CVE-2026-8477

Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue...

CVE-2026-9224

Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : Devolutions Server 2026.1.6.0 through 2026.1.16.0 Devolutions Server 2025.3.20.0 and...

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server from 2026.1.6.0 to 2026.1.16.0, as well as versions prior to 2025.3.20.0, have security...

PT-2026-42790

Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : Devolutions Server 2026.1.6.0 through 2026.1.16.0 Devolutions Server 2025.3.20.0 and...

CVE-2026-6341

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

CVE-2026-6341

Mattermost advisories describe a vulnerability in Mattermost Plugins affecting versions

CVE-2026-6341 Incomplete group locking implementation

Mattermost Plugins versions =11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID:...

EUVD-2026-27847

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability ...

CVE-2026-20034

Cisco Unity Connection’s web-based management interface is affected by a vulnerability where insufficient validation of user-supplied input enables an authenticated attacker, with valid credentials, to submit a crafted API request and execute arbitrary code as root. The impact is potentially comp...

EUVD-2026-23849

Information exposure vulnerability has been identified in Apache Kafka. The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By default, the log level is set to INFO level. If the DEBUG level is enabled, the sensitive information wi...

CVE-2026-3524

Mattermost Plugin Legal Hold versions =1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID:...

CVE-2026-5708

Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio RES prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with...

EUVD-2026-19231

Mattermost Plugin Legal Hold versions =1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID:...

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the task comments process. An attacker can access unauthorized comment data by manipulating identifiers in API requests. Remediation Upgrade code.vikunja.io/api/pkg/models to version...

CVE-2026-3638

Improper access control in user and role restore API endpoints in Devolutions Server 2025.3.11.0 and earlier allows a low-privileged authenticated user to restore deleted users and roles via crafted API requests...

CVE-2025-14573

Mattermost versions 10.11.x = 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...

PT-2026-8360

Name of the Vulnerable Software and Affected Versions SmarterTools SmarterMail versions prior to 9526 Description SmarterTools SmarterMail is susceptible to a cross-site scripting XSS issue through MAPI requests. The issue allows for the injection of malicious scripts via crafted MAPI requests...

MAL-2026-641 Malicious code in connections-api-requests (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5d9023bd1b2434b0519e9f26fe6d776297700ef0d80c05ba50ead13c6e3d61bb Importing the module downloads and starts remote executable identified as malware --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

Malicious code in connections-api-requests (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5d9023bd1b2434b0519e9f26fe6d776297700ef0d80c05ba50ead13c6e3d61bb Importing the module downloads and starts remote executable identified as malware --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

MAL-2026-639 Malicious code in connection-api-requests (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1e1edf0790733aa25ad085b523a095b1ee4abee84eca696bbcaf1682cca2c2ad Importing the module downloads and starts remote executable identified as malware --- Category: MALICIOUS - The campaign has clearly malicious intent, like...