
13 matches found

EUVD
added 2 days ago

EUVD-2026-38428

Capgo before 12.128.2 contains an authorization bypass vulnerability in its public API key management handlers get/put/delete/post. API keys created with mode=all but restricted to a single app via limitedtoapps are only checked for limitedtoorgs and not for limitedtoapps, so an app-scoped key ca...

CVSS 8.7 | AI score 5.9 | EPSS 0.00292
Exploits: 0 | References: 2
NVD
added 2026/06/03 2:16 p.m.

CVE-2026-44546

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

CVSS 5.3 | EPSS 0.00172
Exploits: 0 | References: 1
Cvelist
added 2026/06/03 1:17 p.m.

CVE-2026-44546 Header injection via WebSocket upgrade parser differential allows ASGI scope header spoofing

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

CVSS 3.7 | EPSS 0.00172
Exploits: 0 | References: 1
Positive Technologies
added 2026/06/03 12:00 a.m.

PT-2026-45941

daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or \x85 as header line separators, but autobahn decodes header values to str and calls splitlines. An...

CVSS 3.7 | AI score 5.8 | EPSS 0.00172
Exploits: 0 | References: 2
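The three CVE-2026-44546 records above describe a parser differential rather than a single bad check: one parser ends a header line only at CRLF, the next decodes the value to str and lets str.splitlines() decide where lines end, so a value containing \x0b, \x0c, \x1c, \x1d, \x1e or \x85 is one header to the first parser and two to the second. The following Python is an added example for this listing, not code from daphne, Twisted or autobahn. Both parsers are small constructed stand-ins that reproduce only the behaviour the advisory names, the request text is constructed, and the assumption that the smuggled line is used to inject an extra header (X-Injected below) follows from the advisory title; the real libraries are more involved.

```python
"""Model of the line-separator parser differential described in CVE-2026-44546.

Added example for this listing; not code from daphne, Twisted or autobahn.
Both parsers are constructed stand-ins for the one behaviour the advisory
names: a byte-level parser that splits header lines on CRLF only, versus a
second stage that decodes to str and relies on str.splitlines(), which also
honours the six separator code points listed in the advisory.
"""
from typing import Dict, List, Tuple

# Code points str.splitlines() treats as line boundaries although a CRLF-only
# HTTP header parser does not (the list given in the advisory).
SPLITLINES_ONLY_SEPARATORS = ("\x0b", "\x0c", "\x1c", "\x1d", "\x1e", "\x85")


def parse_headers_crlf(raw: bytes) -> List[Tuple[str, str]]:
    """Stand-in for the first (byte-level) parser: a header line ends at CRLF
    only. Values are decoded as latin-1 so every byte, including the six
    separators above, survives unchanged inside a value."""
    headers: List[Tuple[str, str]] = []
    for line in raw.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # blank line or garbage, not a header
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return headers


def rebuild_request(headers: List[Tuple[str, str]]) -> str:
    """Re-serialise parsed pairs into a header block, as a front end does
    before handing the handshake to a second library."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers)


def parse_headers_splitlines(text: str) -> Dict[str, str]:
    """Stand-in for the second parser: str.splitlines() decides where a line
    ends, so a value embedding one of the six separators becomes two headers
    here although the first parser saw one."""
    parsed: Dict[str, str] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            parsed[name.strip().lower()] = value.strip()
    return parsed


def parse_headers_crlf_only(text: str) -> Dict[str, str]:
    """Hardened second stage: split on CRLF explicitly and refuse any value
    that still carries a character str.splitlines() would treat as a line
    boundary, so the two stages cannot disagree on the header count."""
    parsed: Dict[str, str] = {}
    for line in text.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        if any(c in value for c in SPLITLINES_ONLY_SEPARATORS + ("\r", "\n")):
            raise ValueError(f"line separator inside header value: {line!r}")
        parsed[name.strip().lower()] = value.strip()
    return parsed


def smuggle(separator: str) -> Tuple[int, int, bool]:
    """Constructed request whose single header value embeds `separator`
    followed by a second header text. Returns (headers seen by the CRLF
    parser, headers seen by the splitlines parser, whether the hardened
    parser rejected the rebuilt request)."""
    raw = f"X-Trace: abc{separator}X-Injected: 1\r\n\r\n".encode("latin-1")
    first = parse_headers_crlf(raw)
    rebuilt = rebuild_request(first)
    second = parse_headers_splitlines(rebuilt)
    try:
        parse_headers_crlf_only(rebuilt)
        rejected = False
    except ValueError:
        rejected = True
    return len(first), len(second), rejected


if __name__ == "__main__":
    for sep in SPLITLINES_ONLY_SEPARATORS:
        n_first, n_second, rejected = smuggle(sep)
        print(f"{sep!r}: CRLF parser={n_first} splitlines parser={n_second} "
              f"hardened rejects={rejected}")
    print(smuggle(" "))  # a plain space splits nothing: (1, 1, False)
```

Run as a script, each of the six separators gives (1, 2, True): one header in, two headers out of the splitlines stage, and a rejection from the hardened stage. The fix the example encodes is the general one for any two-stage pipeline: the second stage must use the same line-ending grammar as the first, and any header value that still contains a byte the looser grammar would split on is an error, not data.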
Debian CVE
added 2026/05/14 5:36 a.m.

CVE-2026-1322

Removed by vendor...

CVSS 8.1 | AI score 5.8 | EPSS 0.00311
Exploits: 0
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-25440

Malicious code in bioql PyPI...

CVSS 9.1 | AI score 9.1 | EPSS 0.00331
Exploits: 0 | References: 1
Prion
added 2023/11/03 5:15 a.m.

Code injection

An issue was discovered in phpFox before 4.8.14. The url request parameter passed to the /core/redirect route is not properly sanitized before being used in a call to the unserialize PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the...

CVSS 7.5 | AI score 9.5 | EPSS 0.01806
Exploits: 3 | References: 5 | Affected Software: 1
Packet Storm
added 2023/10/27 12:00 a.m.

phpFox 4.8.13 PHP Object Injection

-------------------------------------------------------------- phpFox <= 4.8.13 redirect PHP Object Injection Vulnerability -------------------------------------------------------------- - Software Link: https://www.phpfox.com - Affected Versions: Version 4.8.13 and prior versions. - Vulnerability...

AI score 7.1 | EPSS 0.01806
Exploits: 3
Cvelist
added 2021/07/27 5:38 a.m.

CVE-2021-36766

Concrete5 through 8.5.5 deserializes untrusted data. The vulnerable code is located within the controllers/singlepage/dashboard/system/environment/logging.php Logging::updatelogging method. User input passed through the logFile request parameter is not properly sanitized before being used in a ca...

AI score 7.4 | EPSS 0.0368
Exploits: 1 | References: 3
Packet Storm
added 2020/02/13 12:00 a.m.

SuiteCRM 7.11.11 Second-Order PHP Object Injection

--------------------------------------------------------------------- SuiteCRM <= 7.11.11 Second-Order PHP Object Injection Vulnerabilities --------------------------------------------------------------------- - Software Link: https://suitecrm.com/ - Affected Versions: Version 7.11.11 and prior...

AI score 8.9 | EPSS 0.02813
Exploits: 1
Veeam
added 2019/12/27 6:06 p.m.

Exploring VBO365 backups: Understanding Different Restore Scopes

Challenge You can explore backups in three different scopes: Backup Job , Organization , All organizations. Consider the following organizations added to the Veeam Backup for Microsoft 365 backup infrastructure; each of these organizations uses its own backup repository to store data: Organizatio...

AI score 6.8
Exploits: 0
Hacker One
added 2018/12/21 10:06 a.m.

Kaspersky: Unauthorized command execution in Web protection component of Anti-Virus products family

Summary: When no browser extension is installed, arbitrary webpages can take control of the Kaspersky command interface and, for example, disable parts of the functionality. Description: Without a browser extension (e.g. because the extension installation was not confirmed by the user, or it is unsupported, as in MS Edge)...

CVSS 4.3 | AI score 0.7 | EPSS 0.00844
Exploits: 0
seebug.org
added 2014/07/01 12:00 a.m.

CubeCart 5.2.0 (cubecart.class.php) PHP Object Injection Vulnerability

------------------------------------------------------------------------- CubeCart <= 5.2.0 cubecart.class.php PHP Object Injection Vulnerability ------------------------------------------------------------------------- - Software Link: http://www.cubecart.com/ -...

CVSS 7.5 | AI score 0.1 | EPSS 0.07086
Exploits: 6