Lucene search

129 matches found

NVD | added yesterday | 3 views

CVE-2026-36608

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP 192.168.1.1 or localhost 127.0.0.1 as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the intern...

CVSS 8.8 | Exploits: 0 | References: 1

Cvelist | added yesterday | 4 views

CVE-2026-36608

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP 192.168.1.1 or localhost 127.0.0.1 as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the intern...

Exploits: 0 | References: 1

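Server-side validation of the InternalClient argument that would have refused the mapping described in the two CVE-2026-36608 entries above. This is an added illustrative example, not the Mercusys firmware's code; the gateway addresses, LAN subnet, requester address and the SOAP request body are constructed assumptions.

```python
"""Added example: validating the InternalClient argument of a UPnP IGD
AddPortMapping request so a LAN host cannot map an external port onto the
gateway itself. Illustrative code, not the Mercusys firmware; the gateway
addresses, LAN subnet and the SOAP request below are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Assumed gateway identity (constructed for the example).
GATEWAY_ADDRS = frozenset(ipaddress.ip_address(a) for a in ("192.168.1.1", "127.0.0.1"))
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def build_add_port_mapping(internal_client, external_port, internal_port, proto="TCP"):
    """Constructed SOAP body in the shape an IGD control point sends."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="{WANIP_NS}">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>{external_port}</NewExternalPort>
      <NewProtocol>{proto}</NewProtocol>
      <NewInternalPort>{internal_port}</NewInternalPort>
      <NewInternalClient>{internal_client}</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>example</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""


def parse_add_port_mapping(soap_body):
    """Return the AddPortMapping arguments as a dict of tag -> text."""
    root = ET.fromstring(soap_body)
    action = root.find(f".//{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("no AddPortMapping action in body")
    return {child.tag: (child.text or "").strip() for child in action}


def validate_mapping(args, requester_ip, strict=True):
    """Return (ok, reason). The checks that matter here: InternalClient must be
    a LAN host, never loopback and never one of the gateway's own addresses."""
    try:
        client = ipaddress.ip_address(args.get("NewInternalClient", ""))
    except ValueError:
        return False, "InternalClient is not an IP address"
    if client.is_loopback or client.is_unspecified or client.is_multicast:
        return False, "InternalClient is loopback/unspecified/multicast"
    if client in GATEWAY_ADDRS:
        return False, "InternalClient is the gateway itself"
    if client not in LAN_SUBNET:
        return False, "InternalClient is outside the LAN subnet"
    # Common hardening: a client may only map ports to its own address.
    if strict and client != ipaddress.ip_address(requester_ip):
        return False, "InternalClient must be the requesting host"
    try:
        ext = int(args["NewExternalPort"])
        internal = int(args["NewInternalPort"])
    except (KeyError, ValueError):
        return False, "missing or non-numeric port"
    if not (1 <= ext <= 65535 and 1 <= internal <= 65535):
        return False, "port out of range"
    if args.get("NewProtocol", "").upper() not in ("TCP", "UDP"):
        return False, "protocol must be TCP or UDP"
    return True, "ok"


def check_request(soap_body, requester_ip, strict=True):
    """Parse and validate in one step; the control point's source IP is passed in."""
    return validate_mapping(parse_add_port_mapping(soap_body), requester_ip, strict)
```

The `strict` policy (InternalClient must equal the requesting host) is the stronger of the two behaviours; gateways that intentionally allow mapping on behalf of other LAN hosts can pass `strict=False` and still keep the loopback and self-address checks, which are the ones this advisory is about.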
CERT | added 3 days ago | 4 views

PCTCore64.sys Windows kernel driver contains missing access control vulnerability

Overview The PCTCore64.sys Windows kernel driver from PC Tools Internet Security exposes its \\.\PCTCoreDriver device interface with no access control, allowing any user-mode process to interact with the driver and invoke privileged IOCTL (I/O control) commands. In a Bring Your Own Vulnerable Driver...

CVSS 7.8 | AI score 6 | EPSS 0.00015 | Exploits: 0

NVD | added 2026/05/27 3:16 p.m. | 6 views

CVE-2026-44830

Nocturne Memory is a lightweight, rollbackable, and visual Long-Term Memory Server for MCP Agents. Prior to 2.4.1, when APITOKEN is unset or empty, the BearerTokenAuthMiddleware bypasses authentication for all HTTP requests. Combined with the default 0.0.0.0 host binding and CORS alloworigins="",...

CVSS 8.7 | EPSS 0.00021 | Exploits: 0 | References: 1

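The fail-open pattern the CVE-2026-44830 entry describes, beside a fail-closed bearer-token check and a startup guard. This is an added illustrative example, not the Nocturne Memory middleware; the environment variable names, the loopback default bind address and the request headers used are assumptions/constructed.

```python
"""Added example: a bearer-token gate that fails closed when no token is
configured, next to the fail-open pattern the advisory describes.
Illustrative code, not Nocturne Memory's middleware; the environment
variable names, the default bind address and the request headers are
assumptions/constructed."""
import hmac
import os


def presented_token(headers):
    """Pull the token out of 'Authorization: Bearer <token>' (case-insensitive keys)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, token = lowered.get("authorization", "").partition(" ")
    return token.strip() if scheme.lower() == "bearer" else ""


def authorize_fail_open(headers, configured_token):
    """Vulnerable shape: an unset or empty token disables the check entirely,
    so every request is treated as authenticated."""
    if not configured_token:
        return 200
    if hmac.compare_digest(presented_token(headers), configured_token):
        return 200
    return 401


def authorize_fail_closed(headers, configured_token):
    """Hardened shape: no secret configured means no request can authenticate."""
    if not configured_token:
        return 503  # misconfiguration: refuse service instead of opening the API
    token = presented_token(headers)
    if token and hmac.compare_digest(token, configured_token):
        return 200
    return 401


def token_configured(env=None, var="API_TOKEN", min_len=32):
    """True only if a secret of usable length is present. The variable name
    and the length floor are assumptions."""
    env = os.environ if env is None else env
    return len(env.get(var, "").strip()) >= min_len


def load_token(env=None, var="API_TOKEN", min_len=32):
    """Startup check: fail before binding a socket if the secret is missing
    or too short, rather than starting with authentication disabled."""
    env = os.environ if env is None else env
    if not token_configured(env, var, min_len):
        raise RuntimeError(f"{var} must be set to at least {min_len} characters")
    return env[var].strip()


def bind_host(env=None, var="HOST"):
    """Default to loopback; listening on 0.0.0.0 has to be an explicit choice."""
    env = os.environ if env is None else env
    return env.get(var, "127.0.0.1")
```

`hmac.compare_digest` keeps the comparison constant-time; the `token and` guard in the hardened version also refuses an empty presented token so that an empty configured value can never match an absent header.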
NVD | added 2026/05/26 5:16 p.m. | 6 views

CVE-2026-2264

A vulnerability in the Google Cloud Apigee SetIntegrationRequest policy allowed remote attackers to perform Server-Side Request Forgery (SSRF) and exfiltrate service account access tokens. For successful exploitation, an administrator must initially establish an insecure configuration of the API...

CVSS 9.2 | EPSS 0.00188 | Exploits: 0 | References: 1

NVD | added 2026/05/19 12:16 p.m. | 7 views

CVE-2026-37978

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage,...

CVSS 4.9 | EPSS 0.00012 | Exploits: 0 | References: 4

CVE | added 2026/05/11 5:42 p.m. | 13 views

CVE-2026-44413

JetBrains TeamCity is affected by CVE-2026-44413, with the description: In JetBrains TeamCity before 2026.1, authenticated users could expose the server API to unauthorised access. The NVD entries corroborate this and assign a CVSS v3.1 base score of 8.2 (HIGH) with NETWORK attack vector, LOW int...

CVSS 8.2 | AI score 5.8 | EPSS 0.00003 | Exploits: 0 | References: 1 | Affected software: 1

CNNVD | added 2026/05/11 12:00 a.m. | 3 views

Wagtail security vulnerability

Wagtail is an open-source content management system (CMS) developed by Wagtail. Versions of Wagtail prior to 7.0.7, 7.3.2, and 7.4 contained security vulnerabilities. These vulnerabilities stemmed from the document and image APIs incorrectly listing items within private collections, potentially...

CVSS 5.3 | AI score 5.8 | EPSS 0.00013 | Exploits: 0 | References: 1

Snyk | added 2026/05/08 10:59 p.m. | 3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the nnef-oam route group due to missing inbound authentication and authorization checks. An attacker can gain unauthorized access to administrative operations by sending unauthenticated requests to the exposed...

CVSS 10 | AI score 5.8 | EPSS 0.00045 | Exploits: 1 | References: 3

Snyk | added 2026/05/08 10:59 p.m. | 2 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the nnef-oam route group due to missing inbound authentication and authorization checks. An attacker can gain unauthorized access to administrative operations by sending unauthenticated requests to the exposed...

CVSS 10 | AI score 5.8 | EPSS 0.00045 | Exploits: 1 | References: 3

EUVD | added 2026/04/28 1:06 p.m. | 3 views

EUVD-2026-26048

An improper access control vulnerability exists in the Cisco Intersight Device Connector for Nutanix Prism Central. The service exposes an API passthrough endpoint on TCP port 7373 that is accessible within the network scope of the deployment environment without authentication. An unauthenticated...

CVSS 8.8 | AI score 5.3 | EPSS 0.00136 | Exploits: 0 | References: 3

Vulnrichment | added 2026/04/21 5:05 p.m. | 0 views

CVE-2026-40584 RansomLook - Improper Filtering of Private Location Entries in API Endpoints Leads to Information Exposure

RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries...

CVSS 6.9 | AI score 5.8 | EPSS 0.00047 | Exploits: 0 | References: 2

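The list-mutation-during-iteration bug the CVE-2026-40584 entry describes, shown with constructed records so the skipped entry is visible, beside two correct filters. This is an added illustrative example, not RansomLook's code; the record shape and the `private` field name are assumptions.

```python
"""Added example: removing elements from a list while iterating over it
skips the element that shifts into the freed slot, so adjacent private
entries survive the filter. Constructed records, not RansomLook's code;
the 'private' field name is an assumption."""


def filter_private_buggy(entries):
    """Vulnerable shape. list.remove() shifts later items left by one while
    the iterator's index still advances, so the item right after each
    removed entry is never examined."""
    for entry in entries:
        if entry.get("private"):
            entries.remove(entry)
    return entries


def filter_private(entries):
    """Correct: build a new list; the input is left untouched."""
    return [e for e in entries if not e.get("private")]


def filter_private_inplace(entries):
    """Correct when the caller needs in-place mutation: iterate over a
    snapshot (list(entries)) and mutate the original."""
    for entry in list(entries):
        if entry.get("private"):
            entries.remove(entry)
    return entries


def leaked_private(entries):
    """Return the private entries the buggy filter still exposes, working on
    copies so the caller's data is not mutated."""
    survivors = filter_private_buggy([dict(e) for e in entries])
    return [e for e in survivors if e.get("private")]


# Constructed sample: two consecutive private entries trigger the skip.
SAMPLE = [
    {"name": "A", "private": False},
    {"name": "B", "private": True},
    {"name": "C", "private": True},   # skipped by the buggy loop
    {"name": "D", "private": False},
]
```

The trace for `SAMPLE`: at index 1 the loop removes B, C slides into index 1, the iterator moves to index 2 and inspects D, so C is returned as if it were public. Any filter that drops entries from a list it is walking has this property; the number of leaked items grows with the number of adjacent private entries.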
OSV | added 2026/04/21 12:01 p.m. | 1 view

BIT-AIRFLOW-2026-30912 Apache Airflow: Exposing stack trace in case of constraint error

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/exposestacktraces" was set to false. That could lead to exposing additional information to a potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue...

CVSS 7.5 | AI score 5.8 | EPSS 0.00095 | Exploits: 0 | References: 4

NVD | added 2026/04/21 10:16 a.m. | 1 view

CVE-2026-41036

This vulnerability exists in Quantum Networks router due to inadequate sanitization of user-supplied input in the management CLI interface. An authenticated remote attacker could exploit this vulnerability by injecting arbitrary OS commands on the targeted device. Successful exploitation of this...

CVSS 8.8 | EPSS 0.00295 | Exploits: 0 | References: 1

Positive Technologies | added 2026/04/21 12:00 a.m. | 1 view

PT-2026-34052

Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that hav...

CVSS 7.5 | AI score 5.8 | EPSS 0.00045 | Exploits: 0 | References: 3

RedhatCVE | added 2026/04/20 7:23 p.m. | 2 views

CVE-2026-30912

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/exposestacktraces" was set to false. That could lead to exposing additional information to a potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue...

CVSS 7.5 | AI score 5.8 | EPSS 0.00095 | Exploits: 0 | References: 1

ATTACKERKB | added 2026/04/18 6:20 a.m. | 0 views

CVE-2026-30912

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/exposestacktraces" was set to false. That could lead to exposing additional information to a potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue...

AI score 5.8 | EPSS 0.00095 | Exploits: 0 | References: 3

CNNVD | added 2026/04/18 12:00 a.m. | 5 views

Apache Airflow security vulnerability

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. However, Apache Airflow has security vulnerabilities. The...

CVSS 7.5 | AI score 5.8 | EPSS 0.00095 | Exploits: 0 | References: 2

Positive Technologies | added 2026/04/18 12:00 a.m. | 1 view

PT-2026-33593

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 3.2.0. Description: SQL errors cause the API to expose exception and stack trace information, even when the api/expose stack traces setting is disabled. This behavior can leak sensitive information to a potential...

CVSS 7.5 | AI score 5.8 | EPSS 0.00095 | Exploits: 0 | References: 7

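A single error handler that honours an expose-stack-trace switch for every exception class, including the database constraint errors that the Airflow entries above (BIT-AIRFLOW-2026-30912, CVE-2026-30912, PT-2026-33593) say slipped past the switch. This is an added illustrative example, not Airflow's code; the setting name, the stand-in error class and the response shape are assumptions.

```python
"""Added example: one central handler that logs the full trace server-side
and only puts it in the HTTP response when the operator explicitly enabled
that, for every exception class rather than an allow-list. Illustrative
code, not Apache Airflow's; the flag name, the ConstraintError stand-in and
the response body shape are assumptions."""
import logging
import traceback
import uuid

log = logging.getLogger("api.errors")


class ConstraintError(Exception):
    """Stand-in for a database integrity/constraint error (constructed)."""


def error_response(exc, expose_stacktrace):
    """Build the error body. The trace always goes to the server log under a
    reference id; it reaches the client only when expose_stacktrace is True."""
    ref = uuid.uuid4().hex
    tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("request failed ref=%s\n%s", ref, tb)
    body = {"status": 500, "title": "Internal Server Error", "ref": ref}
    if expose_stacktrace:
        body["detail"] = str(exc)   # may contain table/column names
        body["traceback"] = tb
    else:
        # Generic text only: str(exc) of a DB error leaks schema details.
        body["detail"] = f"Unexpected error, reference {ref}"
    return body


def run_guarded(handler, expose_stacktrace):
    """Wrap a request handler. Catching Exception (not a curated subset) is
    what keeps SQL/constraint errors on the same path as everything else."""
    try:
        return handler()
    except Exception as exc:  # noqa: BLE001 - deliberate catch-all at the boundary
        return error_response(exc, expose_stacktrace)


def failing_insert():
    """Constructed handler that hits a uniqueness constraint."""
    raise ConstraintError("UNIQUE constraint failed: dag.dag_id")
```

The check worth keeping in a regression test is the negative one: with the flag off, the body must contain neither a `traceback` key nor any fragment of the exception message, since schema names in `str(exc)` are exactly what an attacker probing an API is after.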
Positive Technologies | added 2026/04/15 12:00 a.m. | 1 view

PT-2026-33071

Name of the Vulnerable Software and Affected Versions: LangChain-ChatChat version 0.3.1. Description: An issue exists in the MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface to configure an MCP STDIO server using...

CVSS 8.6 | AI score 6.2 | EPSS 0.00207 | Exploits: 0 | References: 5
