CVE-2026-56255 Capgo - Denial of Service via Unlimited Demo App Creation

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate...

EUVD-2026-38365

Capgo before 12.128.2 contains a denial of service vulnerability in the POST /app/demo endpoint that allows authenticated users with org write permissions to create unlimited demo applications without rate limiting or quota enforcement. Attackers can repeatedly invoke this endpoint to generate...

CVE-2026-53522

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal...

EUVD-2026-36601

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal...

PT-2026-49003

Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.0.0 through 2.1.x Description The dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: "/api/v1/terminal" which triggers the createTerminal function, and "/api/v1/file" which...

Malicious code in rate-limits-flexible (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f51c182413a9d071e2e2109f7477ff0fb1b05fae4e5e98a46bb53e7d8b2d693b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5627 Malicious code in rate-limits-flexible (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f51c182413a9d071e2e2109f7477ff0fb1b05fae4e5e98a46bb53e7d8b2d693b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious Package

Overview rate-limits-flexible is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Flowise 安全漏洞

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise prior to 3.1.2 contained a security vulnerability. This vulnerability stemmed from the checkBasicAuth endpoint, which validated credentials in plaintext without rate limits,...

Yamcs security vulnerabilities

Yamcs is an open-source software framework developed by Yamcs. It is used for commanding and controlling spacecraft, satellites, payloads, ground stations, and ground equipment. YAMCS has a security vulnerability that stems from the lack of rate limits...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the OCI validator process when upstream rate limits are encountered. An attacker can bypass intended ownership restrictions by exploiting the lack of proper checks during rate-limited conditions. Remediation...

GO-2026-5008 MCP Registry: OCI validator skips ownership check on upstream rate limits in github.com/modelcontextprotocol/registry

MCP Registry: OCI validator skips ownership check on upstream rate limits in github.com/modelcontextprotocol/registry...

PT-2026-42384

MCP Registry: OCI validator skips ownership check on upstream rate limits in github.com/modelcontextprotocol/registry...

MCP Registry: OCI validator skips ownership check on upstream rate limits

OCI ownership validation fails open on upstream rate limits, allowing attacker to claim arbitrary public OCI images under their own namespace Severity: Low re-scored post-triage; see Maintainer triage note below Affected: modelcontextprotocol/registry main branch at commit fe0cb3b current HEAD as...

CVE-2026-43491

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum server registration per node Current code does no bound checking on the number of servers added per node. A malicious client can flood NEWSERVER messages and exhaust memory. Fix this issue by...

Debian dla-4589 : libnginx-mod-http-auth-pam - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4589 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4589-1 [email protected]...

[SECURITY] [DSA 6278-1] nginx security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6278-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 16, 2026 https://www.debian.org/security/faq -...

BIT-NGINX-GATEWAY-2026-40460 NGINX ngx_quic_module vulnerability

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...