
GithubExploit
added 2026/03/12 12:28 p.m., 140 views

Exploit for Deserialization of Untrusted Data in Nextgen Mirth_Connect

CVE-2023-43208 — Mirth Connect RCE

CVSS 9.8 | AI score 5.9 | EPSS 0.82708
Exploits: 21
OSV
added 2026/03/12 12:1 p.m., 7 views

RLSA-2026:4306 Important: mingw-libpng security update

MinGW Windows Libpng library. Security Fixes: libpng: Information disclosure and denial of service via integer truncation in simplified write API (CVE-2026-22801); libpng: Denial of service and information disclosure via heap buffer over-read in pngimagefinishread (CVE-2026-22695)...

CVSS 7 | AI score 6 | EPSS 0.00939
Exploits: 2, References: 4
Vulnrichment
added 2026/03/12 10:54 a.m., 3 views

CVE-2026-2366 Keycloak: keycloak: information disclosure via authorization bypass in admin api

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim'...

CVSS 3.1 | AI score 5.8 | EPSS 0.00275
Exploits: 0, References: 4
CVE
added 2026/03/12 10:54 a.m., 18 views

CVE-2026-2366

CVE-2026-2366 – Keycloak Admin API information disclosure: A vulnerability in the Keycloak Admin API allows any authenticated user, even without admin privileges, to enumerate other users’ organization memberships if the attacker knows the victim’s UUID and the Organizations feature is enabled. ...

CVSS 3.1 | AI score 5.8 | EPSS 0.00275
Exploits: 0, References: 4
ATTACKERKB
added 2026/03/12 10:54 a.m., 3 views

CVE-2026-2366

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim'...

CVSS 3.1 | AI score 5.8 | EPSS 0.00275
Exploits: 0, References: 5
Cvelist
added 2026/03/12 10:54 a.m., 24 views

CVE-2026-2366 Keycloak: keycloak: information disclosure via authorization bypass in admin api

A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim'...

CVSS 3.1 | EPSS 0.00275
Exploits: 0, References: 4
NCSC
added 2026/03/12 7:46 a.m., 5 views

Vulnerabilities fixed in Fortinet FortiWeb

Fortinet has fixed vulnerabilities in FortiWeb Versions 7.0 to 8.0.1. The vulnerabilities include an ability for remote unauthenticated attackers to bypass hostname restrictions, an OS command injection vulnerability within the FortiWeb API, and the ability to bypass authentication rate-limits...

CVSS 8.1 | AI score 6.2 | EPSS 0.01667
Exploits: 0, References: 6
NVD
added 2026/03/12 6:16 a.m., 2 views

CVE-2025-15473

The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type...

CVSS 4.3 | EPSS 0.00164
Exploits: 0, References: 1
Snyk
added 2026/03/12 12:33 a.m., 3 views

Command Injection

Overview: openakita is an all-capable self-evolving AI Agent, based on the Ralph Wiggum pattern, never giving up. Affected versions of this package are vulnerable to Command Injection via the run function in the Chat API Endpoint component when processing the Message argument. An attacker can execute arbitrary operating system commands by supplyin...

CVSS 5.3 | AI score 6.3 | EPSS 0.00779
Exploits: 0, References: 2
OSV
added 2026/03/12 12:16 a.m., 6 views

CVE-2026-3965

A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The...

CVSS 6.3 | AI score 5.3
Exploits: 0, References: 9
Positive Technologies
added 2026/03/12 12:0 a.m., 4 views

PT-2026-25039

Name of the Vulnerable Software and Affected Versions: Asseco SEE Live 2.0. Description: A local file inclusion issue exists in the Contact Plan, E-Mail, SMS, and Fax components. Remote authenticated users can access files on the host system through the path parameter in the downloadAttachment and...

CVSS 6.5 | AI score 5.8 | EPSS 0.00308
Exploits: 0, References: 9
CNNVD
added 2026/03/12 12:0 a.m., 4 views

Backstage information disclosure vulnerability

Backstage is an open-source application developed by Backstage. It serves as an open platform for building developer portals. Versions of Backstage prior to 3.1.5 contained a vulnerability related to information leakage. This vulnerability occurred because verified users with permission to conduc...

CVSS 6.5 | AI score 5.8 | EPSS 0.00242
Exploits: 0, References: 3
CNNVD
added 2026/03/12 12:0 a.m., 7 views

LXD security vulnerability

LXD is a Canonical open-source container-based system for managing applications on Linux systems. Security vulnerabilities exist in LXD versions 4.12 to 6.6, which stem from improper sanitization of the compressionalgorithm parameter. This vulnerability could allow authenticated non-privileged users ...

CVSS 9.4 | AI score 5.9 | EPSS 0.00502
Exploits: 0, References: 5
CNNVD
added 2026/03/12 12:0 a.m., 9 views

Postal cross-site scripting vulnerability

Postal is a complete and fully functional email server developed by Postal OpenSource. It is used for websites and web servers. Versions of Postal prior to 3.3.5 contained a cross-site scripting vulnerability. This vulnerability stemmed from the send/raw method in the API, which allowed unescaped...

CVSS 8.1 | AI score 5.6 | EPSS 0.00235
Exploits: 0, References: 1
Positive Technologies
added 2026/03/12 12:0 a.m., 3 views

PT-2026-25085

Summary: The telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append method documented as "trusted SQL". There is no allowlist, no parameterized...

CVSS 9.9 | AI score 6.9 | EPSS 0.00603
Exploits: 1, References: 16
Positive Technologies
added 2026/03/12 12:0 a.m., 6 views

PT-2026-25077

Anchore Enterprise versions before 5.25.1 contain an SQL injection vulnerability in the GraphQL Reports API. An authenticated attacker that is able to access the GraphQL API could execute arbitrary SQL instructions resulting in modifications to the data contained in the Anchore Enterprise databas...

CVSS 8.5 | AI score 6 | EPSS 0.00317
Exploits: 0, References: 6
Cvelist
added 2026/03/11 11:32 p.m., 28 views

CVE-2026-3965 whyour qinglong API express.ts protection mechanism

A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The...

CVSS 6.5 | EPSS 0.00441
Exploits: 0, References: 9
CVE
added 2026/03/11 11:32 p.m., 11 views

CVE-2026-3965

CVE-2026-3965 affects whyour qinglong up to 2.20.1, with the vulnerability located in the back/loaders/express.ts API Interface. The issue arises from manipulation of the command argument, causing protection mechanism failure and enabling remote access. Public exploit information exists, and ther...

CVSS 6.5 | AI score 6.1 | EPSS 0.00441
In wild; Exploits: 0, References: 9
NVD
added 2026/03/11 11:16 p.m., 4 views

CVE-2026-3964

A weakness has been identified in OpenAkita up to 1.24.3. This impacts the function run of the file src/openakita/tools/shell.py of the component Chat API Endpoint. Executing a manipulation of the argument Message can lead to os command injection. The attack is restricted to local execution. The...

CVSS 5.3 | EPSS 0.00779
Exploits: 0, References: 4
Cvelist
added 2026/03/11 11:2 p.m., 28 views

CVE-2026-3964 OpenAkita Chat API Endpoint shell.py run os command injection

A weakness has been identified in OpenAkita up to 1.24.3. This impacts the function run of the file src/openakita/tools/shell.py of the component Chat API Endpoint. Executing a manipulation of the argument Message can lead to os command injection. The attack is restricted to local execution. The...

CVSS 5.3 | EPSS 0.00779
Exploits: 0, References: 4