
13 matches found

The Hacker News
added 2026/04/22 10:41 a.m. · 8 views

Toxic Combinations: When Cross-App Permissions Stack into Risk

On January 31, 2026, researchers disclosed that Moltbook, a social network built for AI agents, had left its database wide open, exposing 35,000 email addresses and 1.5 million agent API tokens across 770,000 active agents. The more worrying part sat inside the private messages. Some of those...

AI score 5.9
Exploits 0
RedhatCVE
added 2026/03/26 3:11 p.m. · 3 views

CVE-2026-32736

The Hytale Modding Wiki is a free service for Hytale mods to host their documentation and wikis. An Insecure Direct Object Reference (IDOR) vulnerability in versions of the wiki prior to 1.0.0 exposes mod authors' personal information, including full names and email addresses, to any authenticated...

CVSS 4.3 · AI score 5.8 · EPSS 0.00207
Exploits 1 · References 1
HackRead
added 2026/02/06 2:55 p.m. · 5 views

Flickr Notifies Users of Data Breach After External Partner Security Flaw

Flickr says a third-party email vendor flaw may have exposed user names, emails, IP data, and activity logs...

AI score 5.4
Exploits 0
RedhatCVE
added 2026/02/04 3:15 a.m. · 5 views

CVE-2026-24933

The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificate validation vulnerability allows an unauthenticated remote attacker to perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication,...

CVSS 8.9 · AI score 5.5 · EPSS 0.00204
Exploits 0 · References 1
Positive Technologies
added 2026/02/03 12:00 a.m. · 7 views

PT-2026-5765

The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificate validation vulnerability allows an unauthenticated remote attacker to perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication,...

CVSS 8.9 · AI score 5.6 · EPSS 0.00204
Exploits 0 · References 2
EUVD
added 2026/01/24 2:02 a.m. · 5 views

EUVD-2026-4257

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list endpoint calls Question::getAll with showAll=true by default, returning...

CVSS 5.3 · AI score 5.4 · EPSS 0.00375
Exploits 1 · References 2
EUVD
added 2025/10/03 8:07 p.m. · 4 views

EUVD-2022-5079

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 6.6 · EPSS 0.01579
Exploits 0 · References 12
Cvelist
added 2025/09/26 4:03 p.m. · 9 views

CVE-2025-59843 FlagForgeCTF Exposes User Emails via Public /api/user/[username] API

Flag Forge is a Capture The Flag (CTF) platform. From versions 2.0.0 to before 2.3.2, the public endpoint /api/user/username returns user email addresses in its JSON response. The fix, intended for release in 2.3.1 but only available starting in version 2.3.2, removes email addresses from public AP...

CVSS 6.9 · EPSS 0.00389
Exploits 0 · References 4
VulnCheck KEV
added 2025/08/23 12:00 a.m. · 6 views

VulnCheck KEV: CVE-2024-0235

The EventON WordPress plugin before 4.5.5 and the EventON WordPress plugin before 2.2.7 do not have an authorisation check in an AJAX action, allowing unauthenticated users to retrieve the email addresses of any users on the blog...

CVSS 5.3 · AI score 5.8 · EPSS 0.37957
In the wild · Exploits 3 · References 50
Vulnrichment
added 2024/04/09 6:58 p.m. · 14 views

CVE-2024-1289 LearnPress <= 4.2.6.3 - Insecure Direct Object Reference

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order information. This makes it possible for authenticated attackers to...

CVSS 6.5 · AI score 7.2 · EPSS 0.00391
Exploits 0 · References 2
WPVulnDB
added 2024/04/04 12:00 a.m. · 22 views

LearnPress < 4.2.6.4 - Insecure Direct Object Reference

Description: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.6.3 due to missing validation on a user controlled key when looking up order information. This makes it possible for authenticated...

CVSS 6.5 · AI score 6.2 · EPSS 0.00391
Exploits 0 · References 1 · Affected Software 1
Positive Technologies
added 2023/03/29 12:00 a.m. · 3 views

PT-2023-20888 · Unknown · Peppermint

Name of the Vulnerable Software and Affected Versions: Peppermint version 0.2.4. Description: The issue concerns the password reset function, allowing attackers to access emails and passwords of the Tickets page through a crafted request. Recommendations: For Peppermint version 0.2.4, consider...

CVSS 8.1 · AI score 7.4 · EPSS 0.00917
Exploits 1 · References 6
Positive Technologies
added 2023/01/05 12:00 a.m. · 4 views

PT-2023-14256 · Ibm · Ibm Robotic Process Automation

Name of the Vulnerable Software and Affected Versions: IBM Robotic Process Automation versions 20.12 through 21.0.6. Description: The issue allows for the exposure of the name and email for the creator/modifier of platform level objects. Recommendations: For versions 20.12 through 21.0.6, update t...

CVSS 5.3 · AI score 5 · EPSS 0.00473
Exploits 0 · References 6