2840 matches found
Mlflow - Arbitrary File Write
An attacker can overwrite any file on the server hosting MLflow without any authentication. id: CVE-2023-6018 info: name: Mlflow - Arbitrary File Write author: byt3bl33d3r severity: critical description: | An attacker can overwrite any file on the server hosting MLflow without any authentication...
GHSA-HJR6-G723-HMFM
creationtimestamp| type| source ---|---|--- 2026-07-10 16:01:02+00:00| seen| https://thehackernews.com/2026/07/researcher-details-whatsapp-to-host.html 2026-07-10 20:00:23+00:00| seen| https://bsky.app/profile/iberianm.bsky.social/post/3mqcwsfxjof2i 2026-07-11 01:00:51+00:00| seen|...
PYSEC-2026-1565 RunGptLLM class in LlamaIndex has a command injection
A command injection vulnerability exists in the RunGptLLM class of the llamaindex library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models LLMs. The vulnerability arises from the improper use of the eval function, allowing a malicious or compromised...
VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer
Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs. The activity has been codenamed VEILDROP by Securonix. It's suspected that the initial payloads are distributed...
[R3] Tenable Identity Exposure Version 3.93.5 Fixes Multiple Vulnerabilities
R3 Tenable Identity Exposure Version 3.93.5 Fixes Multiple Vulnerabilities Aaron Roy Tue, 06/23/2026 - 16:43 Tenable Identity Exposure leverages third-party software to help provide underlying functionality. Several of the third-party components .NET Windows Server Hosting, NodeJS, Erlang OTP, SQ...
Malicious code in abuden221 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90 The tarball is a static-site / web-proxy build index.html, /assets/.js bundles with obfuscated names, a.well-known/discord verification file, brandin...
CVE-2026-48768 TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized fileName
TypeBot is a chatbot builder tool. In versions 3.16.1 and earlier, POST /api/blocks/file-input/v3/generate-upload-url is unauthenticated and uses unsanitized fileName input to construct public/ S3 object keys, while issuing presigned PUT URLs that do not bind Content-Type. As a result, any...
CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation
The U.S. Cybersecurity and Infrastructure Security Agency CISA has added a security flaw impacting LiteSpeed cPanel Plugin to its Known Exploited Vulnerabilities KEV catalog, requiring Federal Civilian Executive Branch FCEB agencies to apply the fixes by June 18, 2026. The vulnerability in questi...
CVE-2026-54420
LiteSpeed cPanel plugin before 2.4.8 as distributed in LiteSpeed WHM PlugIn before 5.3.2.0 mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026...
CVE-2026-54420
LiteSpeed cPanel plugin before 2.4.8 as distributed in LiteSpeed WHM PlugIn before 5.3.2.0 mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026...
EUVD-2026-36657
LiteSpeed cPanel plugin before 2.4.8 as distributed in LiteSpeed WHM PlugIn before 5.3.2.0 mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026...
CVE-2026-54420
LiteSpeed cPanel plugin before 2.4.8 as distributed in LiteSpeed WHM PlugIn before 5.3.2.0 mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026...
CVE-2026-54420
CVE-2026-54420 is a symlink-following vulnerability in LiteSpeed cPanel plugin before 2.4.8 (as distributed in LiteSpeed WHM Plugin before 5.3.2.0). A user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS can abuse improperly validated symbolic links to access or ...
PT-2026-49104
Name of the Vulnerable Software and Affected Versions LiteSpeed cPanel plugin versions prior to 2.4.8 LiteSpeed WHM PlugIn versions prior to 5.3.2.0 Description A privilege escalation issue exists where the software mishandles symbolic links symlinks provided by a user with FTP or web shell acces...
PT-2026-48882
Name of the Vulnerable Software and Affected Versions Amasty Order Attributes for Magento 2 versions prior to 4.0.0 Description An unauthenticated arbitrary file upload issue allows attackers to write files of any type or name to the store's media directory. This occurs because the upload endpoin...
ClipBucket V5 SQL注入漏洞
ClipBucket V5 is a video hosting platform developed by MacWarrior’s individual developers. Versions of ClipBucket V5 prior to 5.5.3–129 contained a SQL injection vulnerability. This vulnerability stems from a blind SQL injection vulnerability in the actions/progressvideo.php endpoint, which could...
MAL-2026-5199 Malicious code in @ethlete/contentful (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a13fdab1eac9b66fa0d57b62cbd19dfb84616946491165e61b6fd62692441ca The package was found to contain malicious code or consuming dependency that contains malicious code Source: google-open-source-security...
CVE-2026-5422
A flaw was found in jupyter-server. This path traversal vulnerability exists due to insufficient validation of file paths, specifically an incorrect root directory boundary check and improper handling of directory traversal sequences. This allows a remote attacker with low privileges to bypass...
EUVD-2026-33905
A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the getospath function within jupyterserver/services/contents/fileio.py. The check uses startswithroot without appending a trailing path separator, allowing sibling...
CVE-2026-5422 Path Traversal in jupyter/jupyter
A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the getospath function within jupyterserver/services/contents/fileio.py. The check uses startswithroot without appending a trailing path separator, allowing sibling...