Lucene search

137 matches found

Cvelist
added 2026/04/30 9:9 a.m., 24 views

CVE-2026-41016 Apache Airflow Providers SMTP: No certificate validation on SMTP STARTTLS connections in SMTP provider

Apache Airflow's SMTP provider SmtpHook called Python's smtplib.SMTP.starttls without an SSL context, so no certificate validation was performed on the TLS upgrade. A man-in-the-middle between the Airflow worker and the SMTP server could present a self-signed certificate, complete the STARTTLS...

EPSS 0.00022
Exploits 0 | References 2
Positive Technologies
added 2026/04/23 12:0 a.m., 0 views

PT-2026-34773

OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to redirect onboarding toward malicious gateways and capture...

CVSS 7.4 | AI score 5.8 | EPSS 0.00014
Exploits 0 | References 4
Krebs on Security
added 2026/02/20 8:0 p.m., 8 views

‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses...

AI score 5.7
Exploits 0
Cvelist
added 2025/10/29 1:29 p.m., 3 views

CVE-2025-64149

A cross-site request forgery (CSRF) vulnerability in Jenkins Publish to Bitbucket Plugin 0.4 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

EPSS 0.00027
Exploits 0 | References 1
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2021-18873

Malware in sbrugna...

CVSS 8 | AI score 5.6 | EPSS 0.00042
Exploits 0 | References 2
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2012-0679

Malware in sbrugna...

CVSS 5 | AI score 6.1 | EPSS 0.00276
Exploits 0 | References 4
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-5312

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.5 | EPSS 0.00074
Exploits 0 | References 5
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2023-54623

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 5.1 | EPSS 0.00048
Exploits 0 | References 1
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2023-2170

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.00066
Exploits 0 | References 3
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2023-1334

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.5 | EPSS 0.00555
Exploits 0 | References 2
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-3240

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.8 | EPSS 0.00107
Exploits 0 | References 4
RedhatCVE
added 2025/09/05 3:22 p.m., 2 views

CVE-2025-58460

A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b92bcd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

CVSS 4.2 | AI score 6.7 | EPSS 0.00035
Exploits 0 | References 1
OSV
added 2025/09/03 3:15 p.m., 1 views

CVE-2025-58460

A missing permission check in Jenkins OpenTelemetry Plugin 3.1543.v8446b92bcd64 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

CVSS 4.2 | AI score 6.5
Exploits 0 | References 2
RedhatCVE
added 2025/05/23 3:37 a.m., 7 views

CVE-2023-28672

Jenkins OctoPerf Load Testing Plugin Plugin 4.5.1 and earlier does not perform a permission check in a connection test HTTP endpoint, allowing attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...

CVSS 6.5 | AI score 6.4 | EPSS 0.00555
Exploits 0 | References 1
RedhatCVE
added 2025/05/23 1:56 a.m., 3 views

CVE-2023-24437

A cross-site request forgery (CSRF) vulnerability in Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

CVSS 8.8 | AI score 6.6 | EPSS 0.00085
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 1:14 p.m., 3 views

CVE-2018-1000186

An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin 1.41.0 and older in GhprbGitHubAuth.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another...

CVSS 6.5 | AI score 6.1 | EPSS 0.00094
Exploits 0 | References 1
RedhatCVE
added 2025/05/22 3:31 a.m., 5 views

CVE-2018-1999028

An exposure of sensitive information vulnerability exists in Jenkins Accurev Plugin 0.7.16 and earlier in AccurevSCM.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins...

CVSS 8.8 | AI score 6.1 | EPSS 0.00107
Exploits 0 | References 1
CVE
added 2024/06/20 10:9 p.m., 44 views

CVE-2024-37183

Westermo L210-F2G Lynx (CVE-2024-37183) is affected. The vulnerability allows capture of plain text credentials and session IDs over the network due to cleartext transmission. CVSS v3.1 base score 7.5 indicates high severity with Network attack vector and low access complexity; confidentiality im...

CVSS 7.5 | AI score 6 | EPSS 0.00135
Exploits 0 | References 1 | Affected Software 1
Positive Technologies
added 2024/05/01 12:0 a.m., 1 views

PT-2024-3514

Name of the Vulnerable Software and Affected Versions Cisco IP Phone 6800 versions affected versions not specified Cisco IP Phone 7800 versions affected versions not specified Cisco IP Phone 8800 versions affected versions not specified Cisco Video Phone 8875 versions affected versions not...

CVSS 7.8 | AI score 6.7 | EPSS 0.00797
Exploits 0 | References 10
Prion
added 2023/12/13 6:15 p.m., 16 views

Cross site request forgery (csrf)

A cross-site request forgery (CSRF) vulnerability in Jenkins Nexus Platform Plugin 3.18.0-03 and earlier allows attackers to connect to an attacker-specified HTTP server using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins...

CVSS 6.8 | AI score 6.8 | EPSS 0.00068
Exploits 0 | References 2 | Affected Software 1