6465 matches found
Timing Attack
Overview: org.webjars.npm:h3 is a minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Timing Attack via the requireBasicAuth function. An attacker can recover valid authentication credentials by measuring response times and deducin...
Security update for the Linux Kernel
The SUSE Linux Enterprise 15 SP3 kernel was updated to fix various security issues. The following security issues were fixed: CVE-2023-53794: cifs: fix session state check in reconnect to avoid use-after-free issue bsc1255163. CVE-2023-53827: Bluetooth: L2CAP: Fix use-after-free in...
Malicious code in @uc-platform/auth (npm)
Source: amazon-inspector (d75a6973fdd9ccfacf68c5e22e999a1e58cbac23ab40c5e3a1a751beeca3e35d). The package @uc-platform/auth was found to contain malicious code...
MAL-2026-1640 Malicious code in @uc-platform/auth (npm)
Source: amazon-inspector (d75a6973fdd9ccfacf68c5e22e999a1e58cbac23ab40c5e3a1a751beeca3e35d). The package @uc-platform/auth was found to contain malicious code...
cbs-sentry-dingding (=1.0.24), cbs-sentry-qyweixin (=1.0.1) +47 more potentially affected by CVE-2026-26004 via sentry (=20.8.0)
sentry PYPI version =20.8.0 is affected by a known vulnerability. The following packages have a transitive dependency on sentry and may be impacted: - cbs-sentry-dingding =1.0.24 - cbs-sentry-qyweixin =1.0.1 - csnp =0.0.5, =1.0.0, =0.2.4, =1.0.0, =0.1.0, =0.4.0, =0.1.0, =0.2.0 and more Source cve...
Parse Server affected by empty authData bypassing credential requirement on signup
Impact: A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. Patches: The fix ensures that empty o...
GHSA-WJQW-R9X4-J59V Parse Server affected by empty authData bypassing credential requirement on signup
Impact: A user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. Patches: The fix ensures that empty o...
OPENSUSE-SU-2026:20374-1 Security update for krb5-appl
This update for krb5-appl fixes the following issues: Changes in krb5-appl: - CVE-2026-32746: Remote Pre-Auth Buffer Overflow in GNU Inetutils telnetd LINEMODE bsc1259691...
PT-2026-25999
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.29 and 8.6.49, a user can sign up without providing credentials by sending an empty authData object, bypassing the username and password requirement. This allows the creati...
Incorrect Authorization
Overview: Affected versions of this package are vulnerable to Incorrect Authorization through the WebSocket session handling in kernel/util/websocket.go. An attacker can connect to the /ws endpoint and receive real-time document metadata and activity events by using the special id=auth WebSocket...
USN-8099-1 curl vulnerabilities
Zhicheng Chen discovered that curl could incorrectly reuse the wrong connection for Negotiate-authenticated HTTP or HTTPS requests. This could result in the use of credentials from a different connection, contrary to expectations. This issue only affected Ubuntu 20.04 LTS. CVE-2026-1965 It was...
@studiocms/migrator (>=0.1.0 <=0.2.1), @withstudiocms/auth-kit (>=0.1.0 <=0.1.3) +2 more potentially affected by CVE-2026-32638 via @withstudiocms/effect (>=0.1.0-beta.1 <=0.3.0)
@withstudiocms/effect NPM version =0.1.0-beta.1, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.3.0 Source cves: CVE-2026-32638 Source advisory: SNYK:JS-WITHSTUDIOCMSEFFECT-15682415...
CVE-2026-22545
Mattermost versions 10.11.x = 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider. Mattermost Advisory ID:...
CVE-2026-22545 Password Change Bypass via Auth Switch Endpoint
Mattermost versions 10.11.x = 10.11.10 fail to validate user's authentication method when processing account auth type switch which allows an authenticated attacker to change account password without confirmation via falsely claiming a different auth provider. Mattermost Advisory ID:...
CVE-2026-4218
A vulnerability was detected in myAEDES App up to 1.18.4 on Android. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Performing a manipulation of the argument AUTHKEY results in information disclosure. The attack is only possible...
CVE-2026-3839
Unraid Authentication Request Path Traversal Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Unraid. Authentication is not required to exploit this vulnerability. The specific flaw exists within the...
CVE-2026-4218 myAEDES App aedes.me.beta EngageBayUtils.java information disclosure
A vulnerability was detected in myAEDES App up to 1.18.4 on Android. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Performing a manipulation of the argument AUTHKEY results in information disclosure. The attack is only possible...