Vulnrichment
added 2026/04/30 1:00 a.m. | 1 view

CVE-2026-7468 1024-lab smart-admin Demo Site index.html access control

A security vulnerability has been detected in 1024-lab smart-admin up to 3.30.0. This affects an unknown function of the file /smart-admin-api/druid/index.html of the component Demo Site. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has bee...

CVSS 7.5 | AI score 6.9 | EPSS 0.00356
Exploits 0 | References 5

OSSF Malicious Packages
added 2026/04/30 12:02 a.m. | 5 views

Malicious code in robase-dnb (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 24da23c2c626baf8f3c35e8c5000506cdadb4d8129d0e4350b262a0e3922d8c7 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

AI score 5.7
Exploits 0 | References 9

CNNVD
added 2026/04/30 12:00 a.m. | 8 views

Keycloak security vulnerability

Keycloak is an open-source identity and access management solution developed by Keycloak itself. Keycloak has a security vulnerability, which stems from the fact that the Account REST API is only partially disabled. Five endpoints remain fully functional, and there is no gatekeeper for...

CVSS 5.4 | AI score 5.8 | EPSS 0.00178
Exploits 0 | References 1

Positive Technologies
added 2026/04/30 12:00 a.m. | 3 views

PT-2026-36099

Name of the Vulnerable Software and Affected Versions Otter Blocks versions prior to 3.1.5 Description The plugin is subject to a purchase verification bypass. The get customer data method relies on an unsigned o stripe data cookie to determine product ownership for unauthenticated users...

CVSS 7.5 | AI score 5.8 | EPSS 0.0032
Exploits 0 | References 9

EUVD
added 2026/04/30 12:00 a.m. | 3 views

EUVD-2026-26380

U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthoriz...

CVSS 7.5 | AI score 5.3 | EPSS 0.00368
Exploits 1 | References 2

Cvelist
added 2026/04/30 12:00 a.m. | 28 views

CVE-2026-36959

U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthoriz...

EPSS 0.00368
Exploits 1 | References 2

Vulnrichment
added 2026/04/30 12:00 a.m. | 2 views

CVE-2026-36956

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An...

AI score 5.5 | EPSS 0.00171
Exploits 1 | References 2

Vulnrichment
added 2026/04/30 12:00 a.m. | 1 view

CVE-2026-36960

A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Router V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft ...

AI score 5.4 | EPSS 0.00183
Exploits 0 | References 2

Positive Technologies
added 2026/04/30 12:00 a.m. | 8 views

PT-2026-36175

Name of the Vulnerable Software and Affected Versions Secure Access Windows client versions prior to 14.50 Description An arbitrary read/write issue exists where attackers with local control of the Windows client can send malformed data to an API to elevate their privileges to system level...

CVSS 8.5 | AI score 5.9 | EPSS 0.00104
Exploits 0 | References 5

Positive Technologies
added 2026/04/30 12:00 a.m. | 12 views

PT-2026-36097

Name of the Vulnerable Software and Affected Versions Multicluster Engine affected versions not specified Red Hat Advanced Cluster Management affected versions not specified Description A flaw in the assisted-service REST API, an optional Assisted Installer component in the Multicluster Engine,...

CVSS 6.1 | AI score 5.8 | EPSS 0.00158
Exploits 0 | References 11

Tenable Nessus
added 2026/04/30 12:00 a.m. | 9 views

RHEL 6 : python-urllib3 (RHSA-2026:11722)

The remote Red Hat Enterprise Linux 6 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:11722 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic da...

CVSS 8.9 | AI score 6.7 | EPSS 0.00533
Exploits 0 | References 4

OSSF Malicious Packages
added 2026/04/29 11:24 p.m. | 10 views

Malicious code in rblx-https (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4b7d7435a6bcfd1a9437108a21af9ca6be7c60aa1e0c6e9e90a40ac43b26cf67 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

AI score 5.7
Exploits 0 | References 9

OSV
added 2026/04/29 11:24 p.m. | 2 views

MAL-2026-3191 Malicious code in rblx-https (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4b7d7435a6bcfd1a9437108a21af9ca6be7c60aa1e0c6e9e90a40ac43b26cf67 During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

AI score 5.8
Exploits 0 | References 9

OSV
added 2026/04/29 10:19 p.m. | 5 views

GHSA-JGVC-94C8-3CHC pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber

Impact: OGC API - Processes execution requests can use the subscriber object to make requests to internal HTTP services. Patches: The issue has been patched in the master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default unless...

CVSS 8.6 | AI score 5.8 | EPSS 0.00454
Exploits 0 | References 5

Github Security Blog
added 2026/04/29 10:19 p.m. | 4 views

pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber

Impact: OGC API - Processes execution requests can use the subscriber object to make requests to internal HTTP services. Patches: The issue has been patched in the master branch and made available as part of the 0.23.3 release. The patch disables any HTTP requests made to internal resources by default unless...

CVSS 8.6 | AI score 5.5 | EPSS 0.00454
Exploits 0 | References 5 | Affected Software 1

OSV
added 2026/04/29 9:22 p.m. | 4 views

GHSA-R4V6-9FQC-W5JR n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay

Impact: The dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and u...

CVSS 8.5 | AI score 5.9 | EPSS 0.0025
Exploits 0 | References 3

Github Security Blog
added 2026/04/29 9:22 p.m. | 13 views

n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay

Impact: The dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and u...

CVSS 7.5 | AI score 5.7 | EPSS 0.0025
Exploits 0 | References 3 | Affected Software 1

Github Security Blog
added 2026/04/29 9:21 p.m. | 10 views

n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure

Impact: An authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing...

CVSS 6.5 | AI score 5.7 | EPSS 0.00203
Exploits 0 | References 3 | Affected Software 1

GithubExploit
added 2026/04/29 9:08 p.m. | 62 views

Exploit for CVE-2026-31431

Copy Fail CVE-2026-31431 – Exploit Usage Guide ⚠️ Discla...

CVSS 7.8 | AI score 5.5 | EPSS 0.94016
Exploits 227

NVD
added 2026/04/29 7:16 p.m. | 2 views

CVE-2026-7466

AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipelinepath parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to...

CVSS 8.8 | EPSS 0.00343
Exploits 0 | References 3