Lucene search

8 matches found

EUVD
added 2026/05/28 2:44 p.m., 11 views

EUVD-2026-32910

esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components...

8.7 CVSS, 5.9 AI score, 0.00362 EPSS
Exploits 0, References 1
ATTACKERKB
added 2026/05/28 2:44 p.m., 8 views

CVE-2026-44593

esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, the legacy router first retrieves a response from legacyServer, parses the incoming request path, and ultimately writes the data to storage via buildStorage.Put. The router concatenates the path components...

8.7 CVSS, 5.9 AI score, 0.00362 EPSS
Exploits 0, References 2, Affected Software 1
Positive Technologies
added 2026/05/12 12:0 a.m., 8 views

PT-2026-40542

Name of the Vulnerable Software and Affected Versions: esm.sh versions 137 and earlier. Description: The legacy router retrieves a response from legacyServer, parses the request path, and writes data to storage using the buildStorage.Put function. Because the router concatenates path components...

8.7 CVSS, 6.5 AI score, 0.00362 EPSS
Exploits 0, References 5
OSV
added 2026/05/11 1:56 p.m., 4 views

GHSA-6RMH-7XCM-CPXJ PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution

Summary: PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. Details: The vulnerable server is the shippe...

7.3 CVSS, 6 AI score, 0.19037 EPSS
Exploits 3, References 3
Vulnrichment
added 2026/01/20 1:18 p.m., 3 views

CVE-2025-14376 Verve Asset Manager – Plaintext Storage Vulnerabilities

A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024...

8.6 CVSS, 5.3 AI score, 0.00126 EPSS
Exploits 0, References 1
OSV
added 2023/06/12 8:30 p.m., 24 views

GHSA-42R6-P4PX-QVV6 tgstation-server cached user logins in legacy server

Please note this advisory is for a historical preexisting issue in the legacy server from 2018. It has long since been triaged. It is being moved here for visibility. The text below is copied from the original issue 690. You can login to the server with any username/password combination if someone...

8.3 CVSS, 9.8 AI score, 0.01645 EPSS
Exploits 0, References 8
ATTACKERKB
added 2018/11/16 2:29 p.m., 2 views

Legacy Server BMC Remote Command Injection

In some Lenovo ThinkServer-branded servers, a command injection vulnerability exists in the BMC firmware download command. This allows a privileged user to download and execute arbitrary code inside the BMC. This can only be exploited by authorized privileged users...

7.2 CVSS, 6.1 AI score, 0.02419 EPSS
Exploits 0, References 2
CNVD
added 2018/01/25 12:0 a.m., 2 views

Ipswitch WhatsUp Gold 'legacy .ASP' Page SQL Injection Vulnerability

Ipswitch WhatsUp Gold is a suite of unified infrastructure and application monitoring software from Ipswitch USA. The software supports management of network, server, virtual environment and application performance, among other things. An SQL injection vulnerability exists in the legacy .ASP page...

9.8 CVSS, 8.4 AI score, 0.01149 EPSS
Exploits 0, References 1