149 matches found
CVE-2026-59720
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without...
CVE-2026-59720 Hoppscotch: Insecure Default Configuration Allows Public Exposure of Private Collection Data via Mock Server
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without...
CVE-2026-59720
Hoppscotch’s Mock API exposes private collection data due to a desync: mock-server.service.ts does not persist the isPublic input, while schema.prisma defaults isPublic to true, making mock servers linked to private collections publicly accessible without authentication. The vulnerability affects...
PYSEC-2026-291 Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Summary In backpropagate = 1.1.0, the optional Reflex web UI pip install backpropagateui, launched via backprop ui exposes a training control plane: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing...
GHSA-F65R-H4G3-3H9H Backpropagate: backprop ui --auth and backprop ui --share do not enforce authentication
Summary In backpropagate = 1.1.0, the optional Reflex web UI pip install backpropagateui, launched via backprop ui exposes a training control plane: dataset upload, model load, training start/stop, multi-run orchestration, GGUF export, and HuggingFace Hub push. The CLI accepts two operator-facing...
CVE-2026-44622
Charging station authentication identifiers are publicly accessible via web-based mapping platforms...
CVE-2026-7542
The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions 7.0 to 7.0.10. This is due to three compounding design flaws: 1 the plugin leaks a valid backend AJAX nonce revslideractions to all authenticated users including Subscribers via the adminfoote...
CVE-2026-49193
Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet...
CVE-2026-49193
Technical details about CVE-2026-49193 are not publicly available in the provided documents; monitor for updates from official sources.
CVE-2026-49193
Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet...
PT-2026-46151
Overly permissive configuration settings on cloud storage containers expose active telemetry information publicly to the internet...
CVE-2026-9508 Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar
Incorrect permission settings on a critical resource in Suprema BioStar 2 versions 2.9.3 through 2.9.11 that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly...
CVE-2026-9508
Incorrect permission settings on a critical resource in Suprema BioStar 2 versions 2.9.3 through 2.9.11 that allow backup files to be publicly exposed when the administrator configures their path within the NGINX webroot. This vulnerability allows an attacker with network access to directly...
CVE-2026-7482
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and...
EUVD-2026-26949
Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and...
CVE-2025-41118 Sensitive COS `SecretKey` exposed in plaintext via configuration API due to missing type protection
Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage COS. If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secretkey configuration value from the...
EUVD-2026-22941
LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. A remote attacker can access the publicly exposed MCP management interface and configure an MCP STDIO server with attacker-controlled commands and arguments. When...
CVE-2026-4057 Download Manager <= 3.3.51 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal
The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the makeMediaPublic and makeMediaPrivate functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for editposts capability...
CVE-2026-5970 FoundationAgents MetaGPT HumanEvalBenchmark/MBPPBenchmark check_solution code injection
A vulnerability was detected in FoundationAgents MetaGPT up to 0.8.1. This affects the function checksolution of the component HumanEvalBenchmark/MBPPBenchmark. Performing a manipulation results in code injection. The attack may be initiated remotely. The exploit is now public and may be used. Th...
PocketMine-MP: LogDoS by large complex unknown property logging in clientData in LoginPacket
Impact Attackers can put large and/or complex structures as a value to an unknown property in the clientData JWT body in the Minecraft LoginPacket, causing the server to generate very long log messages. Additionally, the property name is logged without any length limitations or sanitization, whic...