CVE-2026-36610

Mercusys AC12G EU V1 with firmware AC12GEUV1200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials...

PT-2026-45998

Mercusys AC12G EU V1 with firmware AC12GEU V1 200909 transmits DDNS credentials over plaintext HTTP with only Base64 encoding. The firmware contains no TLS implementation, allowing man-in-the-middle interception of DDNS service credentials...

MAL-2026-4753 Malicious code in gt-tester-exp-profiler-exp-00000017 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f1490f970bd52c80c89f33029f9e875f1fb595014621d50e0ce87a167d1cd348 setup.py installs a site-wide.pth file gttesterexpprofilerexp00000017probe.pth into site-packages that imports the package's probe module and calls...

Malicious code in rimraf-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a59d88d733415216903578b3c3806d76405a23a7cca56ee355eb6725e4e930d4 [email protected] impersonates the widely-installed rimraf package index.js is a dummy stub that internally identifies itself as 'lodash-js — Just a...

MAL-2026-3747 Malicious code in @aiscene/aiserver (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 542fdb1c23b52adda0ed5164b65c9768aef7a5edd45473f9cd3ceab3065b1bb3 When the installed aiserver tool is started via its bin, npm start, or loading dist/index.js, it registers the host with a hardcoded remote controlle...

EUVD-2026-26714

Bandit trusts client-supplied URI scheme on plaintext connections...

EEF-CVE-2026-39807 Client-supplied URI scheme trusted without transport verification in bandit

Summary Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determinescheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring...

CVE-2026-39807 Client-supplied URI scheme trusted without transport verification in bandit

Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determinescheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the...

EUVD-2026-25075

Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript executi...

CVE-2026-41468

Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript executi...

CVE-2026-41468 Beghelli Sicuro24 SicuroWeb AngularJS Sandbox Escape via Template Injection

Beghelli Sicuro24 SicuroWeb embeds AngularJS 1.5.2, an end-of-life component containing known sandbox escape primitives. When combined with template injection present in the same application, these primitives allow attackers to escape the AngularJS sandbox and achieve arbitrary JavaScript executi...

CVE-2026-31924 Apache APISIX: Plugin tencent-cloud-cls log export uses plaintext HTTP

Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX. tencent-cloud-cls log export uses plaintext HTTP This issue affects Apache APISIX: from 2.99.0 through 3.15.0. Users are recommended to upgrade to version 3.16.0, which fixes the issue...

Apache Apisix 安全漏洞

Apache Apisix is a cloud-native microservices API gateway service provided by the Apache Foundation in the United States. This software is implemented based on OpenResty and etcd, featuring dynamic routing and hot loading of plugins. It is suitable for API management within microservice systems...

CVE-2026-32309 Cryptomator: Hub unlocking accepts plaintext HTTP and unvalidated endpoint schemes

Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, the Hub-based unlock flow explicitly supports hub+http and consumes Hub endpoints from vault metadata without enforcing HTTPS. As a result, a vault configuration can drive OAuth and key-loading traffic over...

CVE-2026-32034 OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP

OpenClaw versions prior to 2026.2.21 contain an authentication bypass vulnerability in the Control UI when allowInsecureAuth is explicitly enabled and the gateway is exposed over plaintext HTTP, allowing attackers to bypass device identity and pairing verification. An attacker with leaked or...

OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access

Description In affected releases, when an operator explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device identity + pairing guarantees. This required a...

GHSA-3CVX-236H-M9FJ OpenClaw has an opt-in insecure Control UI auth over plaintext HTTP could allow privileged access

Description In affected releases, when an operator explicitly enabled gateway.controlUi.allowInsecureAuth: true and exposed the gateway over plaintext HTTP, Control UI authentication could permit privileged operator access without the intended device identity + pairing guarantees. This required a...

EUVD-2012-4855

Malware in sbrugna...

EUVD-2018-0794

Malware in sbrugna...

CVE-2022-2338

Softing Secure Integration Server V1.22 is vulnerable to authentication bypass via a machine-in-the-middle attack. The default the administration interface is accessible via plaintext HTTP protocol, facilitating the attack. The HTTP request may contain the session cookie in the request, which may...