F5 Networks BIG-IP : BIG-IP httpd access control vulnerability (K000156604)

The version of F5 Networks BIG-IP installed on the remote host is prior to 17.1.3.1 / 17.5.1.4 / 21.0.0. It is, therefore, affected by a vulnerability as referenced in the K000156604 advisory. When configured, IP-based access restrictions forhttpddo not cover all endpoints, which may allow...

MAL-2026-4217 Malicious code in polymarket-trading-cli (npm)

A coordinated supply-chain attack comprising 9 npm packages published by maintainer polymarketdev GitHub actor texsellix, repo texsellix/polymarket-trading-bot within a 2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while...

MAL-2026-4214 Malicious code in polymarket-terminal (npm)

A coordinated supply-chain attack comprising 9 npm packages published by maintainer polymarketdev GitHub actor texsellix, repo texsellix/polymarket-trading-bot within a 2-minute window on 2026-05-20T23:30Z–23:32Z. All packages masquerade as legitimate Polymarket CLOB trading tools while...

Malicious code in defi-env-auditor (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

CVE-2026-9141

Taiko AG1000-01A SMS Alert Gateway (Rev 7.3 and Rev 8) contains an authentication bypass in its embedded web configuration interface, allowing unauthenticated network attackers to directly request internal pages (e.g., index.zhtml, point.zhtml, log.shtml) and gain full administrative read/write a...

MAL-2026-4430 Malicious code in @saidddddddddd/somethingelse (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10c6c962a47a7992e9b415754433ca28aec0b867273e477fdc76acc96688554d Package ships multiple multi-file randomly-named JavaScript bundles at the tarball root dist/0wj8nina9p.js, dist/g2gldlcg6a.js, dist/k72k75nqjc.js,...

EUVD-2026-31133

InfoScale CmdServer before 7.4.2 mishandles access control...

Malicious code in vlifegram (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8771013473b84f29159a80ec15ce3e9897bc69908ddfa2438845811dd276d87c VLifeGram is published under its own name on PyPI but installs into the pyrogram/ namespace and ships a Pyrogram fork at version 2.1.2.4. It adds an...

MAL-2026-4773 Malicious code in vlifegram (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8771013473b84f29159a80ec15ce3e9897bc69908ddfa2438845811dd276d87c VLifeGram is published under its own name on PyPI but installs into the pyrogram/ namespace and ships a Pyrogram fork at version 2.1.2.4. It adds an...

CVE-2026-44926

InfoScale CmdServer before 7.4.2 mishandles access control...

MAL-2026-4186 Malicious code in @doctolib-apps/native-personalized-services (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ac2da4b8de2ea081f8fe7b84ef6182ab363616dc0515aaa03368bcba4a4b8e76 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CVE-2026-20238 Improper Access Control through Role Inheritance in Splunk AI Toolkit app

In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through srchFilter configurations on custom roles.The app contains an authorize.conf configuration file with a srchFilter entry that...

CVE-2026-4293

The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser...

phpMyFAQ: IDOR Account Takeover

Summary An Insecure Direct Object Reference IDOR vulnerability in phpMyFAQ's Admin API allows any authenticated administrator to change the password of any user account, including SuperAdmin accounts userId=1, without authorization verification. An attacker with a low-privilege admin account can...

CLSA-2026-1779290839 giflib: Fix of CVE-2026-26740

CVE-2026-26740: fix heap OOB write when rewriting truncated GCE in EGifGCBToSavedExtension...

CVE-2026-4293

The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser...

CVE-2026-4293 Kieback & Peter DDC Building Controllers Cross-site Scripting

The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser...

CVE-2026-4293

The CVE-2026-4293 entry covers cross-site scripting in Kieback & Peter DDC Building Controllers. Affected component: DDC building controllers; vulnerability allows attacker-supplied scripting to run in the victim’s browser, enabling browser control. CVSS 3.1 metrics show Network attack vector, no...

CVE-2026-21836

The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view sensitive data...

kernel: Linux kernel: Use-after-free in traffic control (act_ct) may lead to denial of service or privilege escalation

A flaw was found in the Linux kernel. A use-after-free vulnerability exists in the traffic control actct path when it is incorrectly configured with non-ingress egress qdiscs queueing disciplines. This can allow a local user with specific privileges to trigger a kernel crash, leading to a denial ...