161452 matches found

GithubExploit
added 2026/05/30 9:4 a.m., 126 views

Exploit for Reliance on Cookies without Validation and Integrity Checking in Paloaltonetworks Pan-Os

🚨 CVE-2026-0257 - Authentication Bypass Vulnerabilities...

CVSS 9.1, AI score 6, EPSS 0.86678
Exploits: 9

GithubExploit
added 2026/05/30 7:34 a.m., 94 views

Exploit for CVE-2026-29000

CVE-2026-29000: pac4j JWT Authentication Bypass PoC Proof...

CVSS 9.3, AI score 6.9, EPSS 0.05856
Exploits: 17

GithubExploit
added 2026/05/30 6:57 a.m., 81 views

Exploit for CVE-2025-5947

CVE-2025-5947 CVE-2025-5947 WordPress Service Finder Bookings...

CVSS 9.8, AI score 5.8, EPSS 0.057
Exploits: 2

The Hacker News
added 2026/05/30 6:41 a.m., 15 views

PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation

Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited b...

CVSS 9.1, AI score 5.9, EPSS 0.86678
Exploits: 9

GithubExploit
added 2026/05/30 4:51 a.m., 113 views

Exploit for SQL Injection in Litellm

CVE-2026-42208 — LiteLLM Pre-Authentication SQL Injection A l...

CVSS 9.8, AI score 6.1, EPSS 0.83453
Exploits: 7

RedhatCVE
added 2026/05/30 2:12 a.m., 13 views

CVE-2026-47274

pamusb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, multiple pamusb helper tools resolved external binaries through the PATH environment variable rather than using absolute paths. An attacker who can influence the process environment during PAM...

CVSS 6.3, AI score 5.9, EPSS 0.00141
Exploits: 0, References: 1

EUVD
added 2026/05/30 12:30 a.m., 13 views

EUVD-2026-33445

A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with an Extreme Platform ONE /IAM-issued API key to receive response data for another tenant. The issu...

CVSS 6.3, AI score 5.8, EPSS 0.00172
Exploits: 0, References: 2

CNNVD
added 2026/05/30 12:0 a.m., 8 views

Projectworlds Gate Pass Management System SQL Injection Vulnerability

The Projectworlds Gate Pass Management System is an open-source boarding pass management system developed by Projectworlds. Version 2.1 of the Projectworlds Gate Pass Management System has a SQL injection vulnerability. This vulnerability stems from the login and password parameters, which are...

CVSS 8.8, AI score 5.9, EPSS 0.0032
Exploits: 0, References: 4

Positive Technologies
added 2026/05/30 12:0 a.m., 10 views

PT-2026-45124

Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Attackers can submit crafted POST requests to login-exec.php with SQL injection payloads in form...

CVSS 8.8, AI score 5.9, EPSS 0.0032
Exploits: 0, References: 5

Positive Technologies
added 2026/05/30 12:0 a.m., 12 views

PT-2026-45088

Name of the Vulnerable Software and Affected Versions Simple History versions prior to 5.26.1 Description The Simple History plugin for WordPress allows authenticated users with Subscriber-level permissions or higher to take over accounts. The issue exists in the event reaction endpoints...

CVSS 7.5, AI score 5.8, EPSS 0.00593
Exploits: 1, References: 18

Exploit DB
added 2026/05/30 12:0 a.m., 56 views

YAMCS yamcs-core 5.12.7 - LDAP Injection

Exploit Title: YAMCS yamcs-core 5.12.7 - LDAP Injection Date: 2026-05-27 Exploit Author: Daniel Miranda Barcelona Excal1bur Vendor Homepage: https://yamcs.org Software Link: https://github.com/yamcs/yamcs Version: 1 else "http://localhost:8090" base = target.rstrip"/" print"=" 65 print"...

CVSS 4.3, AI score 5.8, EPSS 0.01027
Exploits: 3

Tenable Nessus
added 2026/05/30 12:0 a.m., 10 views

RockyLinux 9 : dovecot (RLSA-2026:19364)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:19364 advisory. dovecot: ManageSieve: Denial of Service via crafted SASL initial response in AUTHENTICATE command CVE-2025-59032 dovecot: denial of service via crafted...

CVSS 7.5, AI score 5.8, EPSS 0.00456
Exploits: 2, References: 7

OSV
added 2026/05/29 10:42 p.m., 7 views

GHSA-3QG8-5G3R-79V5 praisonai-platform: JWT signing key defaults to hardcoded "dev-secret-change-me", allowing token forgery for any user when PLATFORM_ENV is unset

Summary Type: Insecure default cryptographic key. The JWT signing secret defaults to the hardcoded literal "dev-secret-change-me" when PLATFORMJWTSECRET is unset. A safety check exists but only fires when PLATFORM_ENV != "dev"; the default value of PLATFORM_ENV is "dev", so the check is silently...

CVSS 9.8, AI score 6, EPSS 0.00054
Exploits: 0, References: 2

Snyk
added 2026/05/29 10:30 p.m., 7 views

Missing Authorization

Overview: PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

CVSS 8.7, AI score 5.5, EPSS 0.00075
Exploits: 0, References: 3

Github Security Blog
added 2026/05/29 10:29 p.m., 27 views

PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default

Summary CVE-2026-44338 GHSA-6rmh-7xcm-cpxj documents that PraisonAI ships a code-generator praisonai.deploy.api.generateapiservercode that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart praisonai deploy --type api get a server that: -...

CVSS 7.3, AI score 6.2, EPSS 0.26799
Exploits: 3, References: 3, Affected Software: 1

OSV
added 2026/05/29 10:29 p.m., 7 views

GHSA-8444-4FHQ-FXPQ PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default

Summary CVE-2026-44338 GHSA-6rmh-7xcm-cpxj documents that PraisonAI ships a code-generator praisonai.deploy.api.generateapiservercode that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart praisonai deploy --type api get a server that: -...

CVSS 9.8, AI score 6, EPSS 0.0008
Exploits: 0, References: 3

Github Security Blog
added 2026/05/29 10:16 p.m., 19 views

stigmem-node's federation insecure transport settings may allow non-loopback cleartext federation

Impact Stigmem nodes with federation enabled could be configured to run without mTLS outside loopback-only local development. In affected deployments, federation traffic may traverse the network without the intended transport protection. Impacted users are operators who enabled federation and...

AI score 5.8
Exploits: 0, References: 2, Affected Software: 1

Github Security Blog
added 2026/05/29 10:14 p.m., 21 views

stigmem-node's federation peer token timestamp validation may reject valid peer tokens

Impact A mismatch in federation peer-token timestamp handling could cause valid peer tokens to be treated as expired. Impacted deployments are Stigmem nodes using federation peer authentication paths from affected versions. The primary impact is availability and reliability of authenticated...

AI score 5.8
Exploits: 0, References: 5, Affected Software: 1

Github Security Blog
added 2026/05/29 10:13 p.m., 19 views

stigmem-node: Auth-disabled deployments may grant broad anonymous access outside loopback

Impact Stigmem nodes configured with authentication disabled could grant the anonymous identity broad read/write/federation capabilities if exposed outside a loopback-only local development environment. Impacted users are operators who intentionally disabled authentication while binding the node ...

AI score 5.8
Exploits: 0, References: 5, Affected Software: 1

GithubExploit
added 2026/05/29 9:52 p.m., 78 views

NileBank-Vulnerable-App

NileBank - Web Pen Testing Project A realistic bank web appli...

AI score 5.9
Exploits: 0