49 matches found

Positive Technologies
added 2026/05/25 12:00 a.m. | 8 views

PT-2026-43004

Insertion of Sensitive Information into Log File (CWE-532) in some Command Centre Service installers could lead to Service Account credentials exposure. Mitigating Factor: Only sites that install Command Centre Services with a custom Service Account, not the default Network Service account, are...

CVSS: 8.1 | AI score: 5.8 | EPSS: 0.00013
Exploits: 0 | References: 1

Positive Technologies
added 2026/05/21 12:00 a.m. | 8 views

PT-2026-42521

Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the origin...

CVSS: 6.9 | AI score: 5.8 | EPSS: 0.00037
Exploits: 0 | References: 4

Cvelist
added 2026/05/11 8:38 p.m. | 26 views

CVE-2026-43881 WWBN AVideo: Unauthenticated User Enumeration in `objects/users.json.php` via `isCompany` Parameter Flips `$ignoreAdmin = true` and Defeats Admin-Only Listing Guard

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/users.json.php exposes two unauthenticated paths that disclose the full set of registered user accounts. The isCompany request parameter causes the handler to set $ignoreAdmin = true for any non-admin call...

CVSS: 5.3 | EPSS: 0.00012
Exploits: 0 | References: 2

Vulnrichment
added 2026/05/11 5:53 p.m. | 5 views

CVE-2026-42865 Inbox Zero: Cross-account cleaner email stream exposure

Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated account to another authenticated account using the cleaner feature at the same time. This...

CVSS: 2.3 | AI score: 5.8 | EPSS: 0.00032
Exploits: 0 | References: 2

CVE
added 2026/05/11 5:53 p.m. | 6 views

CVE-2026-42865

Inbox Zero is an AI personal assistant for email. Prior to version 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events from one authenticated account to another while using the cleaner feature. This represents a cross-account expo...

CVSS: 4.3 | AI score: 5.8 | EPSS: 0.00032
Exploits: 0 | References: 2 | Affected Software: 1

CNNVD
added 2026/04/02 12:00 a.m. | 3 views

Keycloak Security Vulnerability

Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability that stems from the lack of proper type and namespace isolation in SingleUseObjectProvider. This vulnerability could allow attackers to delete single-use entries, thereb...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.0004
Exploits: 0 | References: 6

EUVD
added 2026/03/27 3:30 p.m. | 3 views

EUVD-2026-16632

The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'. When processing media messages, it fetches user-controlled URLs ('MediaUrlN' parameters) using HTTP requests that include the integration's Twilio credentials in the 'Authorization'...

CVSS: 8.2 | AI score: 5.9 | EPSS: 0.00008
Exploits: 0 | References: 2

Positive Technologies
added 2026/03/20 12:00 a.m. | 3 views

PT-2026-26752

Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.1.0. Description: The CalDAV endpoint allows login using Basic Authentication, which bypasses the TOTP for accounts with 2FA enabled. This allows access to project information normally protected by 2FA, such as projec...

CVSS: 6.9 | AI score: 5.9 | EPSS: 0.00112
Exploits: 1 | References: 6

RedhatCVE
added 2026/01/09 11:41 a.m. | 5 views

CVE-2001-1571

The Remote Desktop client in Windows XP sends the most recent user account name in cleartext, which could allow remote attackers to obtain terminal server user account names via sniffing...

CVSS: 5 | AI score: 7 | EPSS: 0.3026
Exploits: 0 | References: 1

RedhatCVE
added 2025/12/02 9:26 p.m. | 5 views

CVE-2025-66295

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with the privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example, ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path...

CVSS: 8.8 | AI score: 6.8 | EPSS: 0.00104
Exploits: 0 | References: 1

OSV
added 2025/11/25 12:16 a.m. | 1 view

MAL-2025-191372 Malicious code in @voiceflow/semantic-release-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 95a6c9bc458bfc9330434e338d86e85de8f5e6f5a2374749939e909a392268ad The package @voiceflow/semantic-release-config was found to contain malicious code. Source: ghsa-malware...

AI score: 6.8
Exploits: 0 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2015-1455

Malware in sbrugna...

CVSS: 2.1 | AI score: 6.4 | EPSS: 0.00069
Exploits: 1 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 1 view

EUVD-2017-12881

Malware in sbrugna...

CVSS: 5.3 | AI score: 5.5 | EPSS: 0.00734
Exploits: 0 | References: 2

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2019-4331

Malware in sbrugna...

CVSS: 5.3 | AI score: 5.5 | EPSS: 0.00244
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2020-6465

Malware in sbrugna...

CVSS: 4.3 | AI score: 4.8 | EPSS: 0.00189
Exploits: 0 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2018-8747

Malware in sbrugna...

CVSS: 5.3 | AI score: 5.5 | EPSS: 0.00167
Exploits: 0 | References: 3

EUVD
added 2025/10/03 8:07 p.m. | 3 views

EUVD-2025-6072

Malicious code in bioql PyPI...

CVSS: 9.8 | AI score: 6.6 | EPSS: 0.00121
Exploits: 1 | References: 3

EUVD
added 2025/10/03 8:07 p.m. | 3 views

EUVD-2022-25554

Malicious code in bioql PyPI...

CVSS: 5.5 | AI score: 5.8 | EPSS: 0.00015
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:07 p.m. | 1 view

EUVD-2021-28731

Malicious code in bioql PyPI...

CVSS: 7.5 | AI score: 6.6 | EPSS: 0.00311
Exploits: 0 | References: 3

Vulnrichment
added 2025/09/25 2:54 p.m. | 3 views

CVE-2025-40838 Ericsson Indoor Connect 8855 - Insufficiently Protected Credentials Vulnerability

Ericsson Indoor Connect 8855 contains a vulnerability where server-side security can be bypassed in the client, which, if exploited, can lead to unauthorized disclosure of certain information...

CVSS: 5.1 | AI score: 6.2 | EPSS: 0.00048
Exploits: 0 | References: 1