167 matches found
PT-2026-52066
Name of the Vulnerable Software and Affected Versions Jellyfin versions prior to 10.11.10 Description Missing path sanitization during playback allows the use of a specially crafted MKV file with forged filename tags to redirect attachment extraction to any absolute path on the disk. This occurs...
GHSA-J93G-RP6M-J32M Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS
Summary Arc registers Go's net/http/pprof handlers at /debug/pprof/ via app.Usepprof.New in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any...
Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS
Summary Arc registers Go's net/http/pprof handlers at /debug/pprof/ via app.Usepprof.New in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any...
MAL-2026-5331 Malicious code in bittensor-burn (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 99f546bfd362dae8aed49775bf13961c3540c29ef6fa54f484bf57e978d775be The package markets itself as a Bittensor burn-rate monitor but ships a compiled native module bittensorburnwatch/core.cpython-.so that reads the...
Malicious code in bittensor-burn (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 99f546bfd362dae8aed49775bf13961c3540c29ef6fa54f484bf57e978d775be The package markets itself as a Bittensor burn-rate monitor but ships a compiled native module bittensorburnwatch/core.cpython-.so that reads the...
Malicious code in bittensor-burn-alert (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 06e89dc9ff0a5d334b67a01c572c036b0740adf6d8669d2fa25c241a0c098116 The package advertises itself as a Bittensor subnet burn-rate monitor but bundles a covert clipboard surveillance daemon in its compiled core module...
MAL-2026-5312 Malicious code in bt-burn-watch (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 94719a61950dd5cacc26b288c1fe8ef0d12f0e93720b4f1aa98cdf84ff148f0d Package advertises Bittensor subnet burn-rate monitoring but the compiled core module's own docstring describes itself as a 'clipboard logger +...
MAL-2026-5311 Malicious code in bittensor-burn-monitor (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9d4b7067997b5bc9822e964b16a3b4e78b5ec637086732d143889e577fa2d886 bittensor-burn-monitor advertises itself as a Bittensor subnet burn-rate monitor but ships a covert clipboard logger that exfiltrates installers'...
Malicious code in bittensor-burn-watch (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16180f1609731d35398f11dbfcb328826d2e39a7acf42fc256b563512645e6e5 Package advertises itself as a Bittensor subnet burn-rate monitor but bundles a live TELEGRAMBOTTOKEN and TELEGRAMCHATID in...
MAL-2026-5292 Malicious code in bittensor-burn-watch (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16180f1609731d35398f11dbfcb328826d2e39a7acf42fc256b563512645e6e5 Package advertises itself as a Bittensor subnet burn-rate monitor but bundles a live TELEGRAMBOTTOKEN and TELEGRAMCHATID in...
CVE-2026-6339
Mattermost versions 11.5.x = 11.5.1, 11.4.x = 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost...
CALIBURN: A Regime-Sensitivity Study of Operationally Calibrated Streaming Intrusion Detection
Streaming network intrusion detection systems must process flows continuously while keeping memory bounded, but most current methods leave alerting threshold selection as a post-hoc tuning problem poorly suited to production. Operators need alerting behaviour specifiable before deployment using...
Mattermost Server 11.4.x <= 11.4.3 / 11.5.x <= 11.5.1 Origin Validation Error (MMSA-2026-00636)
The version of Mattermost Server installed on the remote host is affected by a vulnerability as referenced in the MMSA-2026-00636 advisory. - Mattermost versions 11.5.x = 11.5.1, 11.4.x = 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an...
Origin Validation Error
Overview Affected versions of this package are vulnerable to Origin Validation Error via the burn-on-read reveal endpoint due to missing validation of the X-Requested-With header. An attacker can force the unauthorized reveal of a burn-on-read message without recipient consent by sending a crafte...
GHSA-XVCX-MGPC-5XH3 Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint
Mattermost versions 11.5.x = 11.5.1, 11.4.x = 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost...
Mattermost doesn't validate the X-Requested-With header on the burn-on-read reveal endpoint
Mattermost versions 11.5.x = 11.5.1, 11.4.x = 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost...
CVE-2026-6339
Mattermost versions 11.5.x = 11.5.1, 11.4.x = 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost...
EUVD-2026-30749
Mattermost versions 11.5.x = 11.5.1, 11.4.x = 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost...
CVE-2026-6339
Mattermost versions 11.5.x = 11.5.1, 11.4.x = 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost...
CVE-2026-6339 Missing request origin validation on burn-on-read reveal endpoint
Mattermost versions 11.5.x = 11.5.1, 11.4.x = 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag.. Mattermost...