Vite Dev Server - Path Traversal in Optimized Deps .map Handling
Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePath(path.resolve(root, url.slice(1))) and call...
EUVD-2026-37946
Missing authentication for critical function in M365 Copilot allows an unauthorized attacker to disclose information over a network...
CVE-2026-47633
Exposure of sensitive information to an unauthorized actor in Cost Management Interactive Experiences allows an unauthorized attacker to disclose information over a network...
CVE-2026-49257 mcp-pinot: Unauthenticated tool invocation via default oauth_enabled=False + host 0.0.0.0 bind
mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 with no authentication enabled. All MCP tools, including SQL query execution, schema creation, and...
AVer PTC cameras
ADVISORY SUMMARY: Successful exploitation of this vulnerability could allow arbitrary code execution. 2. RECOMMENDED PRACTICES: CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Minimize network exposure for all control system devices and/or...
CVE-2026-35309
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware component: Centralized Third Party Jars. Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via...
GHSA-G8MR-85JM-7XHM Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
Summary: Vitest Browser Mode exposes a cdp API that forwards raw Chrome DevTools Protocol (CDP) methods over the Vitest browser WebSocket RPC. CDP is not gated by browser.api.allowWrite, browser.api.allowExec, api.allowWrite, or api.allowExec. As a result, disabling Browser Mode write and exec...
Directory Traversal
Overview: org.webjars.npm:vite is a Native-ESM powered web dev build tool. Affected versions of this package are vulnerable to Directory Traversal due to improper checks for file system paths on Windows platforms in the isFileLoadingAllowed function. An attacker can obtain sensitive file contents by...
PT-2026-49576
Name of the Vulnerable Software and Affected Versions: Vitest, affected versions not specified. Description: Browser Mode exposes a cdp API that forwards raw Chrome DevTools Protocol (CDP) methods over the browser WebSocket RPC. This API is not restricted by the browser.api.allowWrite,...
CVE-2026-49993
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack /...
CVE-2026-45670 Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99)
Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack /...
CVE-2026-42908
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network...
Fission Security Vulnerability
Fission is an open-source function deployment framework based on Kubernetes. Versions of Fission prior to 1.24.0 contain security vulnerabilities. These vulnerabilities arise from the exposure of spec.runtime.podSpec and spec.builder.podSpec in the Environment CRD during merging, without filterin...
EUVD-2026-35537
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network...
CVE-2026-44822
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network...
CVE-2026-42835
Improper neutralization of special elements in output used by a downstream component 'injection' in Microsoft Teams for Android allows an authorized attacker to disclose information over a network...
EUVD-2026-35597
Out-of-bounds read in Windows RDP allows an unauthorized attacker to disclose information over a network...
CVE-2026-45503
CVE-2026-45503 is an SSRF vulnerability in Microsoft Exchange Server that could allow an authorized attacker to disclose information over a network. The provided documents cite CVSSv3.1 base metrics: 8.1 (High), with NETWORK attack vector, LOW attack complexity, Privileges Required: LOW, no user ...
Microsoft Teams for Android Information Disclosure Vulnerability
Improper neutralization of special elements in output used by a downstream component 'injection' in Microsoft Teams for Android allows an authorized attacker to disclose information over a network...