PT-2026-31451

FrontMCP is a TypeScript-first framework for the Model Context Protocol MCP. Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenA...

InvenTree 授权问题漏洞

InvenTree is an open-source inventory management system developed by InvenTree. It provides robust low-level inventory control and parts tracking capabilities. Versions of InvenTree prior to 1.2.7 and 1.3.0 contained authorization vulnerabilities. These vulnerabilities stemmed from improper...

PT-2026-31350

Summary The webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected...

PT-2026-31285

Summary The LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid,...

PT-2026-31334

Name of the Vulnerable Software and Affected Versions Kibana affected versions not specified Description An issue exists in Kibana where incorrect authorization can lead to information disclosure through privilege abuse. A user with limited Fleet privileges can exploit an internal API endpoint to...

XWiki Platform 安全漏洞

The XWiki Platform is an open-source wiki platform designed for creating web collaboration applications. Versions of the XWiki Platform prior to 17.4.8 and 17.10.1 contained security vulnerabilities. These vulnerabilities stemmed from inadequate protection of the script API, allowing users with...

PT-2026-31541

Name of the Vulnerable Software and Affected Versions GitLab EE versions 11.3 through 18.8.9, 18.9 through 18.9.5, and 18.10 through 18.10.3 Description GitLab EE was found to have improper authorization checks in the API. This allowed an authenticated user with developer-role permissions to modi...

PT-2026-32978

OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground...

Gitlab -- vulnerabilities

Gitlab reports: Exposed Method issue in websocket connections impacts GitLab CE/EE Denial of Service issue in Terraform state lock API impacts GitLab CE/EE Denial of Service issue in GraphQL API impacts GitLab CE/EE Denial of Service issue in CSV import impacts GitLab CE/EE Denial of Service issu...

GitLab 11.3 < 18.8.9 / 18.9 < 18.9.5 / 18.10 < 18.10.3 (CVE-2026-1752)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-ro...

WordPress MainWP Child Reports plugin <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API vulnerability

Missing Authorization to Authenticated Subscriber+ Information Disclosure via Heartbeat API vulnerability discovered by Hunter Jensen skid in WordPress Plugin MainWP Child Reports versions = 2.2.6...

CVE-2026-35179

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the SocialMediaPublisher plugin exposes a publishInstagram.json.php endpoint that acts as an unauthenticated proxy to the Facebook/Instagram Graph API. The endpoint accepts user-controlled parameters including an access...

CVE-2026-35442

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions min, max applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated...

WordPress Elementor Website Builder plugin <= 3.35.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via REST API vulnerability discovered by andrea bocchetti in WordPress Plugin Elementor Website Builder versions = 3.35.5...

GHSA-WPWF-V25W-54G3 PowerJob's GroovyEvaluator.evaluate endpoint vulnerable to code injection

A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be execute...

GHSA-2H6J-MHCP-9J9H GenieACS has an unauthenticated access vulnerability via the NBI API endpoint

In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint...

CVE-2026-5739

A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be execute...

CVE-2026-39397 @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...

CVE-2026-39397 @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...

CVE-2026-39397

@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/ CRUD endpoint handlers registered by createPuckPlugin called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The...