ZKTeco BioTime <= 9.0.1 - Privilege Escalation
BioTime's default employee credentials (password 123456) allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files. id: CVE-2023-38952 info: name: ZKTeco BioTime <= 9.0.1 - Privilege Escalation author: riteshs4hu severity: high...
CVE-2026-43634
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's...
The Governance Gap: How the EU AI Act Makes API Security a Compliance Imperative
Your legal team just handed you a 400-page document and said "figure out compliance." The EU AI Act is live, and your organization falls under its scope, which is broader than many expect. Even non-EU companies must comply if their AI systems are used, deployed, or produce effects within the European...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the cloudstore.file.upload action. An attacker can write arbitrary files to the filesystem and potentially execute code by supplying crafted filenames that exploit path traversal and zip slip vulnerabilities...
CVE-2026-32029
OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header...
Identity Prioritization isn't a Backlog Problem - It's a Risk Math Problem
Most identity programs still prioritize work the way they prioritize IT tickets: by volume, loudness, or “what failed a control check.” That approach breaks the moment your environment stops being mostly-human and mostly-onboarded. In modern enterprises, identity risk is created by a compound of...
EUVD-2018-0942
Malware in sbrugna...
EUVD-2019-10217
Malware in sbrugna...
EUVD-2019-10219
Malware in sbrugna...
EUVD-2006-0729
Malware in sbrugna...
EUVD-2023-44947
Malicious code in bioql PyPI...
EUVD-2021-7996
Malicious code in bioql PyPI...
EUVD-2023-50881
Malicious code in bioql PyPI...
EUVD-2025-16047
Malicious code in bioql PyPI...
EUVD-2024-35893
Malicious code in bioql PyPI...
EUVD-2025-22739
Malicious code in bioql PyPI...
Mars: Publicly accessible `█████████` endpoint exposing internal user identifiers and email addresses
A publicly accessible JSON API endpoint was found to expose sensitive user information, including internal identifiers and email addresses. The vulnerability was classified as an information disclosure issue with a medium severity rating. The problem was remediated by implementing proper...
PT-2025-30921 · Iroad · Iroad Dash Cam Fx2
Name of the Vulnerable Software and Affected Versions: IROAD Dashcam FX2 (affected versions not specified). Description: The IROAD Dashcam FX2 lacks authentication controls on its HTTP and RTSP interfaces, potentially allowing attackers to retrieve sensitive files and video recordings, and view live...