EUVD-2026-5350

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7...

CVE-2026-25505 Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication

Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7...

Race Condition

Overview @modelcontextprotocol/sdk is a Model Context Protocol implementation for TypeScript Affected versions of this package are vulnerable to Race Condition via the reuse of a single McpServer or Server instance and transport across multiple concurrent client connections. An attacker can acces...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in PyJWT-2.10.1-py3-none-any.whl

Summary IBM Watson Discovery Cartridge affected by vulnerability in PyJWT-2.10.1-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-45768 DESCRIPTION: pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the...

CVE-2025-14740

Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer's handling of the C:\ProgramData\DockerDesktop directory. The installer creates this directory without proper ownership verification, creating two exploitation scenarios: Scenario 1...

MAL-2026-725 Malicious code in json-mapping-source (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 093c061d05775b657e0d7cd8c3473c81e17667c9f400d38dd2e95db3541bc622 The package json-mapping-source was found to contain malicious code. Source: ghsa-malware...

Malicious code in json-mapping-source (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 093c061d05775b657e0d7cd8c3473c81e17667c9f400d38dd2e95db3541bc622 The package json-mapping-source was found to contain malicious code. Source: ghsa-malware...

Malicious Package

Overview json-mapping-source is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVE-2025-69971

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...

PT-2026-6350

Summary Cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. Impact Who is affected: Any MCP server deployment using the TypeScript SDK where a sing...

jsonwebtoken 安全漏洞

jsonwebtoken is an implementation of a JSON Web Token developed by Auth0 as open source. Versions of jsonwebtoken prior to 10.3.0 contained a security vulnerability. This vulnerability stemmed from a declaration verification logic that had type confusion issues, which could lead to bypassing...

NVIDIA Triton Inference Server EVBufferToJson Uncaught Exception Denial-of-Service Vulnerability

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of NVIDIA Triton Inference Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the EVBufferToJson method. The issue results from the lack ...

Devtron 安全漏洞

Devtron is an open-source Kubernetes cloud-native tool integration platform developed by Devtron. Versions of Devtron 2.0.0 and earlier contained security vulnerabilities. These vulnerabilities were caused by improper access control in the Attributes API interface, which could lead to the...

PT-2026-6657

Name of the Vulnerable Software and Affected Versions EPyT-Flow versions prior to 0.16.1 Description EPyT-Flow is a Python package used for generating hydraulic and water quality scenario data for water distribution networks. The REST API parses attacker-controlled JSON request bodies using a...

PT-2026-6317

Name of the Vulnerable Software and Affected Versions Devtron versions prior to 2.0.0 Description Devtron is a tool integration platform for Kubernetes. A flaw exists in the Attributes API interface that allows authenticated users to obtain the global API Token signing key by accessing the...

GHSA-H395-GR6Q-CPJC jsonwebtoken has Type Confusion that leads to potential authorization bypass

Summary: It has been discovered that there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim such as nbf or exp is provided with an incorrect JSON type Like a String instead of a Number, the library’s internal parsing mechanism...

Use of Hard-coded Credentials

Overview fuxa-server is a Web-based Process Visualization SCADA/HMI/Dashboard software Affected versions of this package are vulnerable to Use of Hard-coded Credentials via the jwt-helper.js when verifying JWT tokens. An attacker can gain unauthorized administrative access by forging valid tokens...

CVE-2025-69971

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...

EUVD-2025-206717

FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access...

PT-2026-6431

Summary: It has been discovered that there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim such as nbf or exp is provided with an incorrect JSON type Like a String instead of a Number, the library’s internal parsing mechanism...