nebula-mesh: GET /api/v1/audit-log discloses all entries to any operator

internal/api/audit.go:12 — handleGetAuditLog does no admin check. The route is bearer-auth gated only; any operator API key returns the full audit log via store.ListAuditEntries up to limit=1000. This includes cross-tenant actor names, host/CA/operator IDs, action timestamps, and masked-IP entrie...

coruna-postexploit

Coruna Post-Exploitation Framework Overview This is a com...

CVE-2026-40519

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary...

CVE-2026-46284

A flaw was found in the Linux kernel's hugetlb memory management. A local user could exploit this by providing malformed kernel command-line parameters, such as hugepages or hugepagesz, without an '=' separator. This improper handling of input during early parameter parsing can lead to a system...

CVE-2026-40519 Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary...

CVE-2026-40519 Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()

Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary...

CVE-2026-40519

Nginx Proxy Manager versions 2.9.14–2.15.1 are affected by an authenticated remote code execution via OS command injection in backend/setup.js (setupCertbotPlugins). The user-controlled dns_provider_credentials field is interpolated directly into a shell command executed with child_process.exec()...

CVE-2026-11487

A flaw was found in Neovim. A local user could exploit this vulnerability by manipulating the argument path in the M.read function within the runtime/lua/vim/secure.lua file. This can lead to command injection, allowing the attacker to execute arbitrary commands on the local system...

CVE-2026-11393 Code injection via improper triple-quote escaping in AgentCore CLI Bedrock Agent import

Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of anothe...

EUVD-2026-35184

Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider. This issue affects : Devolutions...

CVE-2026-10544

Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider. This issue affects : Devolutions...

CVE-2026-10544

Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider. This issue affects : Devolutions...

CVE-2026-8913

A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when...

CVE-2026-11556

A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack i...

CVE-2026-11556

A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack i...

CVE-2026-11556 Tenda F451 Web Management WriteFacMac formWriteFacMac os command injection

A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack i...

EUVD-2026-35179

A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack i...

CVE-2026-11556 Tenda F451 Web Management WriteFacMac formWriteFacMac os command injection

A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack i...

CVE-2026-11556

Affected product: Tenda F451 routers (firmware 1.0.0.7/1.0.0.9). Vulnerable component: Web Management Interface, function formWriteFacMac in /goform/WriteFacMac. Root cause: parameter manipulation of mac leads to OS command injection. Impact: remote code execution with high severity (network vect...

apheris-auth (=0.23.0), apheris-cli (>=0.51.0 <=0.52.0) +1 more potentially affected by CVE-2026-41479 via authlib (=1.7.0)

authlib PYPI version =1.7.0 is affected by a known vulnerability. The following packages have a transitive dependency on authlib and may be impacted: - apheris-auth =0.23.0 - apheris-cli =0.51.0, =1.3.0, =1.3.0b4 Source cves: CVE-2026-41479 Source advisory: OSV:GHSA-W8P2-R796-3VMQ...