815208 matches found
Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagg...
Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns
Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026. "At Balochistan Police, the compromised assets includ...
CVE-2026-10660
The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bapbroadcastassistant.c reassembled remote Broadcast Receive State data into a single file-static netbufsimple attbuf, BTATTMAXATTRIBUTELEN = 512 bytes shared by all connection instances, while the BUSY flag, long-read...
Exploit for Deserialization of Untrusted Data in Apache Camel
Permissive Default ObjectInputFilter — DNS Side-Channel Reprod...
CVE-2026-10660 Shared reassembly buffer in Bluetooth BAP Broadcast Assistant enables cross-connection memory corruption
The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bapbroadcastassistant.c reassembled remote Broadcast Receive State data into a single file-static netbufsimple attbuf, BTATTMAXATTRIBUTELEN = 512 bytes shared by all connection instances, while the BUSY flag, long-read...
CVE-2026-10660
The CVE-2026-10660 issue affects the Zephyr Bluetooth BAP Broadcast Assistant GATT client (subsys/bluetooth/audio/bap_broadcast_assistant.c). A single static net_buf_simple buffer (att_buf, BT_ATT_MAX_ATTRIBUTE_LEN = 512) is shared across all connections; per-connection state (BUSY flag, long-rea...
EUVD-2026-43190
The Bluetooth BAP Broadcast Assistant GATT client in subsys/bluetooth/audio/bapbroadcastassistant.c reassembled remote Broadcast Receive State data into a single file-static netbufsimple attbuf, BTATTMAXATTRIBUTELEN = 512 bytes shared by all connection instances, while the BUSY flag, long-read...
pantest-containers
Pentest Containers Uruchamianie Ten projekt buduje narzęd...
CVE-2026-61448
Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...
CVE-2026-56763
Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve...
CVE-2026-61426
PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication...
CVE-2026-56296
Cap-go before 12.128.2 contains an information disclosure vulnerability in the public.transferapp RPC function that returns distinct error messages for existing versus non-existing app IDs. Unauthenticated attackers can enumerate valid app IDs by observing error message differences when calling...
CVE-2026-56303
Capgo before 12.128.2 contains an information disclosure vulnerability in the findapikeybyvalue PostgreSQL function marked SECURITY DEFINER and executable by the anon role. Unauthenticated attackers can call this function via the /rest/v1/rpc/findapikeybyvalue endpoint to retrieve sensitive API k...
CVE-2026-61448 Parse Server 9.0.0 Stored XSS via malformed Content-Type
Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...
CVE-2026-61448
Parse Server is affected by a stored XSS in versions 9.0.0–9.9.9 (excluding 9.10.0-alpha.2) and 8.6.0x up to 8.6.83. When a file with an unrecognized extension is uploaded, the client-supplied Content-Type is kept. A malformed Content-Type (not valid type/subtype) can bypass fileUpload.fileExtens...
EUVD-2026-43183
Parse Server is affected by a stored cross-site scripting XSS vulnerability in versions = 9.0.0, 9.10.0-alpha.2 and = 8.6.83. When an uploaded file's extension is not recognized by the mime package, Parse Server preserves the client-supplied Content-Type. A malformed Content-Type that is not a...
CVE-2026-61426 PraisonAI before 1.7.3 Unauthenticated Agent Access via Insecure Defaults
PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication...
CVE-2026-61426
PrasionAI prior to 1.7.3 uses insecure defaults: it binds to all interfaces with no API key and permissive CORS, allowing unauthenticated access. Attacks can read agent instructions/system prompts via GET /api/agents or invoke /api/chat via POST without auth. No explicit remediation details are p...
EUVD-2026-43176
PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication...
CVE-2026-56763 Hono - Prototype Pollution via __proto__ Key in parseBody with dot Option
Hono before 4.12.7 allows proto key in parseBody with dot option enabled, permitting specially crafted form field names to create objects with proto properties. When parsed results are merged into regular JavaScript objects using unsafe merge patterns, attackers can exploit this to achieve...