CVE (added 2026/04/30 8:57 p.m., 9 views)

CVE-2026-4502

CVE-2026-4502 affects Langflow OSS Desktop and Langflow v2 API: authenticated attackers can exploit path traversal via /../ in multipart uploads to write arbitrary files and potentially achieve remote code execution. In IBM bulletins, Langflow OSS versions 1.2.0–1.8.4 are vulnerable through the f...

CVSS 6.5, AI score 5.5, EPSS 0.00275
Exploits 0, References 1, Affected Software 1
Vulnrichment (added 2026/04/30 8:57 p.m., 4 views)

CVE-2026-4502 Arbitrary File Write and Remote Code Execution Vulnerability in Langflow v2 API

IBM Langflow Desktop 1.2.0 through 1.8.4 Langflow could allow an authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences /../ to write arbitrary files on the system...

CVSS 6.5, AI score 5.9, EPSS 0.00275
Exploits 0, References 1
Cvelist (added 2026/04/30 8:57 p.m., 27 views)

CVE-2026-4502 Arbitrary File Write and Remote Code Execution Vulnerability in Langflow v2 API

IBM Langflow Desktop 1.2.0 through 1.8.4 Langflow could allow an authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences /../ to write arbitrary files on the system...

CVSS 6.5, EPSS 0.00275
Exploits 0, References 1
RedhatCVE (added 2026/04/30 8:48 p.m., 6 views)

CVE-2026-6911

Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the...

CVSS 9.8, AI score 5.4, EPSS 0.00254
Exploits 0, References 1
RedhatCVE (added 2026/04/30 8:48 p.m., 2 views)

CVE-2026-6706

Improper access control in the vault documentation feature in Devolutions Server allows an authenticated attacker to read documentation content from unauthorized vaults via a crafted API request. This issue affects Server: from 2026.1.6.0 through 2026.1.14.0, through 2025.3.18.0...

CVSS 6.5, AI score 5.2, EPSS 0.00201
Exploits 0, References 1
Cvelist (added 2026/04/30 6:22 p.m., 26 views)

CVE-2026-40601 Chartbrew: Missing Authorization in /api/chart/:chart_id/query via team-level refresh toggle

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chartid/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the...

CVSS 7.5, EPSS 0.00326
Exploits 0, References 2
EUVD (added 2026/04/30 6:22 p.m., 5 views)

EUVD-2026-26409

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chartid/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the...

CVSS 7.5, AI score 5.4, EPSS 0.00326
Exploits 0, References 2
ATTACKERKB (added 2026/04/30 6:22 p.m., 4 views)

CVE-2026-40601

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chartid/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the...

CVSS 7.5, AI score 5.3, EPSS 0.00326
Exploits 0, References 3
Github Security Blog (added 2026/04/30 5:28 p.m., 9 views)

Weblate Doesn't Invalidate API Token on Password Change

Impact When a user changes their password, browser sessions are correctly invalidated via cyclesessionkeys, but DRF API tokens wlu prefix stored in authtokentoken are not revoked. Patches https://github.com/WeblateOrg/weblate/pull/19057 Resources Weblate thanks Sang Yu Jeon for reporting this via...

CVSS 5.4, AI score 5.2, EPSS 0.00228
Exploits 0, References 6, Affected Software 1
Cvelist (added 2026/04/30 2:53 p.m., 30 views)

CVE-2026-7500 Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled gate...

CVSS 5.4, EPSS 0.00178
Exploits 0, References 4
RedhatCVE (added 2026/04/30 2:47 p.m., 12 views)

CVE-2026-7306

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument defaulttok...

CVSS 6.3, AI score 5.1, EPSS 0.00327
Exploits 0, References 1
RedhatCVE (added 2026/04/30 2:46 p.m., 4 views)

CVE-2026-7500

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled gate...

CVSS 5.4, AI score 5.4, EPSS 0.00178
Exploits 0, References 3
GithubExploit (added 2026/04/30 10:22 a.m., 83 views)

Exploit for CVE-2026-31431

CVE-2026-31431 LPE PoC Rust Implementation This project is...

CVSS 7.8, AI score 5.7, EPSS 0.94016
Exploits 227
GithubExploit (added 2026/04/30 7:09 a.m., 121 views)

Exploit for CVE-2026-31431

Author: 0xShe Language / 语言 - English: https://github.com/0xSh...

CVSS 7.8, AI score 6.2, EPSS 0.94016
Exploits 227
GithubExploit (added 2026/04/30 7:03 a.m., 80 views)

pentest-web-plugin

Pentest-Web – Claude Code Website Penetration Testing Plugin...

AI score 6
Exploits 0
RedHat Linux (added 2026/04/30 6:52 a.m., 4 views)

Important: Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.10.2

Assisted installer RHEL 9 components for the multicluster engine for Kubernetes 2.10.2 General Availability release, with updates to container images. Assisted Installer RHEL 9 integrates components for the general multicluster engine for Kubernetes 2.10.2 release that simplify the process of...

CVSS 9.1, AI score 6.9, EPSS 0.00522
Exploits 1, References 4
GithubExploit (added 2026/04/30 5:17 a.m., 115 views)

Exploit for CVE-2026-41940

cPanel/WHM Auth Bypass Scanner & Exploit Tool A Go command-li...

CVSS 9.8, AI score 6.3, EPSS 0.90543
Exploits 62
Fedora (added 2026/04/30 1:21 a.m., 4 views)

[SECURITY] Fedora 43 Update: binaryen-126-1.fc43

Binaryen is a compiler and toolchain infrastructure library for WebAssembly, written in C++. It aims to make compiling to WebAssembly easy, fast, and effective: Easy: Binaryen has a simple C API in a single header, and can also be used from JavaScript. It accepts input in WebAssembly-like form bu...

CVSS 7.1, AI score 5.5, EPSS 0.00181
Exploits 1
Vulnrichment (added 2026/04/30 1:00 a.m., 1 view)

CVE-2026-7468 1024-lab smart-admin Demo Site index.html access control

A security vulnerability has been detected in 1024-lab smart-admin up to 3.30.0. This affects an unknown function of the file /smart-admin-api/druid/index.html of the component Demo Site. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has bee...

CVSS 7.5, AI score 6.9, EPSS 0.00356
Exploits 0, References 5
OSSF Malicious Packages (added 2026/04/30 12:02 a.m., 5 views)

Malicious code in robase-dnb (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 24da23c2c626baf8f3c35e8c5000506cdadb4d8129d0e4350b262a0e3922d8c7 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

AI score 5.7
Exploits 0, References 9