532 matches found
GHSA-FXC7-FM93-6Q77 ArcadeDB vulnerable to cross-database authorization bypass and unsecured newly-created databases
Impact Authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: 1 ServerSecurityUser.getDatabaseUser returned a DB user with an uninitialized fileAccessMap, which...
CVE-2026-4060
The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The escsql functi...
CVE-2026-41382
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stale-role validation gaps and improper channel name validation to gain unauthorized access to...
CVE-2026-41382 OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Validation Gaps
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stale-role validation gaps and improper channel name validation to gain unauthorized access to...
CVE-2026-41382 OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Validation Gaps
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stale-role validation gaps and improper channel name validation to gain unauthorized access to...
CVE-2026-41382
OpenClaw npm package contains an authorization bypass vulnerability in Discord voice ingress prior to version 2026.3.31. The issue stems from channel and member allowlist validation gaps, including stale-role validation and improper channel name validation, enabling access to restricted voice cha...
From Stateless Queries to Autonomous Actions: A Layered Security Framework for Agentic AI Systems
Agentic AI systems face security challenges that stateless large language models do not. They plan across extended horizons, maintain persistent memory, invoke external tools, and coordinate with peer agents. Existing security analyses organize threats by attack type prompt injection, jailbreakin...
[Webinar] Mythos Reality Check: Beating Automated Exploitation at AI Speed
Imagine a world where hackers don't sleep, don't take breaks, and find weak spots in your systems instantly. Well, that world is already here. Thanks to AI, attackers are now launching automated, large-scale exploits faster than ever before. The time you have to fix a vulnerability before it gets...
Flowise 代码注入漏洞
Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior to Flowise 3.1.0, there was a code injection vulnerability. This vulnerability stemmed from the CSVAgent component, which allowed the provision of custom Pandas CSV reading code. Lack of...
CVEs with a CVSS Score Greater Than or Equal to 9
Critical vulnerabilities with Common Vulnerability Scoring System scores of 9.0 or higher pose severe risks to organisations' information systems. Timely detection and remediation are essential to minimise economic and reputational damage from cyberattacks. This paper provides a thorough analysis...
The Ungoverned Workforce: Cybersecurity Insiders Finds 92% Lack Visibility Into AI Identities
Washington D.C., USA, 21st April 2026, CyberNewswire...
SQLi
SQL Injection: An Elite Bug Bounty Hunter's Field Manual SQL...
Decidim 安全漏洞
Decidim is an open-source participatory democracy framework developed using Ruby on Rails. Versions of Decidim from 0.0.1 to 0.30.5 and 0.31.1 contained security vulnerabilities. These vulnerabilities stemmed from the lack of permission checks for the commentable fields in the API, which could...
Owner-Harm: A Missing Threat Model for AI Agent Safety
Existing AI agent safety benchmarks focus on generic criminal harm cybercrime, harassment, weapon synthesis, leaving a systematic blind spot for a distinct and commercially consequential threat category: agents harming their own deployers. Real-world incidents illustrate the gap: Slack AI...
SoK: Reshaping Research on Network Intrusion Detection Systems
Network Intrusion Detection Systems NIDS have been studied for decades. Hundreds of papers have, e.g., proposed ways to enhance, harden or bypass NIDS. However, the findings of prior literature are hardly reflected in real-world operational contexts. Such a disconnection is problematic for resear...
[SECURITY] Fedora 43 Update: aqualung-1.2-12.fc43
Aqualung is an advanced music player originally targeted at the GNU/Linux operating system. It plays audio CDs, internet radio streams and pod casts as well as sound files in just about any audio format and has the feature of inserting no gaps between adjacent tracks...
ChurchCRM 安全漏洞
ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 7.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the lack of object-level authorization checks in the API endpoints, which could lead to information leaks...
Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out)
Summary Meridian v2.1.0 Meridian.Mapping and Meridian.Mediator shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity — the advertised DefaultMaxCollectionItems and DefaultMaxDepth safety caps are silently bypassed on the IMapper.Mapsource, destination...
PT-2026-33274
Name of the Vulnerable Software and Affected Versions Livemesh Addons for Elementor versions prior to 9.1 Description The plugin allows unauthorized modification of data and Stored Cross-Site Scripting XSS through plugin settings. This occurs because the AJAX handler lae admin ajax lacks...
Incident response for AI: Same fire, different fuel
In this article 1. The fundamentals still hold 2. Where AI changes the equation 3. Closing the gaps in telemetry, tooling, and response 4. The human dimension 5. Looking ahead When a traditional security incident hits, responders replay what happened. They trace a known code path, find the defect...