EUVD-2026-31861
Bugsink: Issue event views can show an event from another project if its UUID is known...
CVE-2026-46401

creationtimestamp | type | source
---|---|---
2026-06-05 21:03:38+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnkzzec5z52k...

CVE-2026-11414

creationtimestamp | type | source
---|---|---
2026-06-05 21:00:38+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnkztxyif42t
2026-06-06 10:30:27+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116702696330101939
2026-06-06 10:30:29+00:00 | seen | ...

CVE-2026-11419

creationtimestamp | type | source
---|---|---
2026-06-05 20:50:55+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnkzcm7lbt24
2026-06-06 04:30:29+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3mnlsyefnvw23
2026-06-06 04:30:42+00:00 | seen | ...

CVE-2026-25621

creationtimestamp | type | source
---|---|---
2026-06-05 20:47:01+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnkz3nk4lf2l...

CVE-2026-25622

creationtimestamp | type | source
---|---|---
2026-06-05 20:41:59+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnkysnfjio2u...

CVE-2025-62319

creationtimestamp | type | source
---|---|---
2026-06-05 20:37:37+00:00 | seen | https://bsky.app/profile/cyberhub.blog/post/3mnkyjvtcie22...

Malicious Package
Overview: cookie-parser-legacy is a malicious package. This package contains malicious code that uses another malicious package, moustick (Snyk Advisory), as a dependency to fetch a remote payload from the attacker-controlled URL https://www.jsonkeeper.com/b/MYUKZ. The payload is designed to extract...
CVE-2026-45748

creationtimestamp | type | source
---|---|---
2026-06-05 19:51:33+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnkvyhgz6d2h
2026-06-05 21:01:21+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mnkzv7od4t25
2026-06-08 16:37:06+00:00 | seen | ...

CVE-2026-7150
A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generatefaviconfromurl of the file src/autofavicon/server.py of the component MCP Tool. The manipulation of the argument imageurl results in server-side request forgery...
CVE-2026-7085
A vulnerability was determined in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp Endpoint. This manipulation of the argument url causes path traversal. It is possible to initiate the...
CVE-2026-34476
Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP. This issue affects Apache SkyWalking MCP: 0.1.0. Users are recommended to upgrade to version 0.2.0, which fixes this issue...
CVE-2026-34685
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier NEEDS REVIEW: impact mismatch — ticket says 'Arbitrary file system write', CIA triad derives 'Security Feature Bypass'. Verify CVSS vector before publishing. are affected by an Improper Input...
CVE-2026-30346
An open redirect in the /api/google/authorize endpoint of hunvreus DevPush v0.3.2 allows attackers to redirect users to malicious sites via supplying a crafted URL...
CVE-2026-49328
Server-Side Request Forgery (SSRF) in the UrlImageConverter component of Apache Fesod (Incubating) fesod-sheet before 2.0.2-incubating allows attackers to cause outbound network requests to internal or otherwise restricted resources via a user-supplied image URL. Users are recommended to upgrade to...
CVE-2026-10690
A vulnerability was identified in wonderwhy-er DesktopCommanderMCP 0.2.37. This affects the function readFileFromUrl of the file src/tools/filesystem.ts of the component readfile. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote...
CVE-2026-10661
A vulnerability has been found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. Impacted is the function Open of the file src/blendermcp/server.py. The manipulation of the argument inputimageurl leads to injection. Remote exploitation of the attack is possible. The exploit...
CVE-2026-6618
A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parseopenaipluginjsontotoolbundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The...
CVE-2026-33659
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding TOCTOU condition. Host validation uses dns_get_record but the actual HTTP...
CVE-2026-42525
Jenkins Microsoft Entra ID (previously Azure AD) Plugin 666.v6060de32f87d and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks...