PT-2026-45872
Name of the Vulnerable Software and Affected Versions: QloApps versions prior to 1.7.0 (commit 64e9722). Description: The software uses a weak cryptographic algorithm for password hashing. Specifically, the encrypt function in classes/Tools.php utilizes MD5, concatenating a static cookie key with the...
CVE-2026-42033
A flaw was found in Axios, an HTTP client library. This vulnerability allows an attacker to exploit a prototype pollution issue if another part of the application has already polluted the Object.prototype. By doing so, the attacker can intercept and modify JSON responses or take control of the HT...
[Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk
In the rapid evolution of the 2026 threat landscape, a frustrating paradox has emerged for CISOs and security leaders: identity programs are maturing, yet the risk is actually increasing. According to new research from the Ponemon Institute, hundreds of applications within the typical enterprise...
cveClient security vulnerability
cveClient is an open-source browser-based CVE record management client developed by the CERT Coordination Center (CERT/CC). cveClient has a security vulnerability, which stems from the unprotected storage of API keys in the browser client, potentially leading to credential exposure...
PT-2026-28263
UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate during SMTP connections. Attackers can intercept...
Public Google API keys can be used to expose Gemini AI data
Google Maps/Cloud API (Application Programming Interface) keys that used to be safe to publish can now, in many cases, be used as real Gemini AI credentials. This means that any key sitting in public JavaScript or application code may now let attackers connect to Gemini through its API, access data...
PT-2026-4739
Vulnerability in Altitude Authentication Service and Altitude Communication Server v8.5.3290.0 by Altitude, where manipulation of Host header in HTTP requests allows redirection to an arbitrary URL or modification of the base URL to trick the victim into sending login credentials to a malicious...
CVE-2025-68719
KAYSUS KS-WR3600 routers with firmware 1.0.5.9.1 mishandle configuration management. Once any user is logged in and maintains an active session, an attacker can directly query the backup endpoint and download a full configuration archive. This archive contains sensitive files such as /etc/shadow,...
CVE-2025-62330 HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information
HCL DevOps Deploy is susceptible to a cleartext transmission of sensitive information because the HTTP port remains accessible and does not redirect to HTTPS as intended. As a result, an attacker with network access could intercept or modify user credentials and session-related data via passive...
CVE-2025-13970 OpenPLC_V3 Cross-Site Request Forgery
OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settin...
CVE-2025-65844
EverShop 2.0.1 allows a remote unauthenticated attacker to upload arbitrary files and create directories via the /api/images endpoint. The endpoint is accessible without authentication by default, and server-side validation of uploaded files is insufficient. This can be abused to upload arbitrary...
GHSA-X39M-3393-3QP4 Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)
Summary Unverified Email Change - Email as part of Credential / Unverified Account Recovery Channel Change The application allows changing the account email address used as a login identifier and/or password recovery address without verifying the requester’s authority to make that change no...
EUVD-2025-56967
Malicious code in tuti-gembus86-sluey npm...
Malicious code in mobile_tern_z3n (npm)
Source: amazon-inspector 44f4edf1a0872bd59ba3902b80923f6c3d565d8181160c8af1e8f07ecd3e4264. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts (auto.js,...
EUVD-2020-20574
Malware in sbrugna...
EUVD-2023-30910
Malicious code in bioql PyPI...
MAL-2025-43875 Malicious code in commitlint-query-loop-gulp (npm)
The package commitlint-query-loop-gulp was found to contain malicious code...
PT-2025-34658 · Dasan · Dasan Gpon Onu H660Wm
Name of the Vulnerable Software and Affected Versions: DASAN GPON ONU H660WM versions H660WMR210825 Description: The DASAN GPON ONU H660WM device contains insecure default credentials in the modem’s control panel. Recommendations: Change the default credentials of the modem’s control panel...
PT-2025-28278 · Sap Se · Sap Netweaver App Server Abap & Abap Platform
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a repla...
CVE-2024-51553
Predictable filename vulnerabilities in ASPECT may expose sensitive information to a potential attacker if administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.; NEXUS Series: through 3.; MATRIX Series: through 3...