CVE-2026-57913

Johnson & Johnson Audit Tracking Management System ATMS before 2026-04-21 allows viewing of meeting minutes and transcripts...

CVE-2026-57913

Johnson & Johnson Audit Tracking Management System ATMS before 2026-04-21 allows viewing of meeting minutes and transcripts...

EUVD-2026-39644

Johnson & Johnson Audit Tracking Management System ATMS before 2026-04-21 allows viewing of meeting minutes and transcripts...

CVE-2026-57913

CVE-2026-57913 affects Johnson & Johnson ATMS (Audit Tracking Management System) prior to 2026-04-21, enabling viewing of meeting minutes and transcripts. The available data do not specify root cause, affected versions beyond the date, or exploitable vectors beyond unauthenticated access indicate...

CVE-2026-57913

Johnson & Johnson Audit Tracking Management System ATMS before 2026-04-21 allows viewing of meeting minutes and transcripts...

CVE-2026-55197

Hermes WebUI before 0.51.443 contains a broken access control vulnerability in the /api/session endpoint that allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directly querying session IDs belonging to other profiles via GET...

CVE-2026-55198 Hermes WebUI < 0.51.443 - Cross-Profile Session Data Exfiltration via Session Export Endpoint

Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The handlesessionexport handler in api/routes.py fails to verify active-profile ownership before serializing session...

CVE-2026-55197 Hermes WebUI < 0.51.443 - Broken Access Control in /api/session Endpoint

Hermes WebUI before 0.51.443 contains a broken access control vulnerability in the /api/session endpoint that allows authenticated users to disclose cross-profile session transcripts. Attackers can bypass profile boundary checks by directly querying session IDs belonging to other profiles via GET...

CVE-2026-55197

Hermes WebUI before 0.51.443 has a broken access control weakness in the /api/session endpoint. Authenticated users can bypass profile boundaries and query session IDs from other profiles via GET /api/session?session_id=&messages=1 to retrieve unauthorized transcripts and metadata. This affects t...

EUVD-2026-36308

Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, or other reserved destinations by supplying...

CVE-2026-47177 Quest Bot: Ticket transcripts can disclose private ticket contents to a lower-visibility channel

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.4, a user who can configure bot settings can set the ticket transcript channel to a channel they can read. When tickets are closed, the bot exports the full ticket history and sends it ...

CVE-2026-47177

Quest Bot: Affects versions before 1.0.4. If a user with config access sets the ticket transcript channel to a channel they can read, closing tickets causes the bot to export the full ticket history to that transcript channel, potentially exposing private messages to users who could not read the ...

PT-2026-48732

Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript content from loopback addresses, link-local addresses, RFC 1918 private ranges, or other reserved destinations by supplying...

CVE-2026-49956

Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to...

CVE-2026-49956 Hermes WebUI < 0.51.269 Profile Isolation Bypass via sessions search

Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to...

PT-2026-47854

Hermes WebUI before version 0.51.269 contains a profile isolation bypass vulnerability that allows authenticated users to access data belonging to other profiles by querying the session search endpoint without active-profile filtering. Attackers can send requests to the sessions search handler to...

CVE-2026-25058

Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa transcription-collector service exposes an internal endpoint GET /internal/transcripts/meetingid that returns transcript data for any meeting without any authentication or...

The Importance of Out-Of-Band Metadata for Safe Autonomous Agents: The Redpanda Agentic Data Plane

AI agents are increasingly expected to operate as digital employees: accessing enterprise data, making decisions, and taking actions autonomously. But agents are simultaneously less predictable than humans -- prone to hallucination, misinterpretation, and adversarial manipulation -- and more...

Malicious code in oh-langfuse (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 83b229927c5bc228764ab11651b10bd06c6ff61edffa820a632c343aeec13037 The package configures Langfuse tracing for Claude Code, Codex, and OpenCode. When the operator runs the bundled CLI without explicitly overriding...

MAL-2026-4375 Malicious code in @citely/mcp-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55faa6dd8d70be846b57b28ce2665a4a6bc1eafa6898f5f4f2cc8b25d96e1358 On startup of the documented entrypoint npx @citely/mcp-server, setupServer unconditionally invokes void runHarvest in dist/index.js. The harvester...