Elastic Kibana 安全漏洞

Elastic Kibana is a data visualization dashboard software provided by the Elastic company. There is a security vulnerability in Elastic Kibana, which stems from improper input validation, potentially leading to privilege escalation. Users with Fleet management privileges and who are authenticated...

BIT-ARGO-WORKFLOWS-2026-42295 Argo Workflows: Exposure of artifact repository credentials

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials S3 access keys, secret keys, GCS service account keys, Azure account keys, Gi...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

CVE-2026-33362

In Meari IoT SDK builds embedded in CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and white-label Android apps = 1.8.x latest observed, multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys...

CVE-2026-33362

The CVE-2026-33362 entry concerns the Meari IoT SDKs embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white‑label Android apps ≤ 1.8.x. The description states that multiple security‑critical secrets are hardcoded and shared, including API signing material, password‑transport...

CVE-2026-33362

In Meari IoT SDK builds embedded in CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and white-label Android apps = 1.8.x latest observed, multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys...

Meari IoT SDK 安全漏洞

Meari IoT SDK is a software development kit provided by Meari Corporation, aimed at intelligent device application development in the field of IoT communication and device management. The Meari IoT SDK contains security vulnerabilities, which stem from the hardcoding and sharing of multiple...

PT-2026-39644

In Meari IoT SDK builds embedded in CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and white-label Android apps = 1.8.x latest observed, multiple security-critical secrets are hardcoded and shared, including API signing material, password-transport keying, and service access keys...

Brute Force

Overview better-auth is a The most comprehensive authentication library for TypeScript. Affected versions of this package are vulnerable to Brute Force when rate limiting is enabled which it is by default. The protections of the getIp function, which constructs rate-limiting keys based on the exa...

CVE-2025-66467 Apache CloudStack: MinIO policy remains intact on bucket deletion

Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, the previous owners can gain unauthorized read and write access to it by using the previously...

PT-2026-38916

Name of the Vulnerable Software and Affected Versions Apache CloudStack versions prior to 4.20.3.0 Apache CloudStack versions prior to 4.22.0.1 Description Missing MinIO policy cleanup during bucket deletion allows users to retain access to buckets they previously owned. If a different user creat...

WordPress plugin LatePoint 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVE-2026-1612

AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified...

HAPI FHIR Core has Authentication Credential Leakage via Improper URL Prefix Matching on HTTP Redirect

ManagedWebAccessUtils.getServer uses String.startsWith to match request URLs against configured server URLs for authentication credential dispatch. Because configured server URLs e.g., http://tx.fhir.org lack a trailing slash or host boundary check, an attacker-controlled domain like...

CVE-2026-4217

A security vulnerability has been detected in XREAL Nebula App up to 3.2.1 on Android. This impacts an unknown function of the file in ai/nreal/nebula/flutterPlugin/CloudStoragePlugin.java of the component ai.nreal.nebula.universal. Such manipulation of the argument...

Vulnerabilities fixed in Splunk Enterprise and Splunk Cloud Platform

Splunk has fixed vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. The vulnerabilities are in several versions of Splunk Enterprise and Splunk Cloud Platform. They allow low-privileged users to bypass protections, view sensitive information, and abuse the REST API for user...

FBI Reports 1,900 ATM Jackpotting Incidents Since 2020, $20M Lost in 2025

The U.S. Federal Bureau of Investigation FBI has warned of an increase in ATM jackpotting incidents across the country, leading to losses of more than $20 million in 2025. The agency said 1,900 ATM jackpotting incidents have been reported since 2020, out of which 700 took place last year. In...

SandboxJS 安全漏洞

SandboxJS is a security assessment tool developed by nyariv. Versions of SandboxJS prior to 0.8.29 contained a security vulnerability. This vulnerability stemmed from the execution of validation keys that did not match the keys used to access properties, which could lead to sandbox escape...

PT-2026-6470

Summary RustFS logs sensitive credential material access key, secret key, session token to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive...

CVE-2026-22806

vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access resources outside of it. However, the user...