16 matches found
@activepieces/piece-ai (>=0.3.1 <=0.3.4), @evertondgn/polyhive-cli (=0.1.62) +5 more potentially affected by CVE-2026-6321 via fast-uri (>=3.0.1 <=3.1.0)
fast-uri NPM version =3.0.1, =0.3.1, =5.4.3, =1.0.0, =1.0.0, =2.2.0, =2.3.1 Source cves: CVE-2026-6321 Source advisory: SNYK:JS-FASTURI-16642399...
@algolia/coquille (>=0.0.2 <=0.0.13), @candlelabs/sdk (>=1.0.1 <=1.0.2) +20 more potentially affected by CVE-2026-33750 via brace-expansion (>=1.1.0 <=1.1.11)
brace-expansion NPM version =1.1.0, =0.0.2, =1.0.1, =0.0.1, =0.1.0, =1.0.0, =1.0.0, =1.1.1, =1.0.3-dev.20180316T104657Z.4a84a30, =1.1.0 and more Source cves: CVE-2026-33750 Source advisory: SNYK:JS-BRACEEXPANSION-15789759...
EUVD-2002-1005
Malware in sbrugna...
The USDOMarketModule contract's lend function allows for dangerous call delegation
Lines of code Vulnerability details Impact The USDOMarketModule contract is a module that is used by the BaseUSDO contract to facilitate functionality for market actions. The module functionality is invoked through the invocation of a delegatecall within the BaseUSDO contract's executeModule...
[M-03] Wrong minting on lend for Tempus
Lines of code Vulnerability details Impact Will result in either failure to lend or loss of funds for the lender Proof of Concept Not very clear what was the original intention, but I find it hard to believe that subtracting the whole balanceOf iPTs from the return result from Tempus, is what was...
Unpaused modifier can be sidestepped in one of the lend functions.
Lines of code Vulnerability details Impact Suppose you tried to pause the lend function that is connected to Swivel. In that case, the attacker could sidestep it because there is no verification that the number input from the user corresponds with the desired input. Proof of Concept Let's say a b...
User to lose all the funds when lend() to Swivel
Lines of code Vulnerability details function lend uint8 p, address u, uint256 m, uint256 memory a, address y, Swivel.Order calldata o, Swivel.Components calldata s public unpausedp returns uint256 // lent represents the number of underlying tokens lent uint256 lent; // returned represents the...
[H-03] Attacker can mint unbound amount of iPTs (on APWine)
Lines of code Vulnerability details Note that I've reported a similar vulnerability, on a different 'Principals' and POC\attack vector is a bit different. I will leave it to the judge to decide if these should be grouped as 1 report or not - but I wanted to be specific at the POC instead of...
No minting done in the Element version of lend function, user funds are frozen within the system
Lines of code Vulnerability details Lender's Element lend transfers the funds from a user, opens the position with Element, but fails to mint a corresponding Illuminate position to a user. Setting severity to be high as there is no account of user investment is effectively created, so there is no...
lend() to Tempus will return less than expected or just revert
Lines of code Vulnerability details function lend uint8 p, address u, uint256 m, uint256 a, uint256 r, uint256 d, address t, address x public unpausedp returns uint256 // Instantiate market and tokens address principal = IMarketPlacemarketPlace.marketsu, m, p; if ITempusprincipal.yieldBearingToke...
NFTPairWithOracle's _lend ignores accepted.oracle and allows to start loan with empty params.oracle
Lines of code Vulnerability details Impact As lend doesn't require params.oracle to be valid, while removeCollateral does, the loan initiation with an empty oracle can lead to ignoring collateral valuation. As the deals are OTC this can be seen as lender decision. However, lend ignores...
Protocol doesn't handle fee on transfer tokens
Lines of code Vulnerability details Impact Since the borrower is able to specify any asset token, it is possible that loans will be created with tokens that support fee on transfer. If a fee on transfer asset token is chosen, the protocol will contain a point of failure on the original lend call...
Lend and borrow tickets can be transferred to the NFTLoanFacilitator
Lines of code Vulnerability details Impact Both lend and borrow tickets can be intentionally or accidentally transferred to the NFTLoanFacilitator contract. Since the NFTLoanFacilitator has no mechanism for rescuing these tokens or preventing their transfer, borrowers may be unable to repay,...
Dashboard is not working, lend positions are still loading, the same is for Lend button, Lend Amount to lend is not refreshing
Handle 0v3rf10w Vulnerability details Impact Detailed description of the impact of this finding. Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept. Tools Used Recommended Mitigation Steps --- The...
CVE-2002-1016
Adobe eBook Reader allows a user to bypass restrictions for copy, print, lend, and give operations by backing up key data files, performing the operations, and restoring the original data files...
CVE-2002-1016
CVE-2002-1016 concerns the Adobe eBook Reader. Local users can bypass DRM restrictions on copy, print, lend, and give operations by backing up key data files, performing the operations, and restoring the originals. The root cause is how the DRM-enabled workflow handles key data files, enabling ci...