EUVD-2026-35193

Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3...

CVE-2026-46484

Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3...

PT-2026-47447

Headplane is a feature-complete Web UI for Headscale. Prior to versions 0.6.3 and 0.7.0-beta.3, Headplane was vulnerable to a path traversal / authorization bypass in the Headscale API client used by node and user rename operations. This issue has been patched in versions 0.6.3 and 0.7.0-beta.3...

@n8n/ai-workflow-builder (>=1.10.0 <=1.20.1), @n8n/backend-common (>=1.19.0 <=1.20.1) +8 more potentially affected by CVE-2026-44792 via @n8n/api-types (>=1.0.0-rc.0 <=1.20.0)

@n8n/api-types NPM version =1.0.0-rc.0, =1.10.0, =1.19.0, =1.0.0, =1.3.0, =1.0.0, =1.19.0, =1.0.0, =2.0.0, =2.19.0, =2.19.0, =2.20.2 Source cves: CVE-2026-44792 Source advisory: SNYK:JS-N8NAPITYPES-16726403...

CVE-2026-44694 n8n-MCP: Authenticated SSRF in n8n-mcp webhook and API client paths

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting the webhook trigger tools, the n8n API client N8NAPIURL, a...

CVE-2026-44694 n8n-MCP: Authenticated SSRF in n8n-mcp webhook and API client paths

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. From version 2.18.7 to before version 2.50.2, there is an authenticated server-side request forgery vulnerability affecting the webhook trigger tools, the n8n API client N8NAPIURL, a...

NPM: n8n-mcp webhook and API client paths has an authenticated SSRF

NPM: n8n-mcp webhook and API client paths has an authenticated SSRF vulnerability discovered by ? in WordPress Npm n8n-mcp versions = 2.18.7, 2.50.2...

EUVD-2026-28825

n8n-mcp webhook and API client paths has an authenticated SSRF...

n8n-mcp webhook and API client paths has an authenticated SSRF

Summary Authenticated Server-Side Request Forgery affecting the webhook trigger tools, the n8n API client N8NAPIURL, and per-request URLs supplied via the x-n8n-url header in multi-tenant HTTP mode. Impact A caller with access to the MCP session can drive HTTP requests from the n8n-mcp host to...

com.akamai.edgegrid:edgegrid-signer-async-http-client (>=6.0.1 <=6.0.3-rc.1), com.arpnetworking.metrics:mad-experimental (>=1.2.4 <=1.2.11) +66 more potentially affected by CVE-2026-40490 via org.asynchttpclient:async-http-client (>=3.0.0.Beta1 <=3.0.7)

org.asynchttpclient:async-http-client MAVEN version =3.0.0.Beta1, =6.0.1, =1.2.4, =1.22.5, =1.13.8, =1.1.0, =0.4.8, =0.4.8, =0.4.8, =1.17.0, =1.17.0, =1.17.0, =0.5.0, =2.7.3, =218.0.0, =14.5.0, =16.0.0 and more Source cves: CVE-2026-40490 Source advisory: OSV:GHSA-CMXV-58FP-FM3G...

Malicious code in stats-api-js-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a84f9d7eef71d2b99a244ec63f5144ad80a0084e6c20fc903a1bbce208ad9777 The package stats-api-js-client was found to contain malicious code. Source: ghsa-malware...

Sonicverse 代码问题漏洞

Sonicverse is an open-source, hosted real-time radio audio streaming solution developed by Sonicverse. There are code-related vulnerabilities in Sonicverse; these vulnerabilities stem from the API client accepting user-controlled URLs with insufficient validation. This could allow authenticated...

User Impersonation

Overview @n8n/rest-api-client is a This package contains the REST API calls for n8n. Affected versions of this package are vulnerable to User Impersonation in the account linking when LDAP authentication is enabled. An attacker can gain unauthorized access to another user's account, including...

MAL-2026-1424 Malicious code in @3stripes/api-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1644f08d12a97a4daeeca3e4195d91585bdbe1a8c2085fa918a92427cf1ee99f The package @3stripes/api-client was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in @3stripes/api-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1644f08d12a97a4daeeca3e4195d91585bdbe1a8c2085fa918a92427cf1ee99f The package @3stripes/api-client was found to contain malicious code. Source: ossf-package-analysis...

RustDesk 安全漏洞

RustDesk is a remote access and control software developed by RustDesk personal developers. It is primarily written in Rust and can be used to maintain computers and other devices remotely. Versions of RustDesk 1.4.5 and earlier contain security vulnerabilities. These vulnerabilities stem from...

[SECURITY] Fedora 42 Update: rust-app-store-connect-0.5.0-6.fc42

Apple App Store Connect API and client...

Malicious Package

Overview lumo-api-client is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious code in lumo-api-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ab5d24591ceb311425ae395bd2b1bf7f82818bd6c7946d669a19c619462fd755 The package lumo-api-client was found to contain malicious code. Source: ghsa-malware da916419989a0707bcaa3fc59ba24e3ef90e2ec5df35aa6cc1e81f8d3cb82c6...

EUVD-2026-3711

Malicious code in lumo-api-client npm...