Malicious code in @redhat-cloud-services/tsc-transform-imports (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

27,000-Download Codex UI Tool Secretly Stole OpenAI Refresh Tokens

A malicious Codex UI npm package with 27,000 weekly downloads was caught exfiltrating OpenAI refresh tokens, exposing developers to account takeover risks...

CVE-2026-10163

A vulnerability has been found in Edimax BR-6478AC 1.23. This issue affects the function formUSBAccount of the file /goform/formUSBAccount of the component POST Request Handler. The manipulation of the argument UserName/Password leads to buffer overflow. Remote exploitation of the attack is...

EUVD-2026-33482

A vulnerability has been found in Edimax BR-6478AC 1.23. This issue affects the function formUSBAccount of the file /goform/formUSBAccount of the component POST Request Handler. The manipulation of the argument UserName/Password leads to buffer overflow. Remote exploitation of the attack is...

EUVD-2026-33455

The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated Subscriber+ account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints reacttoevent / unreacttoevent. The endpoints register getitemspermissionschec...

CVE-2026-7459 Simple History – Track, Log, and Audit WordPress Changes <= 5.26.0 - Authenticated (Subscriber+) Account Takeover via Missing Authorization on Event Reaction Endpoint

The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated Subscriber+ account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints reacttoevent / unreacttoevent. The endpoints register getitemspermissionschec...

Exploit for CVE-2026-8732

CVE-2026-8732 — WP Maps Pro ≤ 6.1.0 ♡ Unauthenticated Privil...

PT-2026-45088

Name of the Vulnerable Software and Affected Versions Simple History versions prior to 5.26.1 Description The Simple History plugin for WordPress allows authenticated users with Subscriber-level permissions or higher to take over accounts. The issue exists in the event reaction endpoints...

Malicious Package

Overview axis-abc-search-account is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

CVE-2026-20182

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show...

CVE-2026-45294 FreeScout: User Account Enumeration via Password Reset Response Differentiation

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerat...

CVE-2026-45294

FreeScout (PHP/Laravel) before version 1.8.219 is vulnerable. The password reset endpoint returns visually distinct responses based on whether the submitted email belongs to an existing user, enabling unauthenticated enumeration of valid helpdesk agent email addresses. Root cause: inadequate obfu...

CVE-2026-42951

An authenticated user can download a backup of the Danelec MacGregor Voyage Data Recorder device which includes account data and password hashes...

CVE-2026-40425

The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password...

CVE-2026-49367

CVE-2026-49367 affects JetBrains IntelliJ IDEA prior to 2026.1.1. The issue enables command execution via the guest user account. The available sources in the provided documents describe the vulnerability at a high level (guest-user-triggered command execution) without detailing the exact exploit...

EUVD-2026-33415

In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account...

CVE-2026-49367

In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account...

EUVD-2026-33403

The administrator account for the Danelec MacGregor Voyage Data Recorder web interface can directly edit sensitive files related to authentication, potentially changing the root password...

CVE-2026-44648

CVE-2026-44648 affects SillyTavern where authentication relies on cookie-session, storing session data in a signed client cookie. Prior to version 1.18.0, endpoints POST /api/users/change-password and POST /api/users/recover-step2 only update the password hash and do not expire existing sessions,...

CVE-2026-44648 SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session data user handle,...