192269 matches found

Vulnrichment, added 2026/03/23 6:39 p.m.

CVE-2026-33681 AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginRunDatabaseScript.json.php endpoint accepts a name parameter via POST and passes it to Plugin::getDatabaseFileName without any path traversal sanitization. This allows an authenticated admin or a...

CVSS 7.2, AI score 6, EPSS 0.00493. Exploits 1, References 2.
OSV, added 2026/03/23 6:39 p.m.

CVE-2026-33681 AVideo has Path Traversal in pluginRunDatabaseScript.json.php Enables Arbitrary SQL File Execution via Unsanitized Plugin Name

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginRunDatabaseScript.json.php endpoint accepts a name parameter via POST and passes it to Plugin::getDatabaseFileName without any path traversal sanitization. This allows an authenticated admin or a...

CVSS 7.2, AI score 6, EPSS 0.00493. Exploits 1, References 4.
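Both CVE-2026-33681 entries above describe the same flaw class: a plugin name read from a POST parameter is used to build a file path, and nothing stops that name from containing path separators or "..". The Go program below is an added example written for this page, not AVideo's code (AVideo is a PHP project). It assumes a hypothetical layout of `<pluginsDir>/<name>/install.sql` and shows the unchecked join next to a version that allowlists the name and then verifies that the resolved path still sits under the plugins directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// pluginNamePattern is an allowlist for plugin names. A plugin directory name
// never needs separators, dots or metacharacters, so anything outside this
// character set is rejected outright. (Assumed policy, not AVideo's.)
var pluginNamePattern = regexp.MustCompile(`^[A-Za-z0-9_]{1,64}$`)

var errBadPluginName = errors.New("plugin name rejected")

// unsafeDatabaseFile mirrors the flaw class: the caller-supplied name goes
// straight into the path, so "../" segments walk out of pluginsDir.
// Assumed layout: <pluginsDir>/<name>/install.sql.
func unsafeDatabaseFile(pluginsDir, name string) string {
	return filepath.Join(pluginsDir, name, "install.sql")
}

// safeDatabaseFile applies two independent checks: an allowlist on the raw
// name, and a containment check on the cleaned path. Either one blocks the
// plain "../" case; keeping both means a gap in one (an encoding the regexp
// author did not think of, a platform-specific separator) is caught by the other.
func safeDatabaseFile(pluginsDir, name string) (string, error) {
	if !pluginNamePattern.MatchString(name) {
		return "", fmt.Errorf("%w: %q does not match allowlist", errBadPluginName, name)
	}
	root := filepath.Clean(pluginsDir)
	full := filepath.Join(root, name, "install.sql") // Join also cleans the result
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q escapes %s", errBadPluginName, name, root)
	}
	return full, nil
}

func main() {
	// Constructed inputs: one legitimate name and three that should be refused.
	for _, n := range []string{"Gallery", "../../config", "Gallery/../../etc/passwd", "my plugin"} {
		fmt.Printf("unsafe: %s\n", unsafeDatabaseFile("/var/www/plugins", n))
		p, err := safeDatabaseFile("/var/www/plugins", n)
		fmt.Printf("safe:   %q err=%v\n", p, err)
	}
}
```

The containment check matters even with the allowlist in place: the pattern is the policy, but `filepath.Rel` is the proof that the path the code is about to open is where the policy says it is.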
Snyk, added 2026/03/23 6:16 p.m.

Replay Attack

Overview Affected versions of this package are vulnerable to Replay Attack via the TOTP authentication process. An attacker can bypass authentication controls by reusing a valid TOTP code within its validity window. Remediation Upgrade github.com/go-vikunja/vikunja/pkg/user to version 2.2.1 or...

CVSS 6.9, AI score 5.9, EPSS 0.00258. Exploits 1, References 3.
Snyk, added 2026/03/23 6:16 p.m.

Replay Attack

Overview Affected versions of this package are vulnerable to Replay Attack via the TOTP authentication process. An attacker can bypass authentication controls by reusing a valid TOTP code within its validity window. Remediation Upgrade code.vikunja.io/api/pkg/user to version 2.2.1 or higher...

CVSS 6.9, AI score 5.9, EPSS 0.00258. Exploits 1, References 3.
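The two Snyk entries above describe the same Vikunja issue under two module paths: a TOTP code that is correct for the current time step can be presented again, by whoever observed it, until that step expires. The Go program below is an added example and not Vikunja's code. It implements RFC 6238 code generation and a verifier that records, per user, the highest time step whose code has already been accepted, so that a replayed code is refused even though it still matches the secret. The secret and timestamp are the RFC 6238 test-vector values, used here as constructed input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

// RFC 6238 defaults: 30-second time step, 6-digit codes, HMAC-SHA1.
const (
	totpStep   = 30
	totpDigits = 1000000 // 10^6, i.e. six digits
)

// totpCode is the RFC 6238 code for secret at the given time step,
// using the RFC 4226 dynamic truncation of the HMAC.
func totpCode(secret []byte, step uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%totpDigits)
}

// totpVerifier remembers, per user, the highest time step whose code has been
// accepted. A code stays valid for its whole step (plus the skew window), so a
// verifier that only checks the code against the secret accepts the same code
// repeatedly until the step rolls over. That is the replay the advisory describes.
type totpVerifier struct {
	mu       sync.Mutex
	lastStep map[string]uint64
}

func newTOTPVerifier() *totpVerifier {
	return &totpVerifier{lastStep: make(map[string]uint64)}
}

// verify accepts a code for the current step or one step either side (clock
// skew), comparing in constant time, and then refuses any step at or below the
// last step already consumed for this user. A legitimate client that used the
// "+1" skew slot once will have to wait for the next step; that is the usual
// trade-off for one-time semantics.
func (v *totpVerifier) verify(user string, secret []byte, code string, now time.Time) bool {
	cur := uint64(now.Unix()) / totpStep
	v.mu.Lock()
	defer v.mu.Unlock()
	for d := int64(-1); d <= 1; d++ {
		step := uint64(int64(cur) + d)
		if subtle.ConstantTimeCompare([]byte(totpCode(secret, step)), []byte(code)) != 1 {
			continue
		}
		if last, seen := v.lastStep[user]; seen && step <= last {
			return false // correct code, but already spent: replay
		}
		v.lastStep[user] = step
		return true
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector secret (constructed input)
	v := newTOTPVerifier()
	now := time.Unix(59, 0) // step 1; RFC 6238 lists 287082 as the 6-digit code here
	code := totpCode(secret, uint64(now.Unix())/totpStep)
	fmt.Println("code:     ", code)
	fmt.Println("first use:", v.verify("alice", secret, code, now))
	fmt.Println("replay:   ", v.verify("alice", secret, code, now.Add(10*time.Second)))
}
```

The last-used step has to be stored wherever the user's TOTP secret is stored, not in process memory, or a replay against a second instance behind a load balancer still succeeds.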
Snyk, added 2026/03/23 6:16 p.m.

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication due to cache key confusion. An attacker can gain unauthorized access by using a token to prime the cache, and subsequently use the same token for rules that use a different introspection server. Note: This is onl...

CVSS 8.1, AI score 5.8, EPSS 0.00333. Exploits 0, References 3.
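The entry above describes a cache whose key is derived from the token alone, so an introspection result obtained from one server is served to rules bound to a different one. The Go program below is an added example, not code from the affected package: two constructed introspection servers with hypothetical URLs, a cache that can key either on the token alone or on (server, token), and a scenario that primes the cache through a rule bound to the first server and then reuses the same token against a rule bound to the second.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
)

// introspector stands in for one OAuth2 token-introspection endpoint
// (RFC 7662): it reports whether a token is active and for which subject.
type introspector func(token string) (subject string, active bool)

// newServer builds a constructed introspector that only knows the given tokens.
func newServer(valid map[string]string) introspector {
	return func(token string) (string, bool) {
		subj, ok := valid[token]
		return subj, ok
	}
}

type result struct {
	subject string
	active  bool
}

// authCache caches introspection results. With perServer=false the key is the
// token alone, which reproduces the confusion in the advisory: whichever server
// answered first decides for every rule that later sees the same token.
type authCache struct {
	mu        sync.Mutex
	perServer bool
	entries   map[string]result
}

func newAuthCache(perServer bool) *authCache {
	return &authCache{perServer: perServer, entries: make(map[string]result)}
}

// key hashes the token (and, when perServer is set, the server identity with a
// NUL separator) so the raw bearer token is never held as a map key.
func (c *authCache) key(server, token string) string {
	h := sha256.New()
	if c.perServer {
		h.Write([]byte(server))
		h.Write([]byte{0})
	}
	h.Write([]byte(token))
	return hex.EncodeToString(h.Sum(nil))
}

// authorize evaluates a rule bound to server, consulting the cache first and
// only calling the backend on a miss.
func (c *authCache) authorize(server string, backend introspector, token string) bool {
	k := c.key(server, token)
	c.mu.Lock()
	defer c.mu.Unlock()
	if r, ok := c.entries[k]; ok {
		return r.active
	}
	subj, active := backend(token)
	c.entries[k] = result{subject: subj, active: active}
	return active
}

// scenario primes the cache with a token that server A accepts, then presents
// the same token to a rule bound to server B, which does not know it.
// It returns (accepted by A's rule, accepted by B's rule).
func scenario(perServer bool) (bool, bool) {
	const serverA = "https://idp-a.example/introspect" // hypothetical
	const serverB = "https://idp-b.example/introspect" // hypothetical
	backendA := newServer(map[string]string{"tok-A": "alice"})
	backendB := newServer(map[string]string{"tok-B": "bob"})
	c := newAuthCache(perServer)
	primed := c.authorize(serverA, backendA, "tok-A")
	cross := c.authorize(serverB, backendB, "tok-A")
	return primed, cross
}

func main() {
	for _, per := range []bool{false, true} {
		a, b := scenario(per)
		fmt.Printf("perServer=%v: ruleA=%v ruleB=%v\n", per, a, b)
	}
}
```

The same reasoning applies to any other input that changes the meaning of the answer (required scopes, audience, the rule's own identity): if it is not part of the key, the cache will happily hand one rule's verdict to another.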
OSV, added 2026/03/23 6:16 p.m.

GO-2026-4792 Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration in github.com/traefik/traefik

Traefik Affected by BasicAuth Middleware Timing Attack Allows Username Enumeration in github.com/traefik/traefik...

CVSS 6.3, AI score 5.8, EPSS 0.00385. Exploits 0, References 5.
OSV, added 2026/03/23 6:14 p.m.

GO-2026-4769 Juju affected by timing ownership claim attack on new external back-end secrets in github.com/juju/juju

Juju affected by timing ownership claim attack on new external back-end secrets in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

CVSS 5.3, AI score 5.8, EPSS 0.00233. Exploits 0, References 2.
Wiz blog, added 2026/03/23 5:38 p.m.

KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack

Checkmarx KICS scanner is the latest victim of a credential-stealing supply chain attack by TeamPCP. Between 12:58–16:50 UTC on March 23, 35 tags were hijacked. Learn how to audit your workflows, identify malicious activity, and secure your GitHub Actions...

AI score 5.8. Exploits 0.
CVE, added 2026/03/23 4:55 p.m.

CVE-2026-4593

CVE-2026-4593 describes a SQL injection in the EruptDataQuery function (erupt-ai/src/main/java/xyz/erupt/ai/call/impl/EruptDataQuery.java) within the MCP Tool Interface of erupts erupt up to 1.13.3. The flaw can be triggered remotely via a crafted input, with the ...

CVSS 6.5, AI score 5.4, EPSS 0.00192. Exploits 0, References 4.
Wiz blog, added 2026/03/23 4:46 p.m.

Introducing the Wiz Red Agent: AI-Powered Attacker

Red Agent is an AI-powered, context-aware attacker that uncovers complex exploitable risks across your entire attack surface, continuously and at scale...

AI score 5.8. Exploits 0.
GithubExploit, added 2026/03/23 4:35 p.m.

TGT2Admin-

🎭 RBCDExploit - Resource-Based Constrained Delegation Attack...

AI score 6. Exploits 0.
NVD, added 2026/03/23 4:16 p.m.

CVE-2026-4592

A security vulnerability has been detected in kalcaddle kodbox 1.64. This impacts the function loginAfter/tfaVerify of the file /workspace/source-code/plugins/client/controller/tfa/index.class.php of the component Password Login. The manipulation leads to improper authentication. The attack is...

CVSS 6.3, EPSS 0.00348. Exploits 0, References 4.
Microsoft Secure, added 2026/03/23 4:00 p.m.

Case study: How predictive shielding in Defender stopped GPO-based ransomware before it started

In this article 1. The growing threat: GPO abuse in ransomware operations 2. The incident 3. The results 4. The hardening dilemma: Why threat actors love operational mechanisms 5. Predictive shielding: Contextual, just-in-time hardening 6. Closing the gap 7. References Summary Microsoft Defender...

AI score 6.2. Exploits 0.
CVE, added 2026/03/23 3:56 p.m.

CVE-2026-4592

CVE-2026-4592 affects kalcaddle kodbox 1.64. The vulnerability resides in the loginAfter/tfaVerify path of /workspace/source-code/plugins/client/controller/tfa/index.class.php within the Password Login component, enabling improper authentication. It is reported as remotely exploitable with high a...

CVSS 6.3, AI score 5.1, EPSS 0.00348. Exploits 0, References 4.
Vulnrichment, added 2026/03/23 2:12 p.m.

CVE-2026-33483 AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data...

CVSS 7.5, AI score 6, EPSS 0.00605. Exploits 1, References 2.
ATTACKERKB, added 2026/03/23 2:05 p.m.

CVE-2026-33479

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSR...

CVSS 8.8, AI score 6.3, EPSS 0.00531. Exploits 1, References 3, Affected Software 1.
Vulnrichment, added 2026/03/23 2:05 p.m.

CVE-2026-33479 AVideo has PHP Code Injection via eval() in Gallery saveSort.json.php Exploitable Through CSRF Against Admin

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Gallery plugin's saveSort.json.php endpoint passes unsanitized user input from $_REQUEST['sections'] array values directly into PHP's eval function. While the endpoint is gated behind User::isAdmin, it has no CSR...

CVSS 8.8, AI score 6.3, EPSS 0.00531. Exploits 1, References 2.
IBM Security Bulletins, added 2026/03/23 1:59 p.m.

Security Bulletin: Security vulnerability in Python affects IBM Robotic Process Automation

Summary A security vulnerability in Python affects IBM Robotic Process Automation. Python is used by IBM Robotic Process Automation as part of its deployment. This bulletin identifies the fixes required to resolve the vulnerabilities. Vulnerability Details CVEID: CVE-2025-68146 DESCRIPTION: filelo...

CVSS 6.5, AI score 7.4, EPSS 0.00184. Exploits 1, Affected Software 1.
CVE, added 2026/03/23 1:48 p.m.

CVE-2019-25625

CVE-2019-25625 affects Blob Studio 2.17. The vulnerability is a denial of service caused by reading malformed input through the key-entry mechanism, where a crafted text file with a large buffer of repeated characters can cause the application to crash or become unresponsive. Impact described as ...

CVSS 6.9, AI score 6, EPSS 0.00174. Exploits 1, References 4, Affected Software 1.
Vulnrichment, added 2026/03/23 1:48 p.m.

CVE-2019-25625 Blob Studio 2.17 Denial of Service via Malformed Input

Blob Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Attackers can create a text file with a large buffer of repeated characters and trigger the application to read it, causin...

CVSS 6.9, AI score 6, EPSS 0.00174. Exploits 1, References 4.