CVE-2026-48245
Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud...
CVE-2026-48244 Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in settings.inc.php
Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google...
MAL-2026-4462 Malicious code in @vino.tian/vibe-kanban (npm)
Source: amazon-inspector 7f1533bb7e55b1bcd10291aa9f19e2a5cbe5755a7a6a7343d38fbd3ff8064a1f. This package is published as @vino.tian/vibe-kanban and copies its README, name, and feature description from BloopAI's legitimate vibe-kanban projec...
MAL-2026-4510 Malicious code in cerebrum-core (npm)
Source: amazon-inspector e0ac38481a69f23f9170b098fcd48cd72b82edb969bdd44eb3aa5cc377a13a0d. On npm install, the package's postinstall hook runs setup.js, which decodes an embedded base64 string into a tar.gz file at ../../../tempbundle.tar.g...
Cockpit 359 - RCE
Exploit Title: Cockpit 359 - RCE Date: 18-04-2026 Exploit Author: @intx0x80 Vendor Homepage: https://cockpit-project.org/ Software Link: https://github.com/cockpit-project/cockpit Version: 327-359 Tested on: Debian CVE: CVE-2026-4631 import base64 import argparse import requests import urllib3...
PT-2026-45158
Vulnerable software and affected versions: Twig (affected versions not specified). Description: SandboxNodeVisitor fails to fully enforce SecurityPolicy::checkMethodAllowed for implicit toString calls because the set of wrapped AST nodes in CheckToStringNode is incomplete. This allows a...
PT-2026-42592
Content removed...
PT-2026-42523
Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud...
Cockpit 359 Remote Code Execution
Cockpit versions 357 through 359 suffer from a remote code execution vulnerability. Exploit Title: Cockpit 359 - RCE Date: 18-04-2026 Exploit Author: @intx0x80 Vendor Homepage: https://cockpit-project.org/ Software Link: https://github.com/cockpit-project/cockpit Version: 327-359 Tested on: Debia...
CVE-2026-40102
Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F expression without validation, unlike the regular AnalyticsEndpoint, which checks against an allowlist, causing ORM Field...
GO-2026-4952 Vikunja vulnerable to Privilege Escalation via Project Reparenting in code.vikunja.io/api
Vikunja vulnerable to Privilege Escalation via Project Reparenting in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability...
MAL-2026-4640 Malicious code in pino-formatter (npm)
Source: amazon-inspector e6318f85af0cd86060232fbc606115e300e1022220ffda545f9e6c6157ef6f55. Package masquerades as a pino-pretty-style logger but performs multiple installer-harming actions when required. On import, dist/logger.js: 1 on Linu...
Astra Linux - vulnerability in linux, linux-5.10
In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure fields. If the driver reads a value that is sufficient for the condition: val & 0x08 && !(val & 0x80) && ((val & 0x7) == ((val >> 4) & 0x7)) NULL pointer...
Astra Linux - vulnerability in vim
Out-of-bounds read in the GitHub repository for Vim before version 9.0.0212...
MAL-2026-4446 Malicious code in @solarcraft/observix (npm)
Source: amazon-inspector 14c39608a172a624520f309b572b40636dc51563f85fe89dac968712490dd40f. The package advertises itself as a zero-dependency colorized logger similar to pino-pretty, but dist/index.js does require('./logger') purely for its...
PT-2026-42385
Kopia: RCE via SSH ProxyCommand Injection in github.com/kopia/kopia...
PT-2026-42369
Nuclei: Local File Read via require Module Loader Bypass in github.com/projectdiscovery/nuclei...
PT-2026-42178
CVE-2026-47237 – Overly Permissive Istio Permissions Allow Kubeflow Authorization Token Stealing https://t.co/NYDWRfbN4F...
PT-2026-42370
monetr: Server-side request forgery in Lunch Flow link creation and refresh in github.com/monetr/monetr...