64 matches found
EUVD-2026-43636
Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 Web Console and org.eclipse.kura.rest.provider REST API components use this header as the primary IP sour...
CVE-2026-9561
Eclipse Kura versions prior to 5.6.2 trust the client-supplied X-Forwarded-For HTTP header as the authoritative source of the client IP address in audit log entries. The org.eclipse.kura.web2 Web Console and org.eclipse.kura.rest.provider REST API components use this header as the primary IP sour...
CVE-2026-57942 LibreTranslate - IP Spoofing via X-Forwarded-For Header
LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the getremoteaddress function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attacker...
CVE-2026-10552 Blue Captcha <= 2.0.1 - Cross-Site Request Forgery via 'blcap_action' Parameter
The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel blcapmainpage and on the Hall of Shame and Log subpages, which accept a 'blcapaction' / 'action'...
CVE-2026-47203
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on SSO for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates via Basic Auth i.e via the Authorization header with the Basic scheme on t...
CVE-2026-31019
In the Website module of Dolibarr ERP & CRM 22.0.4 and below, the application uses blacklist-based filtering to restrict dangerous PHP functions related to system command execution. An authenticated user with permission to edit PHP content can bypass this filtering, resulting in full remote code...
CVE-2026-48692
A flaw was found in FastNetMon Community Edition. The gRPC API server, exposed on port 50052, operates without any authentication mechanism. A remote attacker with local network access can exploit this vulnerability to ban arbitrary IP addresses, resulting in a denial of service for legitimate...
CVE-2026-48692
FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials src/fastnetmon.cpp line 477 and a source code comment explicitly acknowledges 'Listen on the given address without an...
CVE-2026-48692
FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials src/fastnetmon.cpp line 477 and a source code comment explicitly acknowledges 'Listen on the given address without an...
CVE-2026-48692
FastNetMon Community Edition through 1.2.9 exposes a gRPC API server on port 50052 with no authentication mechanism. The server is initialized with grpc::InsecureServerCredentials src/fastnetmon.cpp line 477 and a source code comment explicitly acknowledges 'Listen on the given address without an...
Blocking children from social media is a badly executed good idea
While we can probably all agree that there is more than enough proof that social media is bad for the mental health of our children, the methods we are trying to block or ban them seem to do more harm than good. Across the world, lawmakers are tripping over each other to be seen “doing something”...
CVE-2026-34362 AVideo's WebSocket Token Never Expires Due to Commented-Out Timeout Validation in verifyTokenSocket()
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the verifyTokenSocket function in plugin/YPTSocket/functions.php has its token timeout validation commented out, causing WebSocket tokens to never expire despite being generated with a 12-hour timeout. This allows...
Calibre 访问控制错误漏洞
Calibre is an open-source, free tool developed by Kovid Goyal, a personal developer from India. It serves as a comprehensive e-book reading management and format conversion tool. Versions of Calibre prior to 9.4.0 contained a access control error vulnerability. This vulnerability stemmed from a...
Regulators around the world are scrutinizing Grok over sexual deepfakes
Grok’s failure to block sexualized images of minors has turned a single “isolated lapse” into a global regulatory stress test for xAI’s ambitions. The response from lawmakers and regulators suggests this will not be solved with a quick apology and a hotfix. Last week we reported on Grok's apology...
EUVD-2022-45067
Malicious code in bioql PyPI...
U.S. House Bans WhatsApp on Official Devices Over Security and Data Protection Issues
The U.S. House of Representatives has formally banned congressional staff members from using WhatsApp on government-issued devices, citing security concerns. The development was first reported by Axios. The decision, according to the House Chief Administrative Officer CAO, was motivated by worrie...
CVE-2022-41961
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered...
Malicious code in client-req-bans (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware e7b540646327a4a8326c496059737e3bb81af664a3c51951c1a4caeb0e265496 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SourceBans++ 安全漏洞
SourceBans++ is a global administration, banning and communication management system for the Source engine by the SourceBans++ Dev team. A security vulnerability exists in SourceBans++ versions prior to v.1.8.0. A remote attacker can exploit this vulnerability to obtain sensitive information via ...
MAL-2024-10278 Malicious code in req-bans (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 891a9d8d6df58ad3743a6ec2db7217d78ec1fe0a3d8bb938181ec4ac26ee5489 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...