Malicious code in rblx-api (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 be690c2f32ad941003f8733406643848380c3918af421fa56c8ec0802b9c261d During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

GHSA-W7CF-2PMC-5M4C Apache Airflow exposes SQL stack trace despite "api/expose_stack_traces" set to false

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/exposestacktraces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue...

[Webinar] Eliminate Ghost Identities Before They Expose Your Enterprise Data

In 2024, compromised service accounts and forgotten API keys were behind 68% of cloud breaches. Not phishing. Not weak passwords. Unmanaged non-human identities that nobody was watching. For every employee in your org, there are 40 to 50 automated credentials: service accounts, API tokens, AI age...

CVE-2026-30912

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/exposestacktraces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue...

PYSEC-2026-18

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/exposestacktraces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue...

CVE-2026-30912

CVE-2026-30912 concerns Apache Airflow where SQL errors expose exception and stack trace information in the API despite the setting api/expose_stack_traces being disabled. This behavior can leak sensitive information to an attacker. The connected sources consistently indicate the issue affects Ai...

CVE-2026-30912 Apache Airflow: Exposing stack trace in case of constraint error

In case of SQL errors, exception/stack trace of errors was exposed in API even if "api/exposestacktraces" was set to false. That could lead to exposing additional information to potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue...

EUVD-2026-23577

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/eaappointments/ REST API endpoint. This is due to the endpoint being registered with 'permissioncallback' = 'returntrue', which...

PT-2026-37109

Name of the Vulnerable Software and Affected Versions YesWiki versions prior to 4.6.1 Description The bazar module contains a SQL injection flaw in the tools/bazar/services/EntryManager.php file. The issue occurs because the id fiche value, sourced from the $ POST'id fiche' variable, is...

CVE-2026-2262 Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/eaappointments/ REST API endpoint. This is due to the endpoint being registered with 'permissioncallback' = 'returntrue', which...

CVE-2026-2262 Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/eaappointments/ REST API endpoint. This is due to the endpoint being registered with 'permissioncallback' = 'returntrue', which...

CVE-2026-40582 ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication...

CVE-2026-40486

Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint PATCH /api/users/id/preferences applies submitted preference values without checking the isEnabled flag on preference objects. Although the hourlyrate and internalrate fields are...

CVE-2026-40480 ChurchCRM has Missing Object-Level Authorization / IDOR in `/api/person/{personId}`

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the GET /api/person/personId endpoint loads and returns person records without performing object-level authorization checks. Although the legacy PersonView.php page enforces canEditPerson restrictions, the API layer...

CVE-2026-40486

Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint PATCH /api/users/id/preferences applies submitted preference values without checking the isEnabled flag on preference objects. Although the hourlyrate and internalrate fields are...

Kimai: Username enumeration via timing on X-AUTH-USER

Details src/API/Authentication/TokenAuthenticator.php calls loadUserByIdentifier first and only invokes the password hasher argon2id when a user is returned. When the username does not exist, the request returns roughly 25 ms faster than when it does. The response body is the same in both cases...

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the service invocation access control process. An attacker can bypass access control policies and invoke unauthorized methods by submitting specially crafted method paths containing encoded path traversal...

Dapr: Service Invocation path traversal ACL bypass

Summary A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path...

CVE-2026-40258

The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability Zip Slip in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with...

GHSA-5FW2-MWHH-9947 Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials

Summary The text-to-speech generation endpoint POST /api/v1/text-to-speech/generate is whitelisted no auth and accepts a credentialId directly in the request body. When called without a chatflowId, the endpoint uses the provided credentialId to decrypt the stored credential e.g., OpenAI or...