CVE-2026-8077 Weak credentials vulnerability in the CashDro 3 web administration panel

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escala...

exim: Fix of CVE-2026-40685

CVE-2026-40685: fix OOB heap write in dewrap during JSON expansion...

CLSA-2026-1778147777 exim: Fix of CVE-2026-40685

CVE-2026-40685: fix OOB heap write in dewrap during JSON expansion...

CVE-2024-46508

yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens is the secret is not changed by setting YETIAUTHSECRETKEY to a value other than SECRET...

EUVD-2026-28462

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodie...

Nuclei 访问控制错误漏洞

Nuclei is a fast-customizable vulnerability scanner based on simple YAML, open-sourced by ProjectDiscovery. In versions 3.0.0 to 3.8.0 of Nuclei, there was an access control vulnerability. This vulnerability stemmed from the JavaScript protocol’s runtime feature, which allowed reading of local.js...

CVE-2025-55449

AstrBotDevs AstrBot 3.5.15 has AdvancedSystemforTextResponseandBotOperationsTool as the hardcoded private key used to sign a JWT...

CVE-2026-29975

CVE-2026-29975 affects lwjson 1.8.1. The vulnerability is in the streaming JSON parser (lwjson_stream.c): end-of-string detection incorrectly checks only the immediately preceding character for escapes, instead of counting consecutive backslashes. This can cause valid JSON strings ending with an ...

PT-2026-39263

Name of the Vulnerable Software and Affected Versions MCP Registry versions prior to 1.7.7 Description The public catalogue UI served at the 'GET /' endpoint is subject to stored cross-site scripting. This occurs via the server.websiteUrl field of published server.json files. The server-side...

PT-2026-39144

Name of the Vulnerable Software and Affected Versions lwjson version 1.8.1 Description Improper input validation in the streaming JSON parser lwjson stream.c occurs because the end-of-string detection logic incorrectly identifies escaped quote characters. The system only checks the immediately...

CVE-2024-46508

yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens is the secret is not changed by setting YETIAUTHSECRETKEY to a value other than SECRET...

CVE-2024-46508

CVE-2024-46508 affects yeti-platform yeti before 2.1.12. The issue allows an attacker to generate valid JWT tokens if YETI_AUTH_SECRET_KEY remains at the default SECRET. CVSS v3.1 base score 7.5 (High) with Network attack vector and no privileges required. Root cause: secret key used for JWT sign...

CashDro 安全漏洞

CashDro is an intelligent device system developed by CashDro Corporation, designed for automated management of cash receipts and change dispensing at stores. Version 3.24.01.00.26 of CashDro contains a security vulnerability. This vulnerability stems from the lack of authorization control in the...

Yeti Platform 信任管理问题漏洞

Yeti Platform is an open-source daily threat intelligence platform developed by Yeti Platform. Versions of Yeti Platform prior to 2.1.12 had a trust management vulnerability. This vulnerability occurred because allowing attackers to generate valid JWT tokens occurred without changing the...

n8n-MCP 日志信息泄露漏洞

n8n-MCP is a model context protocol server developed by Romuald Członkowski, an individual developer. Versions of n8n-MCP prior to 2.47.11 contained a vulnerability related to log information leakage. This vulnerability occurred when POST /mcp requests under HTTP transmission mode wrote metadata...

PT-2026-39290

Summary MikroORM's identifier-quoting helper Platform.quoteIdentifier and the postgres/mssql overrides and its JSON-path emitters Platform.getSearchJsonPropertyKey, quoteJsonKey did not properly escape characters that delimit the SQL identifier or string-literal context they emit into. When...

PT-2026-39193

Name of the Vulnerable Software and Affected Versions SmarterTools SmarterMail versions prior to 9560 Description An issue in the '/api/v1/report/summary/type' API endpoint allows authenticated users to perform local file inclusion, enabling the reading of arbitrary .json files on the system. Thi...

AstrBot 安全漏洞

AstrBot is an open-source multi-platform LLM chatbot and development framework created by AstrBot. Version 3.5.15 of AstrBot contains a security vulnerability, which stems from the use of hard-coded private keys for signing JWTs...

CVE-2025-55449

AstrBotDevs AstrBot 3.5.15 has AdvancedSystemforTextResponseandBotOperationsTool as the hardcoded private key used to sign a JWT...

CVE-2024-46508

yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens is the secret is not changed by setting YETIAUTHSECRETKEY to a value other than SECRET...