Mattermost 安全漏洞

Mattermost is an open-source collaboration platform developed by the American company Mattermost. Vulnerabilities exist in versions of Mattermost 11.6.0 and earlier 11.6.x series, as well as versions prior to 11.5.3 11.5.x series, 11.4.4 and earlier 11.4.x series, and 10.11.14 and earlier 10.11.x...

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server from 2026.1.6.0 to 2026.1.16.0, as well as versions prior to 2025.3.20.0, have security...

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server from 2026.1.6.0 to 2026.1.16.0, as well as versions prior to 2025.3.20.0, have security...

Typebot 安全漏洞

Typebot is an open-source chat bot builder developed by Baptiste Arnaud. Versions of Typebot 3.16.0 and earlier contained a security vulnerability. This vulnerability stemmed from the WhatsApp Cloud API webhook endpoint not verifying the x-hub-signature-256 HMAC signature, allowing unauthenticate...

Unity Linux 20.1070e Security Update: hibernate (UTSA-2026-016690)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016690 advisory. A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit...

Linux Distros Unpatched Vulnerability : CVE-2026-28376

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to...

PT-2026-42785

Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : Devolutions Server 2026.1.6.0 through...

PT-2026-42790

Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : Devolutions Server 2026.1.6.0 through 2026.1.16.0 Devolutions Server 2025.3.20.0 and...

Incorrect Authorization

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Incorrect Authorization via the allowedroutes field during API key generation. An attacker can gain unauthorized access to restricted routes by specifying routes outside...

MAL-2026-4755 Malicious code in mathepy (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 268eeb8db2d704a5b34b2007a25477fdd9f2de3525462f3dd78192aa5d2f95a1 Package metadata advertises mathepy as a 'Module for Quick Calculations', but the package's importable init.py exposes 13 top-level functions askllm,...

MAL-2026-4749 Malicious code in fakehuop (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 677eed2b8b2630ec8e88b29d7ae3d9d49fc0d0c18230cc51b24d8102cdb151ee Every advertised function in this package askllm, pink, america, iran, momo, abc, bcd, code, sf, liti, koko, init, dropnull, hellp, lc instantiates a...

CVE-2026-7887

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 suspended, banned, terminated employee can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score o...

CVE-2026-7887

Summary: CVE-2026-7887 affects Concrete CMS 9.5.0 and earlier. The OAuth 2.0 Authorization-Code Handler does not enforce account status, allowing a user with uIsActive=0 (suspended/banned/terminated) to authenticate and obtain API tokens. What’s affected: Concrete CMS versions prior to 9.5.1 (per...

CVE-2026-47101

LiteLLM prior to 1.83.14 allows an authenticated internaluser to create API keys with access to routes that their role does not permit. When generating a key, the allowedroutes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...

Imperva Customers Protected Against CVE-2026-9082 in Drupal Core

TL;DR:CVE-2026-9082 is a highly critical SQL injection vulnerability in Drupal core that can be exploited by unauthenticated users against Drupal sites using PostgreSQL. The vulnerability affects Drupal’s database abstraction API and can allow specially crafted requests to trigger arbitrary SQL...

GHSA-F76X-F9VJ-92JV NocoDB: Stale Auth Cache After API Token Deletion

Summary Deleted API tokens continued to authenticate requests until their cache entry expired, because the auth cache was not invalidated by token value at deletion time. Details The API token deletion path removed the database row but did not evict the token-value keyed entry from the auth cache...

CVE-2026-47101

LiteLLM prior to 1.83.14 allows an authenticated internaluser to create API keys with access to routes that their role does not permit. When generating a key, the allowedroutes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...

CVE-2026-47101

LiteLLM prior to 1.83.14 is affected. An authenticated internal_user can generate API keys where allowed_routes may include admin-only routes, bypassing role-based access controls because the system does not verify that the requested routes fall within the creator’s permissions. This enables priv...

EUVD-2026-31346

LiteLLM prior to 1.83.14 allows an authenticated internaluser to create API keys with access to routes that their role does not permit. When generating a key, the allowedroutes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...

CVE-2026-8135

Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. An rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism fromCIF === true, which normally...