Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *

Summary The SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a...

EUVD-2026-28400

The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization...

EUVD-2026-26081

The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials...

CVE-2026-41266 Flowise: Sensitive Data Leak in public-chatbotConfig

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, /api/v1/public-chatbotConfig/:id ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just...

GHSA-3J3Q-WP9X-585P kcp's cache server is accessible without authentication or authorization checks

Summary The cache server is directly exposed by the root shard and has no authentication or authorization in place. This allows anyone who can access the root shard to read and write to the cache server. Details The cache server is routed in the pre-mux chain in the shard code. The...

CVE-2026-23767

ESC/POS, a printer control language designed by Seiko Epson Corporation, lacks mechanisms for user authentication and command authorization, does not provide controls to restrict sources or destinations of network communication, and transmits commands without encryption or integrity protection...

PT-2022-3089 · Motorola · Motorola Moscad +1

Name of the Vulnerable Software and Affected Versions: Motorola MOSCAD and ACE line of RTUs through 2022-05-02 Description: The issue concerns the omission of an authentication requirement in the Motorola MOSCAD and ACE line of RTUs. These devices feature IP Gateway modules that allow for...

PT-2022-10288 · Atune · Atune

Name of the Vulnerable Software and Affected Versions: atune versions prior to 0.3-0.8 Description: The issue allows an attacker to escalate local privileges or modify any file by accessing the local atune URL interface. This can be achieved by logging in as a local user and running a curl comman...

CVE-2020-17473

Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.020190723 allows an attacker to obtain a long-lasting token by impersonating the server...