@cubejs-backend/server (>=1.1.2 <=1.4.0), @cubejs-backend/server-core (>=1.1.2 <=1.4.0) +2 more potentially affected by CVE-2026-25957 via @cubejs-backend/api-gateway (>=1.1.17 <=1.4.0)

@cubejs-backend/api-gateway NPM version =1.1.17, =1.1.2, =1.1.2, =1.1.2, =1.4.0 - cubejs-backend-server-core-fork =1.1.3 Source cves: CVE-2026-25957 Source advisory: SNYK:JS-CUBEJSBACKENDAPIGATEWAY-15265448...

Improper Handling of Exceptional Conditions

Overview @cubejs-backend/api-gateway is a package that provides idempotent long polling API. Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the Cube API endpoint. An attacker can cause the server to crash and make the API unavailable by sending ...

CVE-2026-25957

Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2...

CVE-2026-25957 Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request

Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2...

CVE-2026-25957 Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request

Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2...

CVE-2026-25957

Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2...

CVE-2026-25893 FUXA Unauthenticated Remote Code Execution via Admin JWT Minting

FUXA is a web-based Process Visualization SCADA/HMI/Dashboard software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has...

Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService UMA Protection API. When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first...

CVE-2026-25806

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do...

keycloak: Incorrect ownership checks in /uma-policy/

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService UMA Protection API. When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first...

CVE-2026-25497

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their...

CVE-2025-14778

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService UMA Protection API. When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first...

CVE-2026-25528 LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to...

CVE-2026-25528 LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to...

CVE-2026-25528

CVE-2026-25528 affects LangSmith Client SDKs with distributed tracing. The baggage header in HTTP requests could inject replica configurations (api_url/api_key), causing the SDK to send trace data to attacker-controlled endpoints via post()/patch() after a traced operation. Root cause: RunTree.fr...

CVE-2026-25497

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their...

CVE-2026-25497 Craft has a GraphQL Asset Mutation Privilege Escalation

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their...

CVE-2025-14778

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService UMA Protection API. When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first...

TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure

Cybersecurity researchers have called attention to a "massive campaign" that has systematically targeted cloud native environments to set up malicious infrastructure for follow-on exploitation. The activity, observed around December 25, 2025, and described as "worm-driven," leveraged exposed Dock...

WordPress MStore API <= 4.0.1 - Unauthenticated SQL Injection

MStore API plugin for WordPress up to version 4.0.1 contains an unauthenticated blind SQL injection caused by insufficient escaping of 'id' parameter in SQL queries, letting attackers execute arbitrary SQL commands without authentication, exploit requires sending crafted requests with malicious...