Improper Check or Handling of Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check or Handling of Exceptional Conditions via the launcher endpoint when an authenticated host sends an unexpected log type value. An attacker can cause the server process to terminate immediately, disrupting all connected...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the host transfer API due to missing authorization checks on the source team. An attacker can gain unauthorized control over hosts belonging to other teams by initiating a transfer, resulting in the ability to...

Server-side Request Forgery (SSRF)

Overview @clerk/backend is a Clerk Backend SDK - REST Client for Backend API & JWT verification utilities Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the clerkFrontendApiProxy function. An attacker can obtain secret keys by crafting a request path that...

GHSA-GJXX-92W9-8V8F Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

Summary The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery SSRF. An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. Affected packages Only applicatio...

0lever-utils (>=0.0.2 <=0.0.7), 0x-web3 (=5.0.0a5) +6240 more potentially affected by CVE-2026-34073 via cryptography (>=0.6.1 <=46.0.5)

cryptography PYPI version =0.6.1, =0.0.2, =2.3.84, =0.1.0, =2.3.0, =0.1.0, =0.5.0rc5, =0.9.2, =0.4.24, =0.1.0, =0.1.3, =0.0.1, =0.1.5, =0.1.1, =0.1.9 and more Source cves: CVE-2026-34073 Source advisory: OSV:GHSA-M959-CC7F-WV43...

GHSA-QH6H-P6C9-FF54 LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions

Summary Multiple functions in langchaincore.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to loadprompt or loadpromptfromconfig...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the readflow helper in src/backend/base/langflow/api/v1/flows.py. An attacker can read, modify, or delete another user's flow by supplying that flow's UUID to the GET, PATCH, or DELETE /api/v1/flow/flowid...

CVE-2026-34385

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user...

Changedetection.io Discloses Environment Variables via jq env Builtin in Include Filters

Summary The jq: and jqraw: include filter expressions allow use of the jq env builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user or unauthenticated user when no password is set, the default can leak sensitive environment variables...

CVE-2026-34386

Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet...

CVE-2026-29180

Fleet is open source device management software. Prior to 4.81.1, a broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control...

CVE-2026-34369

CVE-2026-34369 affects WWBN AVideo prior to patch be344206f2f461c034ad2f1c5d8212dd8a52b8c7. In versions up to 26.0, the get_api_video_file and get_api_video API endpoints return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video ...

CVE-2026-34369

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getapivideofile and getapivideo API endpoints in AVideo return full video playback sources direct MP4 URLs, HLS manifests for password-protected videos without verifying the video password. While the normal we...

CVE-2025-55274

HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. CORS misconfigurations includes the exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker to exploit CORS misconfiguration, they...

EUVD-2026-16462

Incus vulnerable to local privilege escalation through VM screenshot path...

CVE-2026-33469

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. In version 0.17.0, an authenticated non-admin user can retrieve the full raw Frigate configuration through /api/config/raw. This exposes sensitive values that are intentionally redacted from /api/config,...

PYSEC-2026-3 Two telnyx versions published containing credential harvesting malware

After an API token exposure from an exploited Trivy dependency, two new releases of telnyx were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API. Compromised versions execute code during importing the telnyx...

MAL-2026-2271 Malicious code in metamask-api (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 d741c998a924aa720c19f13cbb622ebb5862abde8765dac7f8bb2cf1b219c3dc Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

MAL-2026-2272 Malicious code in solana-api (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 f0a22ac83bdfd88312e7d422a0e3c27531ccdb7a6c6e4afa1ae513bb9aecf41f Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

MAL-2026-2268 Malicious code in gemini-ai-api (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 db2be37ea455b54b825242a3f66310fdf3f70e50b1dc1a234fa3ebb534afa857 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...