PT-2026-37237

Name of the Vulnerable Software and Affected Versions Masa CMS versions 7.2.0 through 7.2.9 Masa CMS versions 7.3.0 through 7.3.14 Masa CMS versions 7.4.0 through 7.4.9 Masa CMS versions 7.5.0 through 7.5.2 Description The unauthenticated JSON API accepts an altTable parameter that is stored via...

PT-2026-37264

Name of the Vulnerable Software and Affected Versions pyLoad versions prior to 0.5.0b3.dev100 Description Lack of sanitization in the set package data function allows a user with Perms.MODIFY permissions to specify arbitrary directories as download locations for a package. This occurs when passin...

PT-2026-37232

Name of the Vulnerable Software and Affected Versions Jupyter Server versions prior to 2.18.0 Description A path traversal issue in the REST API allows an authenticated user to escape the configured root dir and access sibling directories that share the same prefix as the root dir. By sending a...

PT-2026-37083

A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. Impacted is the function files of the file libs/chatchat-server/chatchat/server/api server/openai routes.py of the component OpenAI-Compatible File Upload API. Such manipulation of the argument file.filename leads ...

PT-2026-37249

Affected Version: OpenMage LTS ≤ 20.16.0 confirmed on 20.16.0 Affected File: https://github.com/OpenMage/magento-lts/blob/main/app/code/core/Mage/Api/Model/Session.php – start method Summary The XML-RPC / SOAP API session ID is generated using an outdated, time-based construction rather than a...

Masa CMS SQL注入漏洞

Masa CMS is a digital experience platform. Masa CMS has a SQL injection vulnerability, which stems from the unvalidated JSON API accepting the altTable parameter and storing it through the setAltTable method. This may allow unauthorized attackers to read sensitive data through arbitrary subquerie...

PT-2026-37079

Name of the Vulnerable Software and Affected Versions Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10 Description Inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously...

PT-2026-37301

Name of the Vulnerable Software and Affected Versions WWBN AVideo versions prior to 29.1 Description An unauthenticated user can access the public endpoint "objects/plugins.json.php" to read the APISecret from the plugin object data. This secret can then be used to authenticate requests to the...

Google Chrome 跨站脚本漏洞

Google Chrome is a web browser developed by Google Inc. Versions of Google Chrome prior to 148.0.7778.96 had a cross-site scripting vulnerability. This vulnerability stemmed from improper implementation of the Sanitizer API, which could allow remote attackers to inject arbitrary scripts or HTML...

GHSA-PG67-9WJV-MR85 pyload-ng: non-admin SETTINGS users can redirect all outbound traffic through an attacker-controlled proxy via unrestricted `proxy.*` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)

Summary The setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The allowlist contains "proxy", "username" and "proxy", "password" — which protect the proxy credentials — but i...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the GET /api/settings process. An attacker can obtain sensitive configuration values, such as node.secret, by making authenticated requests, and subsequently abuse trusted-node authentication, exfiltrate...

AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption

Summary The /api/internal/stationid/liquidsoap/action endpoint is accessible from the public web interface because it lacks the RequireInternalConnection middleware that protects other internal endpoints /sftp-auth, /sftp-event. Combined with a logic flaw where the $asAutoDj flag is set based on...

GHSA-4FM3-GGG2-C6QX AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption

Summary The /api/internal/stationid/liquidsoap/action endpoint is accessible from the public web interface because it lacks the RequireInternalConnection middleware that protects other internal endpoints /sftp-auth, /sftp-event. Combined with a logic flaw where the $asAutoDj flag is set based on...

CVE-2026-42222

Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available...

CVE-2026-42223

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag...

quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations

Summary The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected...

Incorrect Implementation of Authentication Algorithm

Overview Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm due to the too broad path-template matching in the runtime authentication layer. An attacker can cause sensitive authentication credentials to be sent to unintended endpoints that may...

ca.uhn.hapi.fhir:hapi-fhir-cli-api (>=6.10.0 <=6.10.5), ca.uhn.hapi.fhir:hapi-fhir-cli-app (>=6.10.0 <=6.10.5) +162 more potentially affected by CVE-2026-41901 via org.thymeleaf:thymeleaf-spring5 (>=3.0.9.RELEASE <=3.1.3.RELEASE)

org.thymeleaf:thymeleaf-spring5 MAVEN version =3.0.9.RELEASE, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =6.10.0, =1.19.0, =v1.1, =v1.2 - cn.haoxiaoyong.ocr.email:email-msg =v1.0 and more Source cves: CVE-2026-41901 Source advisory:...

Malicious code in rogiant-quick-install (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 efdebb03bb05b0da602f813ad321bbc81c658ac1bec059a5a7fa73fed277a53b During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

CVE-2026-7643

A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been...