4195 matches found
CVE-2026-31882 Dagu SSE Authentication Bypass in Basic Auth Mode
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG...
CVE-2026-31882
Summary: CVE-2026-31882 affects Dagu, a workflow engine. Before v2.2.4, when DAGU_AUTH_MODE=basic, SSE endpoints are accessible without credentials, allowing unauthenticated access to real-time DAG data, configurations, logs, and queue status via a flaw in buildStreamAuthOptions() where BasicAuth...
EUVD-2026-12087
Dagu: SSE Authentication Bypass in Basic Auth Mode...
GHSA-9WMW-9WPH-2VWP Dagu: SSE Authentication Bypass in Basic Auth Mode
SSE Authentication Bypass in Basic Auth Mode. Summary: When Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow...
Microsoft Windows Malicious Script File Generator
This PHP script generates a malicious .WSF Windows Script File containing both VBScript and JScript payload blocks. The payload runs arbitrary system commands through WScript.Shell...
PT-2026-25364
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG...
CVE-2026-3969 FeMiner wms Basic Organizational Structure depart_add_bg.php sql injection
A vulnerability was detected in FeMiner wms up to 1.0. This impacts an unknown function of the file /wms-master/src/basic/depart/depart_add_bg.php of the component Basic Organizational Structure Module. Performing a manipulation of the argument Name results in SQL injection. The attack may be...
CVE-2026-3969
CVE-2026-3969 affects FeMiner wms up to 1.0. The vulnerability lies in /wms-master/src/basic/depart/depart_add_bg.php (Basic Organizational Structure Module): manipulating the Name argument enables SQL injection. Attack vector is network with low complexity and no privileges required; remote expl...
MAL-2026-1351 Malicious code in faaladorcli (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 b0c3b79e20d5c0305695699a443c35baf74deda90bad7263cd0b3f9bd3613572 During installation or import, the package exfiltrates basic information in a dependency confusion attempt. The user identifies themselves as a HackerOne user...
MAL-2026-1350 Malicious code in falador (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 1d66c45b27d4ff7595d8a13a91515450c248dc50a6531199f0254bbd9d6440bb During installation or import, the package exfiltrates basic information in a dependency confusion attempt. The user identifies themselves as a HackerOne user...
CVE-2026-30980
iccDEV contains a stack overflow in CIccBasicStructFactory::CreateStruct() that can lead to uncontrolled recursion/stack exhaustion and crash. Affected versions are prior to 2.3.1.5; the issue is fixed in 2.3.1.5. Upgrade to 2.3.1.5 to remediate.
Multiple Cisco Products Snort 3 Visual Basic for Applications DoS Vulnerabilities (cisco-sa-ftd-snort3-vbavuls-96UcVVed_CVE-2026-20053_CVE-2026-20054_CVE-2026-20057)
According to its self-reported version, Cisco ASA Software is affected by multiple vulnerabilities. - Multiple Cisco products are affected by a vulnerability in the Snort 3 VBA feature that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to crash. This...
CVE-2026-3701
A security vulnerability has been detected in H3C Magic B1 up to 100R004. Affected by this vulnerability is the function Edit_BasicSSID_5G of the file /goform/aspForm. Such manipulation of the argument param leads to buffer overflow. The attack can be executed remotely. The exploit has been disclos...
CVE-2026-3701 H3C Magic B1 aspForm Edit_BasicSSID_5G buffer overflow
A security vulnerability has been detected in H3C Magic B1 up to 100R004. Affected by this vulnerability is the function Edit_BasicSSID_5G of the file /goform/aspForm. Such manipulation of the argument param leads to buffer overflow. The attack can be executed remotely. The exploit has been disclos...
MAL-2026-1275 Malicious code in hostlists-plugins-default (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 21b72625bb74661ae95d3317fe4384105bb6dd6d026b049f84a192aeeeeae9df Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...
SiYuan Security Vulnerability
SiYuan is a privacy-oriented personal knowledge management system developed by SiYuan. Versions of SiYuan prior to 3.6.0 contained security vulnerabilities. These vulnerabilities stemmed from the /api/query/sql interface, which only checked basic authentication, potentially allowing arbitrary SQL...
CVE-2026-23809
A technique has been identified that adapts a known port-stealing method to Wi-Fi environments that use multiple BSSIDs. By leveraging the relationship between BSSIDs and their associated virtual ports, an attacker could potentially bypass inter-BSSID isolation controls. Successful exploitation m...
AI Gateway secret API accepts `$ENV_VAR` references and can be remotely abused to exfiltrate server-side environment credentials to an attacker-controlled upstream endpoint. And the leaked credentials can be further leveraged to break security boundaries.
Analyzed project versions: Current target branch: master Current HEAD: dc8ef3cbbefccf7384f4e3023492aae635c5d5d0 Fix 403 Forbidden for artifact list via query param when defaultpermission=NOPERMISSIONS 21220, commit date: 2026-03-04 The vulnerability is that AI Gateway secrets allow...