CVE-2026-34400

Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version...

Payload has an SQL Injection via Query Handling

Impact Certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. Patches This issue has been fixed in v3.79.1 and later. Query input validation has been hardened. Upgrade to v3.79...

openssl-encrypt's readiness endpoint leaks database error details to unauthenticated callers

Summary The /ready endpoint in opensslencryptserver/server.py at lines 159-175 catches database errors and returns the full exception string in the response. Affected Code python except Exception as e: return "status": "notready", "reason": stre Impact Database exception messages can leak: -...

GHSA-2VHW-Q7VH-7XV2 openssl-encrypt's readiness endpoint leaks database error details to unauthenticated callers

Summary The /ready endpoint in opensslencryptserver/server.py at lines 159-175 catches database errors and returns the full exception string in the response. Affected Code python except Exception as e: return "status": "notready", "reason": stre Impact Database exception messages can leak: -...

Insertion of Sensitive Information Into Sent Data

Overview openssl-encrypt is an A package for secure file encryption and decryption based on modern ciphers using heavy-compute-load chaining of hashing and KDF to generate strong encryption password based on users provided password to ensure secure encryption of files Affected versions of this...

NetBird has Race Condition on UpdateUser Function, Resulting in Privilege Escalation From Admin to Owner

Summary A race condition vulnerability allows authenticated admin-privileged users to escalate to owner privilege. Details The vulnerability exists in the updateUser function, which is connected to the /users/userId PUT request. This function then calls the SaveOrAddUsers function, which checks t...

CVE-2026-34747

Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patche...

Deserialization of Untrusted Data

Overview devcode-it/openstamanager is a management software for technical assistance and electronic invoicing Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the unserialize process of the accesstoken field in the OAuth2 configuration flow, where...

OpenSTAManager has a Time-Based Blind SQL Injection via `options[stato]` Parameter

Description Multiple AJAX select handlers in OpenSTAManager = 2.10.1 are vulnerable to Time-Based Blind SQL Injection through the optionsstato GET parameter. The user-supplied value is read from $superselect'stato' and concatenated directly into SQL WHERE clauses as a bare expression, without any...

Securing the open source supply chain across GitHub

Over the past year, a new pattern has emerged in attacks on the open source supply chain. Attackers are focusing on exfiltrating secrets like API keys in order to both publish malicious packages from an attacker-controlled machine as well as gain access to more projects in order to propagate the...

EUVD-2025-209164

A non-default configuration in Sage DPW 202506004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Clou...

CVE-2025-67805

A non-default configuration in Sage DPW 202506004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Clou...

MAL-2026-2403 Malicious code in polymarkets-sdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 facfcba74011619f5bb2eaf096e41239f81520cb4effff3b45f8b42c84d42060 During import, the code attempts to exfiltrate to a hardcoded location sensitive data, including private SSH keys, cloud credentials and Windows SAM database...

EUVD-2026-17869

A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user...

CVE-2026-25601 Credential Exposure vulnerability in MEPIS RM

A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user...

CVE-2026-25601 Credential Exposure vulnerability in MEPIS RM

A vulnerability was identified in MEPIS RM, an industrial software product developed by Metronik. The application contained a hardcoded cryptographic key within the Mx.Web.ComponentModel.dll component. When the option to store domain passwords was enabled, this key was used to encrypt user...

CVE-2026-5182

A vulnerability was found in SourceCodester Teacher Record System 1.0. Impacted is an unknown function of the file Teacher Record System of the component Parameter Handler. Performing a manipulation of the argument searchteacher results in sql injection. It is possible to initiate the attack...

exploitdb

No d...

CVE-2026-21630

Improperly built order clauses lead to a SQL injection vulnerability in the articles webservice endpoint...

CVE-2026-4370

A vulnerability was identified in Juju from version 3.2.0 until 3.6.19 and from version 4.0 until 4.0.4, where the internal Dqlite database cluster fails to perform proper TLS client and server authentication. Specifically, the Juju controller's database endpoint does not validate client...