CVE-2026-4218 myAEDES App aedes.me.beta EngageBayUtils.java information disclosure
A vulnerability was detected in myAEDES App up to 1.18.4 on Android. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Performing a manipulation of the argument AUTHKEY results in information disclosure. The attack is only possible...
PT-2026-25757
Mattermost fails to validate user's authentication method when processing account auth type switch in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is...
Unraid path traversal vulnerability
Unraid is a set of operating systems developed by Unraid Corporation, primarily intended for individuals and small businesses. Unraid has a path traversal vulnerability; this issue stems from the lack of validation for the paths provided by users in the auth-request.php file, which may lead to pa...
PT-2026-25615
A vulnerability was detected in myAEDES App up to 1.18.4 on Android. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Performing a manipulation of the argument AUTH KEY results in information disclosure. The attack is only possibl...
CVE-2016-20030 ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction
ZKTeco ZKBioSecurity 3.0 contains a user enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by submitting partial characters via the username parameter. Attackers can send requests to the authLoginAction!login.do script with varying username inputs to...
Malicious code in @3stripes/auth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 152509a4bd82adf6364c22476faa63746b5ddc6649dd64a7fdf96ff5e67ebc13 The package @3stripes/auth was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-1425 Malicious code in @3stripes/auth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 152509a4bd82adf6364c22476faa63746b5ddc6649dd64a7fdf96ff5e67ebc13 The package @3stripes/auth was found to contain malicious code. Source: ossf-package-analysis...
evennia (>=1.0.0 <=6.0.0), fastapi-casbin-auth (>=1.3.0 <=1.5.0) +6 more potentially affected by CVE-2026-32640 via simpleeval (>=1.0.0 <=1.0.4)
simpleeval PYPI version =1.0.0, =1.0.0, =1.3.0, =2.8.0, =3.2.0, =1.0.0, =0.53.6, =0.54.0a10 Source cves: CVE-2026-32640 Source advisory: SNYK:PYTHON-SIMPLEEVAL-15610288...
OpenClaw: Zalo webhook rate limiting could be bypassed before secret validation
Summary The Zalo webhook handler applied request rate limiting only after webhook authentication succeeded. Requests with an invalid secret returned 401 but did not count against the rate limiter, allowing repeated secret guesses without triggering 429. Impact This made brute-force guessing...
CVE-2026-3839
Unraid Authentication Request Path Traversal Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Unraid. Authentication is not required to exploit this vulnerability. The specific flaw exists within the...
CVE-2026-3839 Unraid Authentication Request Path Traversal Authentication Bypass Vulnerability
Unraid Authentication Request Path Traversal Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Unraid. Authentication is not required to exploit this vulnerability. The specific flaw exists within the...
xmlseclibs: Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption
Summary XML nodes encrypted with either aes-128-gcm, aes-192-gcm, or aes-256-gcm lack validation of the authentication tag length. An attacker can use this to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also allows to forge arbitrary ciphertexts...
DEBIAN-CVE-2026-23943
Improper Handling of Highly Compressed Data Compression Bomb vulnerability in Erlang OTP ssh sshtransport modules allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication...
CVE-2026-23943 Pre-auth SSH DoS via unbounded zlib inflate
Improper Handling of Highly Compressed Data Compression Bomb vulnerability in Erlang OTP ssh sshtransport modules allows Denial of Service via Resource Depletion. The SSH transport layer advertises legacy zlib compression by default and inflates attacker-controlled payloads pre-authentication...
Malicious Package
Overview whatsapp-core-auth-drzak is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
Malicious code in dell-internal-auth-drzak (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cbfacc6ee81634bba390c5b27b3d5257f8b0d2148e93978085136c337d158ab6 The package dell-internal-auth-drzak was found to contain malicious code. Source: ghsa-malware...
CVE-2026-32236
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery SSRF vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial clientid...
EUVD-2026-11619
A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. Executing a manipulation of the argument ldapemail can lead to observable response discrepancy. The attack can be executed remotely. A high complexity level is associated with...
CVE-2026-4045
A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. Executing a manipulation of the argument ldapemail can lead to observable response discrepancy. The attack can be executed remotely. A high complexity level is associated with...
CVE-2026-4045
CVE-2026-4045 affects projectsend up to r1945, specifically an issue in includes/Classes/Auth.php where manipulating the ldap_email argument can cause an observable response discrepancy. The attack can be executed remotely with high complexity and is reported as a low-severity (CVSS ~3.7) issue, with ex...