CVE-2026-45256

When used to deliver a signal to a specific thread, thrkill22 called pcansignal to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to th...

CVE-2026-5081

The CVE-2026-5081 entry concerns Apache::Session::Generate::ModUniqueId for Perl. Affected versions: 1.54 through 1.94 use the UNIQUE_ID environment variable (set by mod_unique_id) as the session id. The UNIQUE_ID is built from the request’s IPv4 address, process id, epoch time, a 16-bit counter,...

CVE-2026-31950

LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint /api/agents/chat/stream/:streamId does not verify that the requesting user owns the stream. Any authenticated user who obtains or guesses a valid stream ID can subscribe and...

CVE-2026-31950

LibreChat is a ChatGPT clone with additional features. In versions 0.8.2-rc2 through 0.8.2-rc3, the SSE streaming endpoint /api/agents/chat/stream/:streamId does not verify that the requesting user owns the stream. Any authenticated user who obtains or guesses a valid stream ID can subscribe and...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the downloadimage endpoint. An attacker can access and download image files belonging to any flow by knowing or guessing the flow ID and file name. Remediation There is no fixed version for langflow-base...

CVE-2026-27705

Plane is an an open-source project management tool. Prior to version 1.2.2, the ProjectAssetEndpoint.patch method in apps/api/plane/app/views/asset/v2.py lines 579–593 performs a global asset lookup using only the asset ID pk via FileAsset.objects.getid=pk, without verifying that the asset belong...

CVE-2025-13371

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details PAN, card holder name, expiry month/year, and CVV in WordPress postmeta using base64encode, and then...

EUVD-2019-2400

Malware in sbrugna...

EUVD-2005-4718

Malware in sbrugna...

EUVD-2005-1634

Malware in sbrugna...

EUVD-2001-0292

Malware in sbrugna...

EUVD-2022-27663

Malicious code in bioql PyPI...

EUVD-2022-48083

Malicious code in bioql PyPI...

CVE-2025-55797

An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/schemaId endpoint allows unauthenticated attackers to access historical schema data if a valid schemaId is known or guessed...

CVE-2025-55797

An improper access control vulnerability in FormCms v0.5.4 in the /api/schemas/history/schemaId endpoint allows unauthenticated attackers to access historical schema data if a valid schemaId is known or guessed...

CVE-2020-8791

The OKLOK 3.1.1 mobile companion app for Fingerprint Bluetooth Padlock FB50 2.3 allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary...

PT-2025-17724 · Franka Robotics · Franka Emika Robot

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: An issue exists due to improper JSON Web Tokens implementation, allowing an unauthenticated remote attacker to guess a valid session ID. This enables the attacker to impersonate a user and...

DEBIAN-CVE-2024-49865

In the Linux kernel, the following vulnerability has been resolved: drm/xe/vm: move xaalloc to prevent UAF Evil user can guess the next id of the vm before the ioctl completes and then call vm destroy ioctl to trigger UAF since create ioctl is still referencing the same vm. Move the xaalloc all t...

GitLab: IDOR Exposes All Machine Learning Models

The vulnerability allows an attacker to access any Machine Learning Model Registry in GitLab, including private models, by guessing the incremental model IDs. The attacker can also access different versions of the models. This vulnerability was present in GitLab versions 15.11 and 16.2...

PT-2023-4277 · WordPress · Eventon

Name of the Vulnerable Software and Affected Versions: EventON WordPress plugin versions prior to 2.1.2 Description: The issue is related to a lack of authentication and authorization in the eventon ics download ajax action of the EventON WordPress plugin. This allows unauthenticated visitors to...