CVE-2026-46383

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a...

CVE-2026-42155

Summary of CVE-2026-42155 (Magento OpenMage LTS): The issue affects OpenMage/magento-lts OpenMage LTS releases via the legacy API session ID generation in Mage_Api_Model_Session::start(), where the session ID is md5(time() . uniqid('', true) . (possibly null sessionName)). This yields very low en...

CVE-2026-2031

An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted HTTP requests to...

CVE-2026-46383 Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a...

EUVD-2026-30552

An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted HTTP requests to...

CVE-2026-2031

An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted HTTP requests to...

CVE-2026-2031

The CVE-2026-2031 entry describes an improper access control vulnerability in several internal API endpoints of Google Cloud Application Integration (prior to 2026-01-23). An unauthenticated remote attacker can disclose sensitive internal information and execute arbitrary code by sending speciall...

CVE-2026-2031 Google Cloud Application Integration: Exposed internal APIs allow Information Disclosure and Remote Code Execution.

An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary code using specially crafted HTTP requests to...

Malicious Package

Overview microsoft-applicationinsights-common is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization a...

PT-2026-41283

Permission control vulnerability in the app management and control module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...

SAP NetWeaver AS ABAP Code Injection (3735359)

The version of SAP NetWeaver AS ABAP detected on the remote host is affected by a code injection vulnerability as referenced in SAP Security Note 3735359: - A code injection vulnerability exists in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform. An authenticated attacker with low...

Open WebUI 安全漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.0 contained security vulnerabilities. These vulnerabilities stemmed from API keys sent via the x-api-key header, allowing bypass of endpoint restrictions and...

Open WebUI 安全漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.9.0 contained security vulnerabilities. These vulnerabilities stemmed from the ability for users to continue a conversation with another user through...

PT-2026-41369

phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craft URLs with unescaped quotes to inject event handlers, stealing admin session cookies and achieving...

MalwarePT: A Binary-Level Foundation Model for Malware Analysis

Automated malware analysis increasingly relies on machine learning, yet most existing methods remain task-specific and depend on handcrafted features or narrowly scoped models. Recent developments in binary-level foundation models suggest a path toward reusable program representations, but their...

PT-2026-41309

Name of the Vulnerable Software and Affected Versions Google Cloud Application Integration versions prior to 2026-01-23 Description Improper Access Control in several internal API endpoints allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitrary...

Google Cloud Application Integration 安全漏洞

Google Cloud Application Integration is a cloud-based integration platform offered by Google Inc., which supports cross-applicational connections, process orchestration, and API integration. Versions of Google Cloud Application Integration prior to version 2026-01-23 contained security...

SAP NetWeaver AS ABAP Reflected XSS (3728690)

The version of SAP NetWeaver AS ABAP detected on the remote host is affected by a reflected cross-site scripting XSS vulnerability as referenced in SAP Security Note 3728690: - A reflected cross-site scripting XSS vulnerability exists in SAP NetWeaver Application Server ABAP Applications based on...

CVE-2026-6811 PHP Stack Exhaustion

Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server...

Open WebUI's API key endpoint restrictions bypassed via `x-api-key` header — full message processing on restricted endpoints

Summary Open WebUI allows admins to restrict which API endpoints an API key can access. When an API key is restricted from /api/v1/messages, requests using the Authorization: Bearer sk-... header are correctly blocked with 403. However, the same key sent via the x-api-key header bypasses the...