CVE-2026-50287 Missing Authentication for Critical Function in @agenticmail/mcp

AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCPHTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can...

CVE-2026-41567

CVE-2026-41567 affects Docker Engine and Moby earlier than 29.5.1 / moby/moby v2 before v2.0.0-beta.14. When uploading a compressed archive to a container via PUT /containers/{id}/archive or piping with docker cp -, the daemon resolves decompression binaries from the container filesystem rather t...

CVE-2026-45610 WWBN AVideo plugin/LoginControl/set.json.php: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA

WWBN AVideo is an open source video platform. In 29.0 and earlier, there is a cross-site request forgery vulnerability on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FAUser::getId, false on the session-authenticated user, and...

MAL-2026-4888 Malicious code in @cloudplatform-single-spa/arenadata-db (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

CVE-2026-45335

WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=InternoControle...

WeGIA 输入验证错误漏洞

WeGIA is a network manager for welfare institutions developed by Nilson Lazarin as an individual project. Versions of WeGIA prior to 3.7.3 contained a vulnerability related to input validation errors. This vulnerability stemmed from the lack of validation or restrictions on the nextPage parameter...

AVideo: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA

Summary Type: Cross-site request forgery on the 2FA toggle. plugin/LoginControl/set.json.php accepts POST type=set2FA value=false, calls LoginControl::setUser2FAUser::getId, false on the session-authenticated user, and returns. There is no forbidIfIsUntrustedRequest call, no isTokenValid check, n...

SUSE CVE-2026-41176

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and pri...

Rclone 1.45.x < 1.73.5 Authentication Bypass (CVE-2026-41176)

The version of Rclone installed on the remote host is 1.45.x prior to 1.73.5. It is, therefore, affected by an authentication bypass vulnerability: - The RC endpoint options/set is exposed without AuthRequired, but it can mutate global runtime configuration, including the RC option block itself. ...

CVE-2026-41176

A flaw was found in Rclone, a command-line program designed for synchronizing files with various cloud storage providers. An unauthenticated attacker can exploit an exposed Remote Control RC endpoint, options/set, to disable the authorization mechanism for other RC methods. This vulnerability...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the options/set endpoint. An attacker can set rc.NoAuth=true and override default AuthRequired: true which can lead to unauthorized access to sensitive administrative functionality,...

CVE-2026-41176

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and pri...

CVE-2026-41176

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. Starting in version 1.45.0 and pri...

GHSA-JFWF-28XR-XW6Q RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution

Summary The RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs... supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend,...

📄 dcontrol 1.0.9 Remote Code Execution

dcontrol version 1.0.9 suffers from an unauthenticated remote code execution vulnerability via the /control-api/monitor/open endpoint. Exploit Title: dcontrol v1.0.9 - Unauthenticated Remote Code Execution RCE Date: 2026-04-18 Exploit Author: Chokri Hammedi Vendor Homepage:...

CVE-2026-35396

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IsaidaControle. The...

CVE-2026-35473

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IentradaControle. T...

EUVD-2026-19506

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarId and nomeClasse=IentradaControle. T...

CVE-2026-35473

WeGIA (Web manager for charitable institutions) prior to version 3.6.9 contained an open redirect vulnerability in the /WeGIA/controle/control.php endpoint. The issue arises from an unvalidated nextPage parameter when the request uses metodo=listarId and nomeClasse=IentradaControle, allowing atta...

EUVD-2026-19504

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically through the nextPage parameter when combined with metodo=listarTodos and nomeClasse=EstoqueControle...