CVE-2026-27626
CVE-2026-27626 affects OliveTin up to 3000.10.0, where shell mode allows arbitrary OS commands. Two vectors exist: (1) authenticated user exploits password-typed argument despite checkShellArgumentSafety, (2) unauthenticated webhook-triggered JSON values bypass safety and reach sh -c. Both lead t...
PT-2026-21844
Name of the Vulnerable Software and Affected Versions: OliveTin versions up to and including 3000.10.0. Description: OliveTin, a tool designed to simplify shell command execution, has flaws in its shell command execution mechanism. The checkShellArgumentSafety function does not block the password...
PT-2026-22088
Name of the Vulnerable Software and Affected Versions: Drupal Canvas versions prior to 1.1.1. Description: A Server-Side Request Forgery (SSRF) issue exists in the Drupal Canvas module. The vulnerability is exposed when the hidden canvas_ai submodule is enabled, typically through Drupal Recipes or...
Optimizations in Spring MVC
Spring Fruits Benchmark. Abstract: Benchmarks are tricky to do well, and the results are often hard to interpret. This analysis attempts to go beyond a simple headline number to explore how performance varies with data set size. The results show that while results might be disappointing for a given...
PT-2026-21965
Name of the Vulnerable Software and Affected Versions: OpenSIPS versions 3.1 through 3.6.3. Description: The software contains a SQL injection issue within the jwt_db_authorize function in the auth_jwt module when a SQL database backend is used and db_mode is enabled. The function incorporates a tag...
Cross-site Scripting (XSS)
Overview: nicegui is a package for creating web-based user interfaces with Python, the nice way. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the run_method function. An attacker can execute arbitrary JavaScript in the victim's browser by supplying crafted input as a method...
GHSA-78QV-3MPX-9CQQ NiceGUI vulnerable to XSS via Code Injection during client-side element function execution
Summary: Several NiceGUI APIs that execute methods on client-side elements (Element.run_method, AgGrid.run_grid_method, EChart.run_chart_method, and others) use an eval fallback in the JavaScript-side runMethod function. When user-controlled input is passed as the method name, an attacker can inject...
GHSA-4R4R-4JP4-WWF9 FUXA has JWT Authentication Bypass via HTTP Referer header spoofing
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can...
CVE-2026-27589 Caddy vulnerable to cross-origin config application via local admin API /load (caddy)
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled, enforce_origin not...
Secure-auth-api
🔐 Secure Auth API — Built → Broken → Fixed A hands-on securit...
SUSE-SU-2026:0618-1 Security update for protobuf
This update for protobuf fixes the following issues: - CVE-2026-0994: Fixed google.protobuf.Any recursion depth bypass in Python json_format.ParseDict (bsc#1257173)...
MAL-2026-1017 Malicious code in json-mapping-srcs (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e1a4791659c68903f36ecfbf9da2e8af6dacdb98a4a525d5f104d43b07260cca The package json-mapping-srcs was found to contain malicious code. Source: ghsa-malware...
Malicious Package
Overview: json-mapping-srcs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
EUVD-2026-7398
Pimcore is an Open Source Data & Experience Management Platform. In versions up to and including 11.5.14.1 and 12.3.2, the filter query parameter in the dependency listing endpoints is JSON-decoded and the value field is concatenated directly into RLIKE clauses without sanitization or parameteriz...
📄 Advanced JUNG Smart Visu Security Scanner
This is a multi-threaded security scanner for JUNG Smart Visu servers that detects reflected cross site scripting, header injection, open redirects, and JSON injection. It tests predefined endpoints with custom payloads, analyzes HTTP responses for vulnerabilities, and generates a detailed report...
python: protobuf: Protobuf: Denial of Service due to recursion depth bypass
A flaw was found in protobuf. A remote attacker can exploit this denial-of-service (DoS) vulnerability by supplying deeply nested google.protobuf.Any messages to the google.protobuf.json_format.ParseDict function. This bypasses the intended recursion depth limit, leading to the exhaustion of Python’...
langextract-poc
LangExtract POC - Hexagonal Architecture. Extraction system...