PT-2026-26471

Summary The deleteDump parameter in plugin/CloneSite/cloneServer.json.php is passed directly to unlink without any path sanitization. An attacker with valid clone credentials can use path traversal sequences e.g., ../../ to delete arbitrary files on the server, including critical application file...

PT-2026-26490

Name of the Vulnerable Software and Affected Versions Soft Serve versions prior to 0.11.6 Description An authorization flaw exists in the repo import functionality, allowing any authenticated SSH user to clone server-local Git repositories, including private repositories belonging to other users,...

CVE-2026-32878

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that...

CVE-2026-32878 Parse Server vulnerable to schema poisoning via prototype pollution in deep copy

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that...

CVE-2026-32878 Parse Server vulnerable to schema poisoning via prototype pollution in deep copy

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that...

MAL-2026-1577 Malicious code in ropie (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5a7814d65bb3b0e5187be5d4ae9b0a11b4030ea5d911fdef3f5e614b6c15e95d Installation embeds a malicious PTH file that then during import downloads and executes remote code. During analysis, the remote code was a test starting...

MAL-2026-1795 Malicious code in nchain-clone (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eac539849e0053adcf6d0d4967489d0b945897e27f64928ad5ed80b097fff8ee The package nchain-clone was found to contain malicious code...

Malicious code in nchain-clone (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eac539849e0053adcf6d0d4967489d0b945897e27f64928ad5ed80b097fff8ee The package nchain-clone was found to contain malicious code...

EUVD-2026-12800

The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clonebulkactionhandler and republishrequest functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization due to missing capability checks in the clonebulkactionhandler and republishrequest functions. An attacker can duplicate or overwrite posts, including those they should not have access to, by sending crafted reques...

crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security TLS session resumption when certificate authority CA settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing ...

CVE-2026-1217

The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clonebulkactionhandler and republishrequest functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with...

WordPress plugin Yoast Duplicate Post 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-26040

The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clone bulk action handler and republish request functions in all versions up to, and including, 4.5. This makes it possible for authenticated attackers, with...

GHSA-9CCR-FPP6-78QF Parse Server vulnerable to schema poisoning via prototype pollution in deep copy

Impact An attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked...

crypto/tls: crypto/tls: Incorrect certificate validation during TLS session resumption

A flaw was found in the crypto/tls component. This vulnerability occurs during Transport Layer Security TLS session resumption when certificate authority CA settings are modified between the initial and resumed handshakes. An attacker could exploit this to bypass certificate validation, allowing ...

This Week in Spring - March 17th, 2026

Hi, Spring fans! Welcome to another rip-roaring installment of This Week in Spring , which I'm posting ahead of my keynote at the amazing JavaOne 2026 event here in sunny San Francisco, California! I love Piotr's latest post on using local AI models with LM Studio and Spring AI Did you see the ne...

Malicious code in pymnemonic (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 459bd254a36d9b8c78d96285e0c0aedb285b08f22900e022ea67988f3cb98e92 Malicious clone of the legitimate python-utils package, disguised as a crypto-related helper. The malicious code modification exfiltrates sensitive env variabl...

MAL-2026-1438 Malicious code in pymnemonic (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 459bd254a36d9b8c78d96285e0c0aedb285b08f22900e022ea67988f3cb98e92 Malicious clone of the legitimate python-utils package, disguised as a crypto-related helper. The malicious code modification exfiltrates sensitive env variabl...

GHSA-HQJG-PWW4-PCGQ @google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script

Impact Allows an attacker to perform a "Path Traversal" attack to modify files outside the projects directory, potentially allowing for running attacker code on the developer's machine. Patches Fixed in version 3.2.0 Workarounds Only clone or pull scripts from trusted sources Review the output of...