EUVD-2026-31908

OpenCTI: Privilege escalation via graphQL API is abusable by organization admins, due to incorrect ACL on userEdit relationAdd...

Malicious code in telethon-pro-safe (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 8bc2e515c2eb7bf73ea5d532cfb6701dcaf3dd95e9d8248ee3d426b1d0c1ed8c During installation, package executes obfuscated code that starts a RAT-like software allowing remote control and exfiltrating sensitive data. --- Category:...

EUVD-2026-32966

Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin bootstrap token and signing keys to any webpage the operator visits while the control plane is...

External Control of File Name or Path

Overview compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models Affected versions of this package are vulnerable to External Control of File Name or Path via the -o/--output argument in the trestle author jinja. An attacker can overwrite arbitra...

OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL

Impact OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked or renewed by a user in another tenant via the legacy, undocumented sys/revoke and sys/renew endpoints. Patch This will be address...

GHSA-V8V8-CM84-M686 OpenBao's cross-namespace lease revocation via legacy sys/revoke path bypasses ACL

Impact OpenBao's namespaces provide multi-tenant separation. A tenant who intentionally leaks lease identifiers can have their lease and underlying credential revoked or renewed by a user in another tenant via the legacy, undocumented sys/revoke and sys/renew endpoints. Patch This will be address...

CVE-2026-41160

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw Broken Access Control in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first,...

CVE-2026-41141

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity Contact, Lead, Account, or User without performing an ACL check. An authenticated user with...

Exploit for Incorrect Privilege Assignment in Litespeedtech Litespeed_Cpanel_Plugin

CVE-2026-48172 - LiteSpeed cPanel Plugin Vulnerability Auditor...

CVE-2026-34126

TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within the Bluetooth rang...

CVE-2026-41141 EspoCRM: IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity Contact, Lead, Account, or User without performing an ACL check. An authenticated user with...

CVE-2026-41141

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity Contact, Lead, Account, or User without performing an ACL check. An authenticated user with...

CVE-2026-41141

EspoCRM prior to 9.3.5 is vulnerable via POST /api/v1/EmailTemplate/:id/prepare where providing an emailAddress lets an authenticated user with EmailTemplate read permission resolve the owning entity (Contact/Lead/Account/User) without ACL checks, leaking all field values and bypassing read: own/...

CVE-2026-41141 EspoCRM: IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity Contact, Lead, Account, or User without performing an ACL check. An authenticated user with...

EUVD-2026-32947

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity Contact, Lead, Account, or User without performing an ACL check. An authenticated user with...

CVE-2026-41160

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw Broken Access Control in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first,...

CVE-2026-41160

CVE-2026-41160 describes a Broken Access Control (IDOR) in EspoCRM prior to 9.3.5 where low-privilege users could pin notes without proper edit permissions due to a write-first, authorize-later flaw in the POST /api/v1/Note/{id}/pin path. The root cause is in application/Espo/Tools/Stream/Api/Pos...

EUVD-2026-32946

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw Broken Access Control in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first,...

CVE-2026-41160 EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw Broken Access Control in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first,...

CVE-2026-41160 EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw Broken Access Control in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary notes without having the required edit permissions for the parent object. Due to a "write first,...