CVE-2026-24756

Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade...

PT-2026-46857

Impact Any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment e.g., following the production Docker example in the README, this is exploitable from the local network without...

Why Encrypted File Sharing Is Essential for Modern Businesses

Consider the history of any recent corporate scandal, and it is quite possible to guess what the story…...

What’s new in Microsoft Security: May 2026

At Microsoft, security innovations are purpose-built to help every organization protect end-to-end with the speed and scale of AI. Our vision is simple: security should be ambient and autonomous, just like the AI it protects. As organizations accelerate AI adoption, security teams are navigating...

What’s new in Microsoft Security: May 2026

At Microsoft, security innovations are purpose-built to help every organization protect end-to-end with the speed and scale of AI. Our vision is simple: security should be ambient and autonomous, just like the AI it protects. As organizations accelerate AI adoption, security teams are navigating...

CVE-2026-2740

Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency...

BIT-TOMCAT-2022-25762 Response mix-up with WebSocket concurrent send and close

If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling...

PT-2026-41212

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.2 Description A mass assignment issue exists in the dataset create and update processes. The application uses Object.assign to copy the request body into a Dataset entity without an explicit field allowlist,...

BIT-JRE-2025-21587

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: JSSE. Supported versions that are affected are Oracle Java SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK:17.0.14, 21.0.6, 24; Oracle...

PT-2026-39277

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description The get sources from items function resolves file and knowledge base references into vector search queries during chat completion. Certain code paths perform vector store queries without...

BIT-JAVA-MIN-2023-22025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition:...

BIT-JAVA-2023-21830

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Serialization. Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf; Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows...

Public Voting Records: A Record, or an Attack Surface?

This is a whitepaper discussing a formal methodology for auditing voter-file disclosure regimes against linkage attacks...

Embedded Malicious Code

Overview elementary-data is a Data monitoring and lineage Affected versions of this package are vulnerable to Embedded Malicious Code that is a credential stealer designed to exfiltrate sensitive data from the environment where the CLI is installed or executed. Specifically, the code: - Harvests...

Microsoft Purview 代码问题漏洞

Microsoft Purview is a data security and management software developed by the American company Microsoft. There is a code vulnerability in Microsoft Purview, which stems from server-side request forgery. This vulnerability allows unauthorized attackers to escalate their privileges through the...

PT-2026-33633

Name of the Vulnerable Software and Affected Versions Apache Kafka versions 4.1.0 through 4.1.1 Description An issue exists in the OAUTHBEARER authentication mechanism where the broker property sasl.oauthbearer.jwt.validator.class defaults to...

PT-2026-32560

Name of the Vulnerable Software and Affected Versions SAP Business Planning and Consolidation affected versions not specified SAP Business Warehouse affected versions not specified Description Insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse...

CVE-2026-35167

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the getversionedpath method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences...

Support platform breach exposes Hims & Hers customer data

Healthcare companies handle some of the most personal data imaginable. That makes them a magnet for hackers. And when those companies outsource their customer support to third-party platforms, every one of those platforms becomes another door someone can try to kick in. Telehealth giant Hims & He...

CVE-2026-35167

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, the getversionedpath method in kedro/io/core.py constructs filesystem paths by directly interpolating user-supplied version strings without sanitization. Because version strings are used as path components, traversal sequences...