CI4MS Fileeditor allows deletion and rename of critical application files due to missing extension allowlist on destructive operations

Summary The Fileeditor module enforces an extension allowlist 'css','js','html','txt','json','sql','md' on content-write operations saveFile, createFile, but two destructive endpoints — deleteFileOrFolder and renameFile — never validate the extension of the source path. A backend user with...

RUSTSEC-2026-0148 OCI layer symlink escape → arbitrary host write

Affected versions of boxlite extract OCI image layer tarballs without fully containing path resolution to the extraction root. A crafted layer containing a symlink whose target is an absolute on-host path e.g. escape - /tmp followed by a file entry that resolves through that symlink e.g...

@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools

SSE Transport Has No Authentication and Wildcard CORS, Exposing All 86 GitLab Tools Including Destructive Operations A review of mcp-gitlab-server at commit 80a7b4cf3fba6b55389c0ef491a48190f7c8996a uncovered that the SSE HTTP transport — advertised in the README and comparison table as a...

CVE-2026-41658

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations delete, retire, reinstate only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for...

CVE-2026-4002

The Petje.af plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 2.1.8. This is due to missing nonce validation in the ajaxrevoketoken function which handles the 'petjeafdisconnect' AJAX action. The function performs destructive operations includin...

CVE-2026-21445

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories...

VulnCheck KEV: CVE-2025-11372

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to modification of data in all versions up to, and including, 4.2.9.2. This is due to missing capability checks on the Admin Tools REST endpoints which are registered with permissioncallback set to returntrue. This makes it...

MERCURY and DEV-1084: Destructive attack on hybrid environment

April 2023 update – Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. MERCURY is now tracked as Mango Sandstorm and DEV-1084 is now tracked as Storm-1084. To learn more about the new taxonomy represents the origin, unique traits,...

Unspecified Vulnerability in Simple Ledger Electron-Cash-SLP

Simple Ledger Electron-Cash-SLP is a suite of SLP e-wallet implementations from Simple Ledger that supports creating, burning, and sending SLP tokens, among other things. A security vulnerability exists in Simple Ledger Electron-Cash-SLP versions prior to 3.6.2, which can be exploited by attacker...

Destructive and MiTM Capabilities of VPNFilter Malware Revealed

It turns out that the threat of the massive VPNFilter botnet malware that was discovered late last month is beyond what we initially thought. Security researchers from Cisco's Talos cyber intelligence have today uncovered more details about VPNFilter malware, an advanced piece of IoT botnet malwa...