192242 matches found

Positive Technologies
added 2026/03/15 12:0 a.m. · 7 views

PT-2026-25549

A vulnerability was determined in Aureus ERP up to 1.3.0-BETA2. The affected element is an unknown function of the file plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php of the component Chatter Message Handler. Executing a manipulation of...

5.1 CVSS · 4 AI score · 0.00254 EPSS
Exploits 0 · References 11

Positive Technologies
added 2026/03/15 12:0 a.m. · 16 views

PT-2026-25544

Name of the Vulnerable Software and Affected Versions: Totolink A7100RU version 7.4cu.2313 b20191024. Description: A weakness exists in the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi. Manipulation of the mode argument can lead to operating system command injection. This attack can be...

7.5 CVSS · 7 AI score · 0.0114 EPSS
Exploits 0 · References 10

Tenable Nessus
added 2026/03/15 12:0 a.m. · 4 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: pcs (UTSA-2026-006185)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006185 advisory. Tornado is a Python web framework and asynchronous networking library. When Tornado's multipart/form-data parser encounters certain errors, it logs a warning but...

7.5 CVSS · 5.9 AI score · 0.00636 EPSS
Exploits 0 · References 4

ATTACKERKB
added 2026/03/14 10:32 p.m. · 4 views

CVE-2026-4163

A vulnerability was detected in Wavlink WL-WN579A3 220323. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The exploit...

10 CVSS · 5.7 AI score · 0.02103 EPSS
Exploits 0 · References 7 · Affected Software 1

GithubExploit
added 2026/03/14 10:4 p.m. · 189 views

Exploit for CVE-2026-31802

CVE-2026-31802: tar Symlink Path Traversal / Arbitrary File Ov...

8.2 CVSS · 5.8 AI score · 0.00253 EPSS
Exploits 4

Snyk
added 2026/03/14 10:0 p.m. · 4 views

Malicious Package

Overview: @iflow-mcp/watercrawl-watercrawl-mcp is a malicious package. This package was affected by the 'GlassWorm' supply chain attack. It includes a hidden malicious payload embedded with invisible Unicode characters. These characters hide a decoder that retrieves and executes a concealed payloa...

9.8 CVSS · 5.8 AI score
Exploits 0 · References 2

Snyk
added 2026/03/14 10:0 p.m. · 2 views

Malicious Package

Overview: @aifabrix/miso-client is a malicious package. This package was affected by the 'GlassWorm' supply chain attack. It includes a hidden malicious payload embedded with invisible Unicode characters. These characters hide a decoder that retrieves and executes a concealed payload through eval...

9.8 CVSS · 5.8 AI score
Exploits 0 · References 2

GithubExploit
added 2026/03/14 7:47 p.m. · 162 views

Wa3r-OffSec-Kit

Waer's Cybersecurity Knowledge Base 50+ documents · 2...

6 AI score
Exploits 0

The Hacker News
added 2026/03/14 12:55 p.m. · 8 views

GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers

Cybersecurity researchers have flagged a new iteration of the GlassWorm campaign that they say represents a "significant escalation" in how it propagates through the Open VSX registry. "Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing...

6 AI score
Exploits 0

Packet Storm News
added 2026/03/14 12:0 a.m. · 1 views

Experimental Evaluation of Security Attacks on Self-Driving Car Platforms

Deep learning-based perception pipelines in autonomous ground vehicles are vulnerable to both adversarial manipulation and network-layer disruption. We present a systematic, on-hardware experimental evaluation of five attack classes: FGSM, PGD, man-in-the-middle (MitM), denial-of-service (DoS), and...

5.8 AI score
Exploits 0

Tenable Nessus
added 2026/03/14 12:0 a.m. · 2 views

SUSE SLED15 / SLES15 Security Update : dnsdist (SUSE-SU-2026:0888-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0888-1 advisory. Update to dnsdist 1.9.11: - CVE-2025-8671: Add mitigations for the HTTP/2 MadeYouReset attack (bsc#1253852). -...

7.5 CVSS · 5.9 AI score · 0.04604 EPSS
Exploits 3 · References 8

OSV
added 2026/03/13 9:41 p.m. · 4 views

CVE-2026-32729 Runtipi has a TOTP two-factor authentication bypass via unrestricted brute-force on `/api/auth/verify-totp`

Runtipi is a personal homeserver orchestrator. Prior to 4.8.1, the Runtipi /api/auth/verify-totp endpoint does not enforce any rate limiting, attempt counting, or account lockout mechanism. An attacker who has obtained a user's valid credentials via phishing, credential stuffing, or data breach c...

8.1 CVSS · 5.9 AI score · 0.0034 EPSS
Exploits 1 · References 3

EUVD
added 2026/03/13 9:31 p.m. · 7 views

EUVD-2025-208665

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.72, 6.2.0.0 through 6.2.0.51, and 6.2.1.0 through 6.2.1.11 are vulnerable to SQL injection. An administrative user could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or...

6.5 CVSS · 5.9 AI score · 0.00314 EPSS
Exploits 0 · References 2

ATTACKERKB
added 2026/03/13 9:17 p.m. · 2 views

CVE-2026-32706

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the crsfrc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsfrc is enabled on a CRSF serial port, an...

7.1 CVSS · 6 AI score · 0.00309 EPSS
Exploits 1 · References 2 · Affected Software 1

ATTACKERKB
added 2026/03/13 9:12 p.m. · 2 views

CVE-2026-32616

Pigeon is a message board/notepad/social system/blog. Prior to 1.0.201, the application uses $_SERVER['HTTP_HOST'] without validation to construct email verification URLs in the register and resendmail flows. An attacker can manipulate the Host header in the HTTP request, causing the verification lin...

8.2 CVSS · 5.8 AI score · 0.00207 EPSS
Exploits 0 · References 3 · Affected Software 1

CVE
added 2026/03/13 9:9 p.m. · 8 views

CVE-2026-32702

Cleanuparr (the tool for cleaning blocked files in Sonarr/Radarr and clients like qBittorrent) contains a timing-based username enumeration flaw in the /api/auth/login endpoint from versions 2.7.0–2.8.0. The vulnerability arises because the password hash computation in VerifyPassword executes onl...

6.9 CVSS · 5.9 AI score · 0.00321 EPSS
Exploits 1 · References 1 · Affected Software 1

Vulnrichment
added 2026/03/13 9:9 p.m. · 1 views

CVE-2026-32702 Cleanuparr has Username Enumeration via Timing Attack

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by...

6.9 CVSS · 5.9 AI score · 0.00321 EPSS
Exploits 1 · References 1

Cvelist
added 2026/03/13 9:9 p.m. · 33 views

CVE-2026-32702 Cleanuparr has Username Enumeration via Timing Attack

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by...

6.9 CVSS · 0.00321 EPSS
Exploits 1 · References 1

ATTACKERKB
added 2026/03/13 9:9 p.m. · 2 views

CVE-2026-32702

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by...

6.9 CVSS · 5.9 AI score · 0.00321 EPSS
Exploits 1 · References 2 · Affected Software 1

OSV
added 2026/03/13 9:9 p.m. · 5 views

CVE-2026-32702 Cleanuparr has Username Enumeration via Timing Attack

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. From 2.7.0 to 2.8.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by...

6.9 CVSS · 5.9 AI score · 0.00321 EPSS
Exploits 1 · References 3