Lucene search

57124 matches found

Positive Technologies
added 2026/04/13 12:00 a.m., 3 views

PT-2026-32432

Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be...

CVSS 7.7, AI score 5.8, EPSS 0.00282
Exploits 0, References 3
Packet Storm
added 2026/04/13 12:00 a.m., 81 views

FacturaScripts SQL Injection

FacturaScripts versions prior to 2025.81 suffer from a remote SQL injection vulnerability in the API ORDER BY clause. CVE-2026-25513: FacturaScripts has SQL Injection in API ORDER BY Clause. Overview: CVE ID CVE-2026-25513; Severity HIGH; Advisory View...

CVSS 8.8, AI score 6.2, EPSS 0.00473
Exploits 3
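The FacturaScripts entry above names the bug class (caller-controlled sort parameters concatenated into an ORDER BY clause) but not how it is abused or fixed. The block below is an added illustration written for this page, not FacturaScripts code: the `invoices` and `users` tables, the rows and the `secret-hash` password value are constructed sample data, and `sqlite3` stands in for the application's database. It shows why an ORDER BY injection is dangerous even when the driver refuses stacked queries (the attacker leaks data one character at a time through the sort order alone) and the only sound fix, an identifier allow-list, since bound parameters cannot name a column.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows (not FacturaScripts' real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, nick TEXT, password TEXT);
        INSERT INTO invoices VALUES (1, 'acme', 100.0), (2, 'globex', 50.0), (3, 'initech', 75.0);
        INSERT INTO users VALUES (1, 'admin', 'secret-hash');
        """
    )
    return conn


def list_invoices_vulnerable(conn, sort_field, sort_dir):
    """The bug class from the advisory: request parameters pasted into ORDER BY."""
    sql = "SELECT id FROM invoices ORDER BY %s %s" % (sort_field, sort_dir)
    return [row[0] for row in conn.execute(sql)]


def leak_char_via_order_by(conn, position, alphabet="abcdefghijklmnopqrstuvwxyz-"):
    """Blind extraction through the sort order alone: no error messages and no
    stacked queries are needed. The payload sorts by id when the guessed
    character matches and by -id otherwise, so the order of the returned ids
    tells the attacker one character of the admin password per alphabet scan."""
    for guess in alphabet:
        payload = (
            "(CASE WHEN (SELECT substr(password, %d, 1) FROM users WHERE nick = 'admin') = '%s' "
            "THEN id ELSE -id END)" % (position, guess)
        )
        if list_invoices_vulnerable(conn, payload, "ASC") == [1, 2, 3]:
            return guess
    return None


# Allow-list mapping API parameter names to fixed SQL identifiers. Bound
# parameters cannot be used here (a bound value inside ORDER BY is a constant,
# not a column reference), so mapping input onto known identifiers is the fix.
SORTABLE_COLUMNS = {"id": "id", "customer": "customer", "total": "total"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_invoices_hardened(conn, sort_field, sort_dir):
    """Same query, but only allow-listed identifiers ever reach the SQL text."""
    try:
        column = SORTABLE_COLUMNS[sort_field.lower()]
        direction = SORT_DIRECTIONS[sort_dir.lower()]
    except KeyError:
        raise ValueError("unsupported sort parameter") from None
    sql = "SELECT id FROM invoices ORDER BY %s %s" % (column, direction)
    return [row[0] for row in conn.execute(sql)]


def hardened_rejects(conn, sort_field, sort_dir):
    """True when the hardened endpoint refuses the given sort parameters."""
    try:
        list_invoices_hardened(conn, sort_field, sort_dir)
    except ValueError:
        return True
    return False
```

Running `leak_char_via_order_by(make_db(), 1)` returns `"s"`, the first character of the constructed password, using nothing but the order of the three invoice ids; the hardened variant raises `ValueError` for that payload and for anything else not in the allow-list, while still honouring case-insensitive legitimate values such as `Customer`/`ASC`.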
Positive Technologies
added 2026/04/13 12:00 a.m., 3 views

PT-2026-32408

Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be...

CVSS 7.7, AI score 5.8, EPSS 0.00282
Exploits 0, References 3
Packet Storm News
added 2026/04/13 12:00 a.m., 3 views

WPProbe Plugin Enumeration Tool 0.11.8

A fast WordPress plugin and theme scanner that detects installed plugins via REST API enumeration and themes from HTML discovery, then maps them to known vulnerabilities. Over 5,000 plugins detectable without brute-force, thousands more with it...

AI score 5.8
Exploits 0
Positive Technologies
added 2026/04/13 12:00 a.m., 4 views

PT-2026-32328

Deserialization of Untrusted Data vulnerability in Apache Storm. Versions affected: before 2.8.6. Description: when processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject without any class filtering or...

AI score 6.4, EPSS 0.01011
Exploits 0, References 3
Tenable Nessus
added 2026/04/13 12:00 a.m., 0 views

Ubuntu Pro Realtime 22.04 LTS : Linux kernel (Intel IoTG Real-time) vulnerabilities (USN-8164-1)

The remote Ubuntu Pro Realtime 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8164-1 advisory. Qualys discovered that several vulnerabilities existed in the AppArmor Linux kernel Security Module (LSM). An unprivileged local attacker coul...

CVSS 7.8, AI score 6.9, EPSS 0.00236
Exploits 5, References 16
OSSF Malicious Packages
added 2026/04/12 9:39 p.m., 3 views

Malicious code in bloxy-api (PyPI)

Source: kam193 (943946978741dfa911109b549544e9c3fc70eb20bd14505039ea3d0f52625d77). During installation the package downloads and runs a malicious executable. Likely a continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

AI score 6
Exploits 0, References 9
OSV
added 2026/04/12 9:39 p.m., 3 views

MAL-2026-2569 Malicious code in bloxy-api (PyPI)

Source: kam193 (943946978741dfa911109b549544e9c3fc70eb20bd14505039ea3d0f52625d77). During installation the package downloads and runs a malicious executable. Likely a continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

AI score 6
Exploits 0, References 9
Fedora
added 2026/04/12 3:53 p.m., 6 views

[SECURITY] Fedora 42 Update: libmicrohttpd-1.0.3-1.fc42

GNU libmicrohttpd is a small C library that is supposed to make it easy to run an HTTP server as part of another application. Key features that distinguish libmicrohttpd from other projects are: C library, fast and small; API is simple, expressive and fully reentrant; implementation is HTTP 1.1...

CVSS 8.7, AI score 5.8, EPSS 0.00374
Exploits 0
EUVD
added 2026/04/12 6:30 a.m., 7 views

EUVD-2026-21715

A vulnerability was identified in AstrBotDevs AstrBot up to 4.22.1. The affected element is the function postdata.get of the component API Endpoint. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used...

CVSS 6.5, AI score 5.4, EPSS 0.00257
Exploits 0, References 6
NVD
added 2026/04/12 6:16 a.m., 4 views

CVE-2026-6119

A vulnerability was identified in AstrBotDevs AstrBot up to 4.22.1. The affected element is the function postdata.get of the component API Endpoint. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used...

CVSS 6.5, EPSS 0.00257
Exploits 0, References 5
Snyk
added 2026/04/12 6:03 a.m., 6 views

Server-side Request Forgery (SSRF)

Overview: AstrBot is an easy-to-use multi-platform LLM chatbot and development framework. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the postdata.get function of the API Endpoint component. An attacker can access internal resources or perform unauthorized requests by sending crafted requests to...

CVSS 7.7, AI score 6.6, EPSS 0.00257
Exploits 0, References 2
OSV
added 2026/04/12 3:30 a.m., 4 views

GHSA-W287-WWHF-95VV MetaGPT has an eval injection via a cross-site request forgery attack

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack...

CVSS 5.3, AI score 5.3, EPSS 0.00224
Exploits 1, References 6
Snyk
added 2026/04/12 3:30 a.m., 2 views

Cross-site Request Forgery (CSRF)

Overview: metagpt is The Multi-Agent Framework. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via the evaluateCode function in the Mineflayer HTTP API. An attacker can execute unauthorized actions by tricking a user into making unwanted requests. Remediation...

CVSS 8.8, AI score 4.9, EPSS 0.00224
Exploits 1, References 2
Github Security Blog
added 2026/04/12 3:30 a.m., 8 views

MetaGPT has an eval injection via a cross-site request forgery attack

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack...

CVSS 8.8, AI score 5.3, EPSS 0.00224
Exploits 1, References 7, Affected Software 1
CVE
added 2026/04/12 1:30 a.m., 12 views

CVE-2026-6109

The CVE-2026-6109 entry describes a vulnerability in FoundationAgents MetaGPT up to 0.8.1, specifically in the evaluateCode function of metagpt/environment/minecraft/mineflayer/index.js (Mineflayer HTTP API). It enables cross-site request forgery and can be exploited remotely. Public exploit disc...

CVSS 8.8, AI score 5.3, EPSS 0.00224
Exploits 1, References 5, Affected Software 1
Vulnrichment
added 2026/04/12 1:30 a.m., 1 view

CVE-2026-6109 FoundationAgents MetaGPT Mineflayer HTTP API index.js evaluateCode cross-site request forgery

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack...

CVSS 5.3, AI score 5.3, EPSS 0.00224
Exploits 1, References 5
ATTACKERKB
added 2026/04/12 1:30 a.m., 2 views

CVE-2026-6109

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack...

CVSS 5.3, AI score 5.3, EPSS 0.00224
Exploits 1, References 5, Affected Software 1
Rockylinux
added 2026/04/12 12:00 a.m., 3 views

thunderbird security update

An update is available for thunderbird. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. Mozilla Thunderbird is a standalone mail and newsgroup client. Security...

CVSS 10, AI score 7.3, EPSS 0.00676
Exploits 0
CNNVD
added 2026/04/12 12:00 a.m., 4 views

AstrBot code issue vulnerability

AstrBot is an open-source multi-platform LLM chatbot and development framework developed by AstrBot. Versions of AstrBot 4.22.1 and earlier contain code vulnerabilities. These vulnerabilities stem from improper handling of the postdata.get function in the API Endpoint component, which could...

CVSS 6.5, AI score 6.7, EPSS 0.00257
Exploits 0, References 6
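The AstrBot entries on this page (EUVD-2026-21715, CVE-2026-6119, the Snyk and CNNVD records) all describe the same server-side request forgery: a caller-supplied URL reaches an outbound fetch through postdata.get, so an attacker can point the service at internal resources. The block below is an added example of the destination check such a Python service should run before fetching, written for this page and not taken from AstrBot. The `FAKE_DNS` table, the hostnames in it and the `is_allowed` / `validate_outbound_url` names are assumptions so the code runs offline; `system_resolve` shows the real lookup a deployment would substitute. It rejects non-http(s) schemes, userinfo, loopback, private, link-local (including the 169.254.169.254 cloud metadata address), IPv4-mapped IPv6 literals, and any name whose answer set contains even one non-public address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline. These names and
# answers are assumptions for illustration, not AstrBot's configuration.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "metadata": ["169.254.169.254"],
    # One public and one loopback answer: a rebinding-style trick that must
    # fail the check as a whole, not just on the first address.
    "evil.test": ["1.2.3.4", "127.0.0.1"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def system_resolve(host):
    """Real resolver for production use; not exercised by the offline example."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so the IPv4 checks below apply to mapped addresses.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private        # RFC 1918, 0.0.0.0/8, documentation nets, etc.
        or ip.is_loopback
        or ip.is_link_local  # includes 169.254.169.254 (cloud metadata)
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def validate_outbound_url(url, resolver=fake_resolve):
    """Return (host, vetted_addresses) or raise ValueError.

    The caller must connect to one of the returned addresses (sending the
    original Host header) instead of re-resolving, and must re-run this check
    on every redirect hop; otherwise a second lookup can return a private address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("missing host")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IPv4/IPv6 host
    except ValueError:
        # Not a textual IP literal. A real libc resolver may still turn forms
        # such as "2130706433" into 127.0.0.1, which the address check below
        # rejects; the constructed resolver simply has no answer for them.
        addresses = resolver(host)
    if not addresses:
        raise ValueError("unresolvable host: %s" % host)
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        raise ValueError("destination resolves to non-public address: %s" % ", ".join(bad))
    return host, addresses


def is_allowed(url, resolver=fake_resolve):
    """Boolean wrapper around validate_outbound_url for call sites that just gate."""
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False
```

Two design points matter in practice: the check returns the vetted addresses so the HTTP client can pin the connection to them (resolving a second time inside the client reopens the DNS-rebinding window), and it treats a name as hostile if any of its answers is non-public rather than only the first one returned.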