CVE-2025-11500 Credentials exposure in tinycontrol devices

Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms - one solely for interface management and one for protecting all other server resources. When the latter is turned off which is a default setting, an unauthenticated attacker on...

PT-2026-25661

Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication mechanisms - one solely for interface management and one for protecting all other server resources. When the latter is turned off which is a default setting, an unauthenticated attacker on...

PT-2026-25765

A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected...

Authlib 加密问题漏洞

Authlib is an open-source library developed by Authlib, designed as a ultimate Python library for building OAuth and OpenID Connect servers. Versions of Authlib prior to 1.6.9 contained a security vulnerability related to encryption. This vulnerability stemmed from a cryptographic padding mechani...

EulerOS 2.0 SP11 : haproxy (EulerOS-SA-2026-1608)

According to the versions of the haproxy package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON...

Authlib 数据伪造问题漏洞

Authlib is an open-source library developed by Authlib, designed to build servers for OAuth and OpenID Connect. Versions of Authlib prior to 1.6.9 contained a data manipulation vulnerability, caused by header injection in the JWS implementation. This vulnerability could allow unauthenticated...

Malicious code in transform-json-strings (npm)

The package 'transform-json-strings' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

MAL-2026-1569 Malicious code in transform-json-strings (npm)

The package 'transform-json-strings' is part of the PhantomRaven supply chain attack campaign Wave 3. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

PT-2026-28436

Name of the Vulnerable Software and Affected Versions versions prior to 2026 Description The Delete function does not correctly validate offsets when processing malformed JSON input. This can result in a negative slice index and a runtime panic, potentially leading to a denial of service attack...

CVE-2026-4186 UEditor JSONP Callback controller.php cross site scripting

A vulnerability was determined in UEditor up to 1.4.3.2. This issue affects some unknown processing of the file php/controller.php?action=uploadimage of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated...

MAL-2026-1432 Malicious code in dgl-cu117 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4f9fcfe9f469df3c132eca5b08bac4a30c146c7b1305f506fd900b1e78581b0d During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

Malicious code in dgl-cu117 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4f9fcfe9f469df3c132eca5b08bac4a30c146c7b1305f506fd900b1e78581b0d During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

Malicious code in python-anchor (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 914b16cbc506c57a77eeed5ae14955bcf3b58fa49da92c2686b56a1d531c5268 During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

Malicious code in my-super-lib (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 58a8ef40f042f56d80d455abeb03442516dfd8ed81f462d9da071089ff82f31e During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

Malicious code in ariadne-federation (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 3eb5492b220fedd5fedb29045328e749d659aea6e38ed743f7aace2d623d07d2 During import, package decrypts and runs a malicious executable. The executable is hidden in an encoded and xored form in the JSON resource file. This is a...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: perl-JSON-XS (UTSA-2026-006133)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006133 advisory. JSON::XS before version 4.04 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other...

EUVD-2026-11748

wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret...

Centrifugo's InsecureSkipTokenSignatureVerify flag silently disables JWT verification with no warning

Summary Centrifugo supports a configuration flag insecureskiptokensignatureverify that completely disables JWT signature verification. When enabled, Centrifugo accepts any JWT token regardless of signature validity — including tokens signed with wrong keys, random signatures, or no signature at...

EUVD-2026-11728

PyJWT accepts unknown crit header extensions...

PyJWT accepts unknown `crit` header extensions

Summary PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This is t...