CVE-2026-42789

Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP publickey pubkeycert module allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. In lib/publickey/src/pubkeycert.erl, pubkeycert:validateextensions/7 contains two...

EEF-CVE-2026-42789 Non-CA certificate accepted as intermediate issuer in public_key path validation

Summary Improper Following of a Certificate's Chain of Trust vulnerability in Erlang OTP publickey pubkeycert module allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. In lib/publickey/src/pubkeycert.erl, pubkeycert:validateextensions/7...

CVE-2026-42789

The CVE-2026-42789 entry documents a vulnerability in Erlang OTP public_key (pubkey_cert module): a certificate with basicConstraints cA:false and no keyUsage can be misused as an intermediate issuer during pkix_path_validation, enabling chain forgery. Two flaws in pubkey_cert:validate_extensions...

PT-2026-44063

Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.39.0 Description Insufficient permission checks on the single-datasource 'GET' and 'PUT' routes allow users with the Basic app user role to access and modify REST datasource configurations. Because these routes are...

Botan 安全漏洞

Botan is a C++ encryption library developed by Jack Lloyd as an individual project. Versions of Botan prior to 3.12.0 contained security vulnerabilities. These vulnerabilities were caused byBER data, which led to reassembly behavior by the parser, potentially resulting in denial-of-service attack...

Malicious code in auth-basic-vault (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f3227380d9ef91ce63237acc9656b88a50b29aeeb05c594b700c5936a7527543 On require'auth-basic-vault', lib/writer.js attempts to require'authcascade' at module top level and, on failure, shells out via execSync to npm...

MAL-2026-4488 Malicious code in auth-basic-vault (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f3227380d9ef91ce63237acc9656b88a50b29aeeb05c594b700c5936a7527543 On require'auth-basic-vault', lib/writer.js attempts to require'authcascade' at module top level and, on failure, shells out via execSync to npm...

EUVD-2026-31549

A vulnerability was found in H3C Magic B0 up to 100R002. This affects the function EditBasicSSID5G of the file /goform/aspForm. Performing a manipulation of the argument param results in buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used. The...

ClipBucket-EDB-44250

ClipBucket-EDB-44250 Unauthenticated Remote Code Execution in...

CVE-2026-9371

A security vulnerability has been detected in ItzCrazyKns Vane up to 1.12.1. Affected by this issue is some unknown functionality of the file route.ts of the component API. The manipulation leads to missing authentication. The attack may be initiated remotely. The attack's complexity is rated as...

CVE-2026-9371

A security vulnerability has been detected in ItzCrazyKns Vane up to 1.12.1. Affected by this issue is some unknown functionality of the file route.ts of the component API. The manipulation leads to missing authentication. The attack may be initiated remotely. The attack's complexity is rated as...

CVE-2026-2734

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

EUVD-2026-31210

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

PT-2026-42395

Name of the Vulnerable Software and Affected Versions mlflow/mlflow versions prior to 3.10.0 Description When basic authentication is enabled, the 'SearchModelVersions' REST API endpoint and the 'mlflowSearchModelVersions' GraphQL query lack proper per-model authorization checks. This allows any...

PT-2026-41974

Name of the Vulnerable Software and Affected Versions @haxtheweb/open-apis versions 9.0.1 through 25.x Description Multiple functions perform substring-only matching to validate hostnames for basic authorization. This allows an attacker to append matched substrings to an attacker-controlled...

@antv/gi-assets-xlab (>=0.1.0 <=0.1.30) potentially affected by unknown CVE via @antv/gi-assets-basic (=2.4.40)

@antv/gi-assets-basic NPM version =2.4.40 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/gi-assets-basic and may be impacted: - @antv/gi-assets-xlab =0.1.0, =0.1.30 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVGIASSETSBASIC-16754358...

Arcane Backend: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs

Summary Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /api/git-repositories/sync for managing GitOps source repositories and their stored credentials. Eight of those endpoints list, create, get, update, delete, test, listBranches, browseFiles never...

Authentication Bypass by Primary Weakness

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the...

Authentication Bypass by Primary Weakness

Overview Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the findfastapivalidator function. An attacker can gain unauthorized access to sensitive API endpoints by sending requests to non-/gateway/ paths when the server is started with authenticati...

MLflow: unauthenticated access to certain FastAPI routes

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...