New ClickFix attack Hides in Native Windows Tools to Reduce Detection Risk

Fake CAPTCHA ClickFix attack tricks users into running malicious commands, using cmdkey and regsvr32 to maintain persistence and avoid detection on Windows...

CVE-2026-6966 Signature Threshold Bypass in awslabs/tough Delegated Roles

Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold requirement by duplicating a valid signature, causing the client to accept forged delegated role...

EUVD-2026-25610

Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208,...

CVE-2026-41244

Affected software: Mojic CLI tool. Issue: CipherEngine uses a standard equality operator (!==) to verify the HMAC-SHA256 integrity seal during decryption, causing an observable timing discrepancy (CWE-208). Impact: potential attacker could bypass the file integrity check via a timing attack. Stat...

CVE-2026-41244 Mojic: Observable Timing Discrepancy in HMAC Verification

Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208,...

CVE-2026-41244

Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208,...

CVE-2026-41244 Mojic: Observable Timing Discrepancy in HMAC Verification

Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208,...

CVE-2026-41316

A flaw was found in ERB, a templating system for Ruby. An attacker who can trigger deserialization of untrusted data in a Ruby application can bypass existing protections. This vulnerability allows for arbitrary code execution by exploiting specific public methods that evaluate template source...

CVE-2026-4313

AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request. Improper parameter validation by the server results in arbitrary JavaScript execution in the victim's browser. Critically, this...

Timing Attack

Bouncy Castle is vulnerable to Timing Attack. The vulnerability is due to timing discrepancies in cryptographic operations within the FrodoEngine component, which allows an attacker to infer sensitive information through timing analysis...

Exploit for Use of Less Trusted Source in Meshtastic Meshtastic_Firmware

Stopping Meshtastic from-field spoof attacks — shape-detecti...

EUVD-2026-25386

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS.press.api.account.createapisecret is prone to CSRF-like exploits. This endpoint writes to database and it is also accessible via GET method. The patch in commit...

GHSA-7HRG-5W46-5R2X Duplicate Advisory: OpenClaw: Slack thread context could include messages from non-allowlisted senders

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qm77-8qjp-4vcm. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages ...

PT-2026-35067

Name of the Vulnerable Software and Affected Versions Mojic versions prior to 2.1.4 Description The CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy, which is a situation where th...

Joern 4.0.527

Joern is the bug hunter's workbench. With this tool, you can uncover attack surface, sloppy coding practices, and variants of known vulnerabilities using an interactive code analysis shell. Joern supports C, C++, LLVM bitcode, x86 binaries via Ghidra, JVM bytecode via Soot, and Javascript...

PT-2026-35643

Name of the Vulnerable Software and Affected Versions LiteLLM versions 1.81.16 through 1.83.6 Description An unauthenticated SQL injection exists in the proxy API key verification process. The issue occurs because a database query mixed caller-supplied key values directly into the query text...

PT-2026-35050

Name of the Vulnerable Software and Affected Versions Axios versions prior to 1.15.1 Axios versions prior to 0.31.1 Description The library is susceptible to a Prototype Pollution Gadget attack. This occurs because the validateStatus configuration property utilizes the mergeDirectKeys merge...

CVE-2026-30368

A client-side authorization flaw in Lightspeed Classroom v5.1.2.1763770643 allows unauthenticated attackers to impersonate users by bypassing integrity checks and abusing client-generated authorization tokens, leading to unauthorized control and monitoring of student devices...

EUVD-2026-25423

An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to cause a denial of service via the Client Balance component...

D-Link DWM-222W USB Wi-Fi Adapter 安全漏洞

The D-Link DWM-222W USB Wi-Fi Adapter is a USB wireless modem from D-Link Corporation. It supports 4G LTE network connections. There is a security vulnerability in the D-Link DWM-222W USB Wi-Fi Adapter. This vulnerability stems from a bypass of brute-force password protection, allowing...