CVE-2026-9595 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g. /) and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...
Claude Fable 5 and Mythos 5 “abruptly disabled” after US gov. ban
Anthropic has been ordered by the US government to cut off its newest Claude Fable 5 and Mythos 5 models for fear of abuse by adversaries. Reuters reports that Anthropic said it will "abruptly disable" its most advanced AI models for all users after the US government ordered it to suspend access...
EUVD-2026-36723
Subscriber Broken Access Control in Really Simple SSL = 9.5.9 versions...
Handala Hacking Group Claims Breach of California Water Service
The Handala hacking group claims it has targeted California Water Service, leaking 5GB of customer database and GPS network files in its latest infrastructure attack...
Security Bulletin: IBM Engineering Systems Design Rhapsody was affected by CVE-2025-11143
Summary: IBM Engineering Systems Design Rhapsody was affected by CVE-2025-11143. Although the vulnerability is generally rated low to medium severity due to the specific conditions required for exploitation, it can become more impactful in complex multi-layered architectures where consistent URL...
PT-2026-49521
Subscriber SQL Injection in Taskbuilder = 5.0.7 versions...
PT-2026-49480
Unauthenticated Sensitive Data Exposure in EmbedPress = 4.5.2 versions...
PT-2026-49403
Unauthenticated Privilege Escalation in WP BASE Booking = 5.9.0 versions...
PT-2026-49518
Unauthenticated SQL Injection in eCommerce Product Catalog = 3.5.5 versions...
PT-2026-49424
Subscriber Broken Authentication in AutomatorWP = 5.6.7 versions...
PT-2026-49347
Custom role Insecure Direct Object References (IDOR) in Projectopia = 5.1.25.2 versions...
CVE-2026-38065
Tenda 5G03 V05.03.02.04 Version 1.0 is vulnerable to command injection in the function actionimsonwithapn via the imsapn parameter...
PT-2026-49398
Unauthenticated SQL Injection in SpeakOut! Email Petitions = 4.6.5 versions...
PT-2026-49449
Unauthenticated Cross Site Scripting (XSS) in Classified Listing = 5.3.8 versions...
python311-PyJWT-2.13.0-1.1 on GA media (moderate)
python311-PyJWT-2.13.0-1.1 on GA media Announcement ID: openSUSE-SU-2026:11024-1 Rating: moderate Cross-References: CVE-2026-48522 CVE-2026-48523 CVE-2026-48524 CVE-2026-48525 CVE-2026-48526 CVSS scores: CVE-2026-48522 SUSE : 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2026-48522 SUSE :...
PT-2026-49356
Unauthenticated Broken Access Control in User Registration = 5.1.2 versions...
PT-2026-49442
Unauthenticated Broken Access Control in Classified Listing = 5.3.8 versions...
PT-2026-49444
Unauthenticated Cross Site Scripting (XSS) in AutomatorWP = 5.6.7 versions...
PT-2026-49467
Unauthenticated Other Vulnerability Type in WpEvently = 5.3.3 versions...
PT-2026-49378
Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips 5.9.0 versions...