9021 matches found

Positive Technologies
added 2026/05/20 12:00 a.m. | 9 views

PT-2026-42207

Summary The SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553" — a Go http.Server.Addr of ":5553" listens on every interface. On...

CVSS 4.3 | AI score 5.8 | EPSS 0.00197
Exploits: 0 | References: 5
Tenable Nessus
added 2026/05/20 12:00 a.m. | 11 views

Amazon Linux 2023 : python3.14, python3.14-devel, python3.14-freethreading (ALAS2023-2026-1674)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1674 advisory. The import hook in CPython that handles legacy .pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader, a base class, and so does not use io.open_code to read the .pyc files. sys.audit handle...

CVSS 5.7 | AI score 5.8 | EPSS 0.00202
Exploits: 0 | References: 4
Circl
added 2026/05/19 7:42 p.m. | 10 views

GHSA-JXXR-4GWJ-5JF2

creationtimestamp | type | source
---|---|---
2026-05-19 19:42:10+00:00 | seen | https://gist.github.com/konard/d8a22725a8b00a188eb2098b18eaa766
2026-05-19 19:44:33+00:00 | seen | https://gist.github.com/konard/beb604d0f86e740a59c10cc19fb9b50b
2026-05-19 20:19:30+00:00 | seen | ...

AI score 5.8
Exploits: 0 | References: 8
Circl
added 2026/05/19 7:02 p.m. | 7 views

CVE-2026-36829

creationtimestamp | type | source
---|---|---
2026-05-19 19:02:17+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mma3cp2l3s2k
2026-05-19 19:02:24+00:00 | seen | https://bsky.app/profile/potato.software/post/3mma3cpz45z25
2026-05-19 21:02:48+00:00 | seen | ...

CVSS 9.8 | AI score 5.8 | EPSS 0.01268
Exploits: 0 | References: 3
OSV
added 2026/05/19 2:36 p.m. | 2 views

GHSA-9V4J-7G44-QCQW Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication

Summary When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind — no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no...

CVSS 5.3 | AI score 5.8
Exploits: 0 | References: 2
Snyk
added 2026/05/19 2:36 p.m. | 5 views

Insecure Default Initialization of Resource

Overview Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in the GenFileChangeEvents handler. An attacker can obtain continuous access to sensitive file and directory information by connecting to the SSE endpoint without authentication. Remediation...

CVSS 6.9 | AI score 5.8
Exploits: 0 | References: 4
Github Security Blog
added 2026/05/19 2:36 p.m. | 8 views

Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication

Summary When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind — no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no...

AI score 5.8
Exploits: 0 | References: 2 | Affected Software: 1
RedHat Linux
added 2026/05/19 1:35 p.m. | 11 views

cpython: CPython: Logging Bypass in Legacy .pyc File Handling

A flaw was found in CPython. This vulnerability allows a local user with low privileges to bypass security auditing mechanisms. The issue occurs because the SourcelessFileLoader component, responsible for handling older Python compiled files (.pyc), does not properly trigger system audit events. Th...

CVSS 5.7 | AI score 7.2 | EPSS 0.00202
Exploits: 0 | References: 9
RedHat Linux
added 2026/05/19 1:33 p.m. | 7 views

cpython: CPython: Logging Bypass in Legacy .pyc File Handling

A flaw was found in CPython. This vulnerability allows a local user with low privileges to bypass security auditing mechanisms. The issue occurs because the SourcelessFileLoader component, responsible for handling older Python compiled files (.pyc), does not properly trigger system audit events. Th...

CVSS 5.7 | AI score 7.2 | EPSS 0.00202
Exploits: 0 | References: 9
Snyk
added 2026/05/19 6:22 a.m. | 9 views

Incorrect Implementation of Authentication Algorithm

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm through the TokenManager and OIDC endpoint token checks ...

CVSS 5.4 | AI score 5.4 | EPSS 0.0025
Exploits: 0 | References: 2
NVD
added 2026/05/18 8:16 p.m. | 10 views

CVE-2026-45245

Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthines...

CVSS 7.4 | EPSS 0.0033
Exploits: 1 | References: 4
RedhatCVE
added 2026/05/18 7:59 p.m. | 7 views

CVE-2026-8757

A vulnerability was found in adenhq hive up to 0.11.0. This affects the function readeventstail of the file core/framework/server/routessessions.py of the component Delete Request Handler. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit has...

CVSS 9.1 | AI score 6.7 | EPSS 0.0061
Exploits: 0 | References: 1
Cvelist
added 2026/05/18 7:00 p.m. | 27 views

CVE-2026-45245 Summarize < 0.15.1 Unauthorized Daemon Request via Untrusted Events

Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthines...

CVSS 7.4 | EPSS 0.0033
Exploits: 1 | References: 4
ATTACKERKB
added 2026/05/18 7:00 p.m. | 6 views

CVE-2026-45245

Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthines...

CVSS 7.4 | AI score 5.8 | EPSS 0.0033
Exploits: 1 | References: 5
RedhatCVE
added 2026/05/18 2:57 p.m. | 9 views

CVE-2026-43968

A flaw was found in cowlib. An Improper Neutralization of CRLF Sequences (Carriage Return Line Feed Injection) vulnerability allows a remote attacker to inject bare carriage return characters into Server-Sent Events (SSE) fields. This enables event splitting and injection of arbitrary event types and...

CVSS 6.3 | AI score 5.6 | EPSS 0.00218
Exploits: 0 | References: 2
Circl
added 2026/05/18 11:39 a.m. | 6 views

CERTFR-2026-ACT-022

creationtimestamp | type | source
---|---|---
2026-05-18 11:39:08+00:00 | seen | https://bsky.app/profile/cert-fr.bsky.social/post/3mm4s3dwvnz2n
2026-05-18 11:39:09+00:00 | seen | https://social.numerique.gouv.fr/users/certfr/statuses/116595382450086436...

AI score 5.8
Exploits: 0 | References: 2
Circl
added 2026/05/18 6:00 a.m. | 8 views

CVE-2026-8786

creationtimestamp | type | source
---|---|---
2026-05-18 06:00:30+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3mm475sogkr2f
2026-05-18 06:00:48+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116594050785807637
2026-05-18 06:27:11+00:00 | seen | ...

CVSS 6.5 | AI score 6.5 | EPSS 0.00269
Exploits: 1 | References: 3
CNNVD
added 2026/05/18 12:00 a.m. | 5 views

Summarize Code Issue Vulnerability

Summarize is a multi-source rapid summarization tool developed by Peter Steinberger. Versions of Summarize prior to 0.15.1 have code vulnerabilities. These vulnerabilities stem from issues with the hover summary feature, which may allow malicious pages to assign synthetic mouse hover events on...

CVSS 7.4 | AI score 5.9 | EPSS 0.0033
Exploits: 1 | References: 1
Positive Technologies
added 2026/05/18 12:00 a.m. | 16 views

PT-2026-41724

Name of the Vulnerable Software and Affected Versions: Summarize versions prior to 0.15.1. Description: The hover summary feature allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links. This causes the extension to make authenticated daemon requests using stored...

CVSS 7.4 | AI score 5.8 | EPSS 0.0033
Exploits: 1 | References: 7
NVD
added 2026/05/17 2:16 p.m. | 17 views

CVE-2026-8757

A vulnerability was found in adenhq hive up to 0.11.0. This affects the function readeventstail of the file core/framework/server/routessessions.py of the component Delete Request Handler. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit has...

CVSS 9.1 | EPSS 0.0061
Exploits: 0 | References: 4