =0.1.39, =0.0.0a0, =0.1.0, =0.1.3 Source cves: unknown CVE Source advisory:...

Malicious code in wot-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bd781e61a7ca728623c44a900ca22a8cc58de2b93bcd797aeebe453ee6fa4f80 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3591 Malicious code in wot-api (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bd781e61a7ca728623c44a900ca22a8cc58de2b93bcd797aeebe453ee6fa4f80 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3530 Malicious code in @uipath/api-workflow-tool (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d32baa584fef58e39e73ce0f2a965cccdbc83a96e6011743224267b3832d8759 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

PT-2026-39974

The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsb handle slek payment redirect function placing the merchant's slek key and slek secret API credentials directly into a client-side HTML form, and additionally embeddin...

Pandora FMS 代码问题漏洞

Pandora FMS is a monitoring system developed by the American company Pandora FMS. This system provides visual monitoring of networks, servers, virtual infrastructure, and applications. There are code vulnerabilities in versions 777 to 800 of Pandora FMS, which stem from server-side request forger...

PT-2026-40127

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memory id are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...

PT-2026-39963

The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the save settings function, which is registered on the admin post cccf7 save...

CVE-2026-31216

The CVE concerns the Nexent v1.7.5.2 backend service. The vulnerability lies in the file management API: DELETE /storage/{object_name:path} accepts a user-controlled object_name and is missing authentication, authorization, and input validation. This allows unauthenticated remote attackers to del...

Google Chrome 代码注入漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.168 contained a code injection vulnerability. This vulnerability stemmed from the SanitizerAPI component’s script injection mechanism, which could allow remote attackers to inject arbitrary scrip...

CVE-2026-31231

Cognee through v0.4.0 suffers a critical remote code execution via the notebook cell execution API endpoint. The endpoint executes user-provided Python code with unsafe exec() and no sandboxing or validation, allowing an attacker to send a crafted POST containing malicious code to achieve arbitra...

PT-2026-40462

Name of the Vulnerable Software and Affected Versions GoJobs affected versions not specified Description GoJobs is a REST API for a Job Board platform. The application contains a job retrieval endpoint that lacks proper authentication and authorization checks. This allows unauthenticated users to...