
Cvelist, added 2026/03/13 7:47 p.m.

CVE-2026-31949 LibreChat Denial of Service (DoS) via Unhandled Exception in DELETE /api/convos

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler...

CVSS 6.5 | EPSS 0.00377 | Exploits 1 | References 1
OSV, added 2026/03/13 7:47 p.m.

CVE-2026-31949 LibreChat Denial of Service (DoS) via Unhandled Exception in DELETE /api/convos

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service (DoS) vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler...

CVSS 6.5 | AI score 5.8 | EPSS 0.00377 | Exploits 1 | References 3
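The two CVE-2026-31949 entries above describe one unhandled exception in a route handler taking down the whole Node.js process. The JavaScript below is an added illustration written for this page, not LibreChat's code, and it does not reproduce the actual malformed request. It models a DELETE-style handler over a constructed in-memory store (the `conversationIds` field, the `store` map, the user objects and the `MAX_BATCH` limit are assumptions) to show the failure pattern and the two fixes a practitioner applies: validating the body shape before touching it, and forwarding rejections from `async` handlers to `next()` so Express 4 answers 500 instead of leaving an unhandled promise rejection, which Node.js 15 and later treats as fatal.

```javascript
// Added example for this page: models (does not reproduce) the LibreChat-style
// bug. Assumed request shape: { user: { id }, body: <parsed JSON> }; plain
// { status, body } objects stand in for an Express `res`.

// Constructed sample data standing in for the conversation collection.
function makeStore() {
  return new Map([
    ['c1', { owner: 'alice', title: 'first' }],
    ['c2', { owner: 'alice', title: 'second' }],
    ['c3', { owner: 'bob', title: 'not mine' }],
  ]);
}

// Vulnerable shape: assumes body.conversationIds is an array of known ids.
// A body of {}, a string instead of an array, or an unknown id makes
// .filter() or .owner throw a TypeError. Inside an `async` Express 4 handler
// that throw becomes a rejected promise nobody handles, and Node.js 15+
// terminates the process on an unhandled rejection: one request, server down.
function deleteConvosUnsafe(store, req) {
  const ids = req.body.conversationIds;
  const deleted = ids.filter((id) => store.get(id).owner === req.user.id);
  deleted.forEach((id) => store.delete(id));
  return { status: 200, body: { deleted } };
}

// Hardened shape: validate the body before using it, bound the batch size,
// and treat unknown or foreign ids as no-ops rather than as exceptions.
const MAX_BATCH = 100; // assumed limit, chosen for the example
function deleteConvosSafe(store, req) {
  const ids = req.body ? req.body.conversationIds : undefined;
  const wellFormed =
    Array.isArray(ids) &&
    ids.length > 0 &&
    ids.length <= MAX_BATCH &&
    ids.every((id) => typeof id === 'string');
  if (!wellFormed) {
    return {
      status: 400,
      body: { error: 'conversationIds must be a non-empty array of strings' },
    };
  }
  const deleted = [];
  for (const id of ids) {
    const convo = store.get(id);
    if (convo !== undefined && convo.owner === req.user.id) {
      store.delete(id);
      deleted.push(id);
    }
  }
  return { status: 200, body: { deleted } };
}

// Second layer: a wrapper for async Express 4 handlers. Whatever the handler
// throws or rejects with is forwarded to next(), so the error middleware
// answers 500 and the process keeps running. (Express 5 does this itself.)
function asyncHandler(fn) {
  return function wrapped(req, res, next) {
    Promise.resolve(fn(req, res, next)).catch(next);
  };
}

// Stand-alone demo on the constructed inputs.
const malformed = { user: { id: 'alice' }, body: {} };
try {
  deleteConvosUnsafe(makeStore(), malformed);
} catch (e) {
  console.log('unsafe handler threw:', e.constructor.name, e.message);
}
console.log('safe handler, malformed body:', deleteConvosSafe(makeStore(), malformed));
const valid = { user: { id: 'alice' }, body: { conversationIds: ['c1', 'c3', 'missing'] } };
console.log('safe handler, valid body:', deleteConvosSafe(makeStore(), valid));
```

The validation in `deleteConvosSafe` is what closes the crash; `asyncHandler` is the belt-and-braces layer that keeps any future throw in an `async` route from escaping to the event loop. Register it as `router.delete('/api/convos', asyncHandler(handler))` in an Express 4 application.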
ATTACKERKB, added 2026/03/13 7:28 p.m.

CVE-2026-31882

Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG...

CVSS 7.5 | AI score 6 | EPSS 0.00778 | Exploits 1 | References 5 | Affected software 1
EUVD, added 2026/03/13 7:15 p.m.

EUVD-2026-12081

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and...

CVSS 5 | AI score 5.9 | EPSS 0.00097 | Exploits 0 | References 1
ATTACKERKB, added 2026/03/13 7:15 p.m.

CVE-2026-31798

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and...

CVSS 5 | AI score 5.9 | EPSS 0.00097 | Exploits 0 | References 2 | Affected software 1
CVE, added 2026/03/13 7:07 p.m.

CVE-2026-30943

Gokapi prior to version 2.2.4 contains an insufficient authorization check in the file replace API. A user with only list visibility permission (UserPermListOtherUploads) could delete another user’s file by abusing the deleteNewFile flag, effectively escalating privileges. The issue is fixed in 2...

CVSS 4.1 | AI score 5.8 | EPSS 0.00179 | Exploits 0 | References 2 | Affected software 1
Snyk, added 2026/03/13 6:56 p.m.

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the E2E Metadata Parser API endpoint, which processes unbounded request bodies without size restrictions. An authenticated user can cause the server to run out of memory and disru...

CVSS 7.1 | AI score 5.8 | EPSS 0.00248 | Exploits 0 | References 2
Snyk, added 2026/03/13 6:56 p.m.

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the file replace API. An attacker can delete files belonging to other users by abusing insufficient authorization checks on the deleteNewFile flag. Note: This is only exploitable if the attacker has permission...

CVSS 6.6 | AI score 5.8 | EPSS 0.00179 | Exploits 0 | References 2
OSV, added 2026/03/13 10:54 a.m.

MAL-2026-1412 Malicious code in project47 (PyPI)

Source: kam193 (a3f77d5ebfcf087b4f055d7ce552ee0165eadf99d8cc6dcd0f3c767393099d27). Facebook hacking tool that also forces the user to follow specific accounts. Category: MALICIOUS - The campaign has clearly malicious intent, like...

AI score 5.8 | Exploits 0 | References 1
OSSF Malicious Packages, added 2026/03/13 10:50 a.m.

Malicious code in darkig (PyPI)

Source: kam193 (7589c67c4429eabd010f891cb17f893ee11ec3cb873d4a31095cc3592134f762). Instagram hacking tool that also forces the user to follow hardcoded accounts. Category: MALICIOUS - The campaign has clearly malicious intent, like...

AI score 5.8 | Exploits 0 | References 1
OSV, added 2026/03/13 10:50 a.m.

MAL-2026-1409 Malicious code in darkig (PyPI)

Source: kam193 (7589c67c4429eabd010f891cb17f893ee11ec3cb873d4a31095cc3592134f762). Instagram hacking tool that also forces the user to follow hardcoded accounts. Category: MALICIOUS - The campaign has clearly malicious intent, like...

AI score 5.8 | Exploits 0 | References 1
OSSF Malicious Packages, added 2026/03/13 10:41 a.m.

Malicious code in nfd (PyPI)

Source: kam193 (09861068d4a40cdebd80dae1ae4db85b45498bdb1f7f039cf44b33f41e68534f). Facebook automation/hacking tool, with a part of its code obfuscated. Given that other packages from this uploader exfiltrate user's credentials, this is likel...

AI score 5.9 | Exploits 0 | References 1
OSV, added 2026/03/13 9:31 a.m.

BIT-GITLAB-2025-14513 Improper Validation of Specified Quantity in Input in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an unauthenticated user to cause a denial of service condition due to improper input validation when processing specially crafted JSON...

CVSS 7.5 | AI score 5.8 | EPSS 0.00475 | Exploits 0 | References 4
OSV, added 2026/03/13 9:30 a.m.

BIT-GITLAB-2025-12697 Improper Encoding or Escaping of Output in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.5 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with maintainer-role permissions to reveal Datadog API credentials under certain conditions...

CVSS 4.4 | AI score 5.8 | EPSS 0.00293 | Exploits 0 | References 4
OSV, added 2026/03/13 9:17 a.m.

BIT-WORDPRESS-2026-3906 WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API

WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API create_item_permissions_check method in...

CVSS 4.3 | AI score 5.8 | EPSS 0.00305 | Exploits 0 | References 4
OSV, added 2026/03/13 9:17 a.m.

BIT-WORDPRESS-MULTISITE-2026-3906 WordPress 6.9 - 6.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API

WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API create_item_permissions_check method in...

CVSS 4.3 | AI score 5.8 | EPSS 0.00305 | Exploits 0 | References 4
CVE, added 2026/03/13 8:25 a.m.

CVE-2026-2257

The GetGenie WordPress plugin

CVSS 6.4 | AI score 5.8 | EPSS 0.00228 | Exploits 0 | References 4
Cvelist, added 2026/03/13 7:23 a.m.

CVE-2026-3045 Appointment Booking Calendar <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint

The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound publicnonce is exposed to unauthenticated users...

CVSS 7.5 | EPSS 0.0029 | Exploits 0 | References 5
Patchstack, added 2026/03/13 7:09 a.m.

WordPress Appointment Booking Calendar plugin <= 1.6.9.29 - Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint vulnerability

Missing Authorization to Unauthenticated Sensitive Information Exposure via Settings REST API Endpoint vulnerability discovered by Muhammad Sharief in WordPress Plugin Simply Schedule Appointments versions <= 1.6.9.29...

CVSS 7.5 | AI score 5.8 | EPSS 0.0029 | Exploits 0 | References 1 | Affected software 1
Snyk, added 2026/03/13 6:47 a.m.

Malicious Package

Overview: dell-emc-internal-api-drzak is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

CVSS 9.8 | AI score 5.8 | Exploits 0 | References 2