GHSA-7QHF-V65M-G5F3 mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization

In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...

mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization

In mlflow/mlflow, the FastAPI job endpoints under /ajax-api/3.0/jobs/ are not protected by authentication or authorization when the basic-auth app is enabled. This vulnerability affects the latest version of the repository. If job execution is enabled MLFLOWSERVERENABLEJOBEXECUTION=true and any j...

Juju: Read All Controller Logs From Compromised Workload

Summary It is possible that a compromised workload machine under a Juju controller can read any log file for any entity in any model at any level. There is a debug log endpoint in the API server that allows streaming of logs off of the controller. To access this endpoint you must be authenticatio...

Malicious code in strapi-plugin-api (npm)

strapi-plugin-api is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. It...

MAL-2026-2451 Malicious code in strapi-plugin-api (npm)

strapi-plugin-api is a malicious npm package disguised as a Strapi CMS plugin. On install, it runs a postinstall script that executes an 11-phase attack: stealing .env files, environment variables, Strapi configuration, private keys, Redis data, Docker/Kubernetes secrets, and network topology. It...

[SECURITY] Fedora 42 Update: gstreamer1-vaapi-1.26.11-1.fc42

A collection of GStreamer plugins to let you make use of VA API video acceleration from GStreamer applications. Includes elements for video decoding, display, encoding and post-processing using VA API subject to hardware limitations...

CVE-2026-25118

immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within t...

GHSA-3MWP-WVH9-7528 vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server

Summary A Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an...

vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server

Summary A Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an...

JLSEC-2026-48

Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistake...

PT-2026-30243

Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated...

MLflow 访问控制错误漏洞

MLflow is an open-source platform that simplifies machine learning development. It includes features like tracking experiments, packaging code for reproducible executions, and sharing and deploying models. There is a security vulnerability in MLflow, which stems from the lack of authentication or...

PT-2026-30226

prompts.chat prior to commit 1464475 contains a blind server-side request forgery vulnerability in the Wiro media generator that allows authenticated users to perform server-side fetches of user-controlled inputImageUrl parameters. Attackers can exploit this vulnerability by sending POST requests...

PT-2026-30230

Name of the Vulnerable Software and Affected Versions versions affected versions not specified Description An authenticated user can access other user profiles by manipulating the id number within an API call. This occurs through a specific API endpoint. Recommendations At the moment, there is no...

Piwigo SQL注入漏洞

Piwigo is a web-based open-source image library software developed by Piwigo contributors. This software includes functions such as image management, image classification, and permission management. Versions of Piwigo prior to 16.3.0 had a SQL injection vulnerability. This vulnerability stemmed...

PT-2026-30228

prompts.chat prior to commit 30a8f04 contains a server-side request forgery vulnerability in Fal.ai media status polling that allows authenticated users to perform arbitrary outbound requests by supplying attacker-controlled URLs in the token parameter. Attackers can exploit the lack of URL...

Gardyn Home Kit Cloud API和Gardyn Mobile Application 信任管理问题漏洞

Gardyn Home Kit Cloud API and Gardyn Mobile Application are products of the American company Gardyn. Gardyn Home Kit Cloud API is an indoor hydroponic cultivation system. Gardyn Mobile Application is a mobile control application. There are security vulnerabilities in Gardyn Home Kit Cloud API and...

PraisonAI 安全漏洞

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.90 contained security vulnerabilities. These vulnerabilities stemmed from the passthrough and apassthrough functions accepting an apibase parameter controlled by the caller...

Ubuntu 14.04 LTS / 16.04 LTS : Linux kernel vulnerabilities (USN-8143-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8143-1 advisory. Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update...

CVE-2026-35466

XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services...