32101 matches found
CVE-2026-53450
The CVE-2026-53450 entry affects Coturn (TURN/STUN server). A defect in prior releases (
CVE-2026-53450 Coturn: IPv4-mapped 127.0.0.1 bypasses default loopback peer protection
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, but the default loopback guard can be bypassed by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 in a TURN...
CVE-2026-49866
creationtimestamp| type| source ---|---|--- 2026-07-10 16:41:48+00:00| seen| https://gist.github.com/alon710/9eaabfe8d7f17c883b344ecc760d4947 2026-07-10 18:35:05+00:00| published-proof-of-concept| https://github.com/libp2p/js-libp2p/security/advisories/GHSA-cwc9-cp4j-mcvv...
Malicious code in stella-ai-cli (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 936d3c8bc6611b58f5321ba5aab651bb3d2db821d172816283ca04633be00863 The stella CLI shipped in bin/stella.js prompts users for their phone number and the WhatsApp verification code and POSTs both to a hardcoded bare-IP...
MAL-2026-10133 Malicious code in stella-ai-cli (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 936d3c8bc6611b58f5321ba5aab651bb3d2db821d172816283ca04633be00863 The stella CLI shipped in bin/stella.js prompts users for their phone number and the WhatsApp verification code and POSTs both to a hardcoded bare-IP...
CVE-2026-38059
The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID DID, Terminal Private Key identifier TPK, MAC address, and exact firmwa...
EUVD-2026-42908
The iDirect iQ200 exposes the /api/identity and /api/ REST API endpoints without authentication. An unauthenticated attacker with network access can retrieve sensitive device information including the serial number, Device ID DID, Terminal Private Key identifier TPK, MAC address, and exact firmwa...
CVE-2026-38059
The CVE-2026-38059 entry concerns iDirect iQ200 devices where the /api/identity and /api/ REST endpoints are exposed without authentication. An unauthenticated attacker with network access can retrieve sensitive device data including serial number, Device ID (DID), Terminal Private Key (TPK) iden...
CVE-2026-29519 Lucee CFML Server Reflected XSS via URL Path Parsing
Lucee CFML Server versions across the 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines contain a reflected cross-site scripting vulnerability in URL path parsing that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by embedding HTML or JavaScript payloads...
CVE-2026-60091 PraisonAI before 4.6.78 Unauthenticated SSRF via webhook_url
PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhookurl parameter is validated at request time but re-resolved at connection time, allowing attackers to use DNS rebinding to reach internal services with a...
Improper Input Validation
github.com/coder/coder is vulnerable to Improper Input Validation. The vulnerability is due to insufficient validation of the scheme and host in external workspace application URLs before substituting the $SESSIONTOKEN placeholder, which allows an attacker controlling a malicious workspace templa...
EUVD-2026-42830
The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator emai...
CVE-2026-12685
The CVE describes a backdoor in the EscortWP escortwp WordPress theme up to version 3.6.2. The backdoor is vendor-authored and obfuscated, allowing an unauthenticated attacker who supplies a hard-coded per-build key to permanently delete all site content. It also covertly transmits the site URL, ...
CVE-2026-12685 EscortWP <= 3.6.2 - Content Deletion via Vendor-Authored Backdoor
The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator emai...
EUVD-2026-34013
Tesla vulnerable to atom exhaustion via untrusted URL scheme...
CVE-2026-59831
GitHub CLI gh is GitHub’s official command line tool. From 2.10.0 through 2.95.0, connecting to a malicious Codespace with gh codespace jupyter can allow command execution because the command opens a JupyterLab URL supplied by a process inside the Codespace without validating that it is a loopbac...
CVE-2026-33655
New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/blo...
MAL-2026-10104 Malicious code in px8my (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c972c885927d861e92a964b7ab752e5e91ae2731092a51b08a64fbf97f015cdf The package's main entry px.js is a browser-only script that creates a full-viewport iframe pointing at the hardcoded external URL...
CVE-2026-33655
The CVE-2026-33655 issue affects New API prior to version 0.12.0-alpha.1 where SSRF protection did not apply IP filtering to hostnames by default due to ApplyIPFilterForDomain being disabled. Authenticated users could configure notification URLs (Webhook, Bark, Gotify) that resolve to internal or...
CVE-2026-59831 GitHub CLI `gh codespace jupyter` could allow remote code execution when connecting to a malicious Codespace
GitHub CLI gh is GitHub’s official command line tool. From 2.10.0 through 2.95.0, connecting to a malicious Codespace with gh codespace jupyter can allow command execution because the command opens a JupyterLab URL supplied by a process inside the Codespace without validating that it is a loopbac...