EUVD-2026-14964
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API...
GHSA-X6W6-2XWP-3JH6 Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Summary: The DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when th...
GHSA-4753-CMC8-8J9V GoDoxy has a Path Traversal Vulnerability in its File API
Summary: The file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Join(common.ConfigBasePath, filename), where ConfigBasePath = "config" (a relative path). No sanitization or validation is applied beyond checking that...
PYSEC-2026-2 Two litellm versions published containing credential harvesting malware
After an API Token exposure from an exploited Trivy dependency, two new releases of litellm were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API. The malicious code runs during importing any module from the...
MAL-2026-2396 Malicious code in voodoo-internal-api (npm)
Source: amazon-inspector a66c21f000ea33496a8cd95744872d47bbd617d4a4cabdae400ae0361cf0faf3. The package voodoo-internal-api was found to contain malicious code...
CVE-2026-33340 LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint
LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of lollms-webui. The @router.post("/api/proxy") endpoint allows unauthenticated attackers to...
MAL-2026-2372 Malicious code in mollie-api-adapter-poc (npm)
Source: amazon-inspector c10d1de6da0a2ac867c4b6359c3e5f8021e49cb6c7572522f1185d02f839fbd4. The package mollie-api-adapter-poc was found to contain malicious code...
Important: Red Hat Security Advisory: cert-manager Operator for Red Hat OpenShift 1.17.1
cert-manager Operator for Red Hat OpenShift 1.17.1 The cert-manager Operator for Red Hat OpenShift builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide certificates-as-a-service to...
CVE-2026-33677 Webhook BasicAuth Credentials Exposed to Read-Only Project Collaborators via API
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials basicauthuser and basicauthpassword in plaintext to any user with read access to the project. While the existing code...
CLSA-2026-1774366569 Fix CVE(s): CVE-2026-3497
SECURITY UPDATE: pre-auth crash via GSSAPI key exchange - debian/patches/CVE-2026-3497.patch: replace sshpkt_disconnect with ssh_packet_disconnect and initialize gss_buffer_desc variables in kexgssc.c, kexgsss.c. - CVE-2026-3497...
CVE-2026-33676
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, when the Vikunja API returns tasks, it populates the relatedtasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. A...
CVE-2026-33668 Vikunja Allows Disabled/Locked User Accounts to Authenticate via API Tokens, CalDAV, and OpenID Connect
Vikunja is an open-source self-hosted task management platform. Starting in version 0.18.0 and prior to version 2.2.1, when a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV...
CVE-2026-33668
Vikunja vulnerability (CVE-2026-33668) affects versions prior to 2.2.1. When a user is disabled or locked, status checks are enforced only on local login and JWT refresh paths; API tokens, CalDAV basic auth, and OpenID Connect do not verify user status, allowing disabled/locked users to continue ...
WordPress King Addons for Elementor plugin <= 51.1.49 - Unauthenticated API Keys Disclosure vulnerability
Unauthenticated API Keys Disclosure vulnerability discovered by Ulyses Saicha in WordPress Plugin King Addons for Elementor versions <= 51.1.49...
CVE-2026-33484 Langflow has Unauthenticated IDOR on Image Downloads
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the /api/v1/files/images/flowid/filename endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flowid and filename returns...
CVE-2026-33309 Langflow has an Arbitrary File Write (RCE) via v2 API
Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leaving the root architectural issue within LocalStorageService unresolved. Because the underlying...