57250 matches found
Malicious code in ssf-desktop-api-electron (npm)
Source: amazon-inspector 49396220b88ccf03b280b2ccbf09f84a3c871d1877ca7db06fd0e3fb78221305. The package ssf-desktop-api-electron was found to contain malicious code...
GHSA-RF6X-R45M-XV3W Langflow is Missing Ownership Verification in API Key Deletion (IDOR)
Detection Method: Kolega.dev Deep Code Scan

| Attribute | Value |
|---|---|
| Location | src/backend/base/langflow/api/v1/apikey.py:44-53 |
| Practical Exploitability | High |
| Developer Approver | [email protected] |

Description: The deleteapikeyroute endpoint accepts an apikeyid path parameter a...
Malicious code in internal-api-insights (npm)
Source: amazon-inspector 7b02a86affbdb1f89c5fff800bc1a2c78125d1536f84ed7caa8507f14d0ebf5c. The package internal-api-insights was found to contain malicious code...
MAL-2026-1752 Malicious code in internal-api-insights (npm)
Source: amazon-inspector 7b02a86affbdb1f89c5fff800bc1a2c78125d1536f84ed7caa8507f14d0ebf5c. The package internal-api-insights was found to contain malicious code...
Malicious code in @panopto/api-core (npm)
Source: amazon-inspector 02e9e606e2aef11de752a18ad63f5772f485bb0fd40f66cc61b2e0f9a5ffe26f. The package @panopto/api-core was found to contain malicious code...
MAL-2026-1634 Malicious code in @panopto/api-core (npm)
Source: amazon-inspector 02e9e606e2aef11de752a18ad63f5772f485bb0fd40f66cc61b2e0f9a5ffe26f. The package @panopto/api-core was found to contain malicious code...
CVE-2026-33265
In LibreChat 0.8.1-rc2, a logged-in user obtains a JWT for both the LibreChat API and the RAG API...
CVE-2025-41258 LibreChat RAG API Authentication Bypass
LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and the RAG API, which compromises the service-level authentication of the RAG API...
Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS
Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), has been described as a cross-origin issue in WebKit's Navigation API that could be...
CVE-2026-32596
Glances is an open-source cross-platform system monitoring tool. Prior to 4.5.2, the Glances web server runs without authentication by default when started with glances -w, exposing a REST API with sensitive system information, including process command lines containing credentials (passwords, API keys,...
CVE-2026-32596 Glances exposes the REST API without authentication
Glances is an open-source cross-platform system monitoring tool. Prior to 4.5.2, the Glances web server runs without authentication by default when started with glances -w, exposing a REST API with sensitive system information, including process command lines containing credentials (passwords, API keys,...
CVE-2026-31891
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/model endpoint is...
UBUNTU-CVE-2026-31891
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/model endpoint is...
CVE-2026-31891 Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()
Cockpit is a headless content management system. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected by a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any deployment where the /api/content/aggregate/model endpoint is...
EUVD-2026-12749
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation, and client-server communication. Prior to version 1.4.27, an Elysia cookie can be overridden by prototype pollution, e.g. via proto. This issue is patched in 1.4.27. As a workaround, use t.Cookie validatio...
WordPress plugin KiviCare security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...