CVE-2026-54157 LobeHub: Unauthenticated SSRF in `/webapi/proxy`
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.57, the /webapi/proxy endpoint on app.lobehub.com accepts a URL in the POST body and fetches it server-side without any authentication. An attacker can use this to make...
Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *
Summary The SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a...
EUVD-2026-28400
The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization...
EUVD-2026-26081
The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials...
CVE-2026-41266 Flowise: Sensitive Data Leak in public-chatbotConfig
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the /api/v1/public-chatbotConfig/:id endpoint exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just...
GHSA-3J3Q-WP9X-585P kcp's cache server is accessible without authentication or authorization checks
Summary The cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. Details The cache server is routed in the pre-mux chain in the shard code. The...
CVE-2026-23767
ESC/POS, a printer control language designed by Seiko Epson Corporation, lacks mechanisms for user authentication and command authorization, does not provide controls to restrict sources or destinations of network communication, and transmits commands without encryption or integrity protection...
The vulnerability in GitLab EE/CE, a Git-based software platform for collaborative code development, lies in the lack of authentication mechanisms. This allows attackers to compromise the integrity of the protected information.
The vulnerability in GitLab EE/CE, a Git-based software platform for collaborative code development, relates to the absence of authentication. Exploiting this vulnerability allows a malicious actor to remotely influence the integrity of the protected information...
The vulnerability in the org.xwiki.platform:xwiki-platform-component-wiki component of the XWiki Platform, a platform for creating collaborative web applications, allows a perpetrator to gain unauthorized access to protected information.
The vulnerability in the org.xwiki.platform:xwiki-platform-component-wiki component of the XWiki Platform involves the absence of authentication. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain unauthorized access to protected information...
The vulnerability in the Password Autofill component of the visionOS, iOS, iPadOS, macOS, and watchOS operating systems allows attackers to read and write arbitrary files.
The vulnerability in the Password Autofill component of the visionOS, iOS, iPadOS, macOS, and watchOS operating systems is related to the absence of authentication. Exploiting this vulnerability allows attackers to read and write arbitrary files...
PT-2022-3089 · Motorola · Motorola Moscad +1
Name of the Vulnerable Software and Affected Versions: Motorola MOSCAD and ACE line of RTUs through 2022-05-02 Description: The issue concerns the omission of an authentication requirement in the Motorola MOSCAD and ACE line of RTUs. These devices feature IP Gateway modules that allow for...
PT-2022-10288 · Atune · Atune
Name of the Vulnerable Software and Affected Versions: atune versions prior to 0.3-0.8 Description: The issue allows an attacker to escalate local privileges or modify any file by accessing the local atune URL interface. This can be achieved by logging in as a local user and running a curl comman...
CVE-2020-17473
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.020190723 allows an attacker to obtain a long-lasting token by impersonating the server...
The vulnerability in the embedded software of the Granit-Navigator-6.18 device lies in the absence of a mechanism to verify the authenticity of users modifying that embedded software. This allows attackers to modify the software, enabling complete system compromise.
The vulnerability in the embedded software of the “Granit-Navigator-6.18” device lies in the absence of a mechanism for verifying the authenticity of users modifying the embedded software. Exploiting this vulnerability allows an attacker to modify the embedded software, thereby...