EUVD-2026-30620

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the validatecollectionaccess function uses an incomplete allowlist that only enforces ownership checks for collections matching user-memory- and file- patterns. All other collection...

CVE-2026-6478 PostgreSQL discloses MD5-hashed passwords via covert timing channel

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed...

CVE-2026-42092

titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscribe via DDP and receive sensitive configuration fields such as googlesecret, openaiapikey, and...

Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug

Summary The hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. Details The access contr...

CVE-2026-39381

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any...

CVE-2026-32897

OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset. This allows attackers with access to system prompts sent to third-party model providers to de...

CVE-2026-24327

The CVE concerns SAP Strategic Enterprise Management (Balanced Scorecard in Business Server Pages) where a missing authorization check allowed an authenticated attacker to access information they should not view. The vulnerability impacts confidentiality with a LOW effect (C:L, I:N, A:N) and does...

CVE-2026-23477

Rocket.Chat is an open-source, secure, fully customizable communications platform. In Rocket.Chat versions up to 6.12.0, the API endpoint GET /api/v1/oauth-apps.get is exposed to any authenticated user, regardless of their role or permissions. This endpoint returns an OAuth application, as long a...

Amazon Linux 2023 : amazon-ssm-agent (ALAS2023-2025-1359)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1359 advisory. Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabledpolicy validation. This only affected certificate chains which contain policy graphs, which a...

CVE-2024-49587

Glutton V1 service endpoints were exposed without any authentication on Gotham stacks, this could have allowed users that did not have any permission to hit glutton backend directly and read/update/delete data. The affected service has been patched and automatically deployed to all Apollo-managed...

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Microsoft

CVE-2025-24071 This is a python PoC...

EUVD-2019-6138

Malware in sbrugna...

EUVD-2015-3790

Malware in sbrugna...

EUVD-2001-1542

Malware in sbrugna...

EUVD-2015-1954

Malware in sbrugna...

EUVD-2017-1604

Malware in sbrugna...

EUVD-2021-0791

Malware in sbrugna...

EUVD-2024-54077

Malicious code in bioql PyPI...

EUVD-2024-44230

Malicious code in bioql PyPI...

EUVD-2021-28164

Malicious code in bioql PyPI...