PT-2026-39715
Name of the Vulnerable Software and Affected Versions: Inbox Zero versions prior to 2.29.3. Description: The cleaner email stream endpoint used a shared Redis subscription listener. This configuration could result in thread events for one authenticated account being delivered to another authenticate...
CVE-2026-42294 Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in Webhook Interceptor
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request body into memory before authenticating the request or verifying its signature. This occurs on the...
SUSE CVE-2026-43265
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Ignore -EBUSY when checking nested events from vcpublock Ignore -EBUSY when checking nested events after exiting a blocking state while L2 is active, as exiting to userspace will generate a spurious userspace exit,...
Permissive Cross-domain Policy with Untrusted Domains
Overview: @yoda.digital/gitlab-mcp-server is a GitLab MCP Server, a Model Context Protocol server for GitLab integration. Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the SSE HTTP transport when USESSE=true is set, which lacks...
LangChain vulnerable to unsafe deserialization of attacker-controlled objects through overly broad `load()` allowlists
LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other application-controlled payloads using overly broad object allowlists. These paths may call `load()` with `allowed_objects="all"`. This does not enable arbitrary Python object deserialization, but it does allow...
CVE-2026-41432 New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud
New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without...
GHSA-M9G3-3G99-MHPX eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
Summary: eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Events line terminators (\n, \r, or \r\n) and thereby forge additional SSE fields or entire messages on the...
NPM: eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields
NPM: eventsource-encoder vulnerable to SSE event injection via unsanitized event and id fields vulnerability discovered by ? in WordPress Npm eventsource-encoder versions = 1.0.1...
Incorrect Authorization
Overview: open-webui is an Open WebUI. Affected versions of this package are vulnerable to Incorrect Authorization in the ydoc:document:update handler. An attacker can inject, modify, or delete content in collaborative documents by emitting crafted Socket.IO events after joining a document room wit...
CVE-2026-43373
The CVE-2026-43373 entry describes a Linux kernel vulnerability in the net: ncsi subsystem. Early return paths in NCSI RX and AEN handlers fail to release received skbuffers (skb) when processing invalid AEN packets or failing to resolve NCSI devices/handlers, leading to a memory leak. The impact...
CVE-2025-0305
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-08 07:32:00+00:00 | seen | https://bsky.app/profile/dusk-services.bsky.social/post/3mld7mb7uwa2u |
| 2026-05-08 07:32:00+00:00 | seen | https://bsky.app/profile/dusk-services.bsky.social/post/3mld7madfxm2a |
| 2026-05-08 07:32:01+00:00 | seen | ... |
Linux kernel security vulnerability
The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from an issue in the NCSI RX and AEN processing routines. This issue causes the received skb packets t...
PT-2026-39241
Name of the Vulnerable Software and Affected Versions: eventsource-encoder versions prior to 1.0.2. Description: The software fails to sanitize the event and id fields of an EventSourceMessage before serialization in the encodeMessage function. An attacker who controls these fields can inject...
CVE-2026-34327
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-07 23:07:43+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mlcdgizqaa2l |
| 2026-05-07 23:39:51+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mlcf7ydo2h2e |
| 2026-05-09 01:07:07+00:00 | seen | ... |
CVE-2026-33823
Technical details (affected product/component, root cause, exploit specifics, and remediation) are not publicly available in the provided documents. Monitor for updates from the listed sources (NVD, CVE List, MSRC, Attackerkb).
CVE-2026-33823 Microsoft Team Events Portal Information Disclosure Vulnerability
...
CVE-2025-14341
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-07 16:54:03+00:00 | seen | https://bsky.app/profile/postac001.bsky.social/post/3mlbokdfb3v2e |
| 2026-05-07 17:09:58+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mlbpgsdmla2z |
| ... | | |