MAL-2026-4350 Malicious code in clobprice.api (npm)

A campaign of npm packages sharing a common dropper clob.js that downloads and persistently installs a Windows executable from IPFS on postinstall. The dropper fetches the binary from IPFS CID bafybeif3zkapj364ofnrvbty7oj5h5ufpxlp4s62usk3ulxrru35e3gssa via multiple public gateways Pinata,...

Astra Linux - уязвимость в openimageio

There is a heap-out-of-bounds read vulnerability in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, it relates to the handling of run-length encoded byte spans. A malformed RLA file can lead to an out-of-bounds read of heap metadata, potentially...

CVE-2026-29055 Tandoor Recipes: WebP and GIF Image Uploads Bypass EXIF/Metadata Stripping, Leaking GPS Coordinates and PII

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the image processing pipeline in Tandoor Recipes explicitly skips EXIF metadata stripping, image rescaling, and size validation for WebP and GIF image formats. A...

PT-2026-26371

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 2026.3.0-latest.1 Discourse versions prior to 2026.2.1 Discourse versions prior to 2026.1.2 Description Discourse is an open-source discussion platform. Versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2...

BIT-AIRFLOW-2026-26929 Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dagid set to "" wildcard for all DAGs. As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users ar...

Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dagid set to "" wildcard for all DAGs. As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users ar...

CVE-2026-26929 Apache Airflow: Wildcard DagVersion Listing Bypasses Per‑DAG RBAC and Leaks Metadata

Apache Airflow versions 3.0.0 through 3.1.7 FastAPI DagVersion listing API does not apply per-DAG authorization filtering when the request is made with dagid set to "" wildcard for all DAGs. As a result, version metadata of DAGs that the requester is not authorized to access is returned. Users ar...

CVE-2026-27661

A vulnerability has been identified in SINEC Security Monitor All versions V4.9.0. The affected application leaks confidential information in metadata, and files such as information on contributors and email address, on SSM Server...

CVE-2026-27796 Homarr: Unauthenticated Information Disclosure (Integration Metadata Leak)

Homarr is an open-source dashboard. Prior to version 1.54.0, the integration.all tRPC endpoint in Homarr is exposed as a publicProcedure, allowing unauthenticated users to retrieve a complete list of configured integrations. This metadata includes sensitive information such as internal service...

CVE-2020-10975

GitLab EE/CE 10.8 to 12.9 is leaking metadata and comments on vulnerabilities to unauthorized users on the vulnerability feedback page...

TencentOS Server 4: grafana (TSSA-2025:0339)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2025:0339 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...

EUVD-2008-1299

Malware in sbrugna...

CVE-2024-1279

The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent user with at least the contributor role from leaking other users' sensitive metadata...

CVE-2020-0286

In Bluetooth AVRCP, there is a possible leak of audio metadata due to residual data. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-150214479...

CVE-2025-2424

Mattermost vulnerability CVE-2025-2424 affects Mattermost releases 10.5.x ≤ 10.5.1 and 9.11.x ≤ 9.11.9. The root cause is a failure to verify whether a file has been deleted when creating a bookmark, which can let an attacker who knows deleted file IDs obtain metadata of those files via bookmark ...

CVE-2025-2424 Leaked Metadata of Deleted Files via Bookmark Creation

Mattermost versions 10.5.x = 10.5.1, 9.11.x = 9.11.9 fail to check if a file has been deleted when creating a bookmark which allows an attacker who knows the IDs of deleted files to obtain metadata of the files via bookmark creation...

CVE-2025-27149 Zulip exports can leak private data

Zulip server provides an open-source team chat that helps teams stay productive and focused. Prior to 10.0, the data export to organization administrators feature in Zulip leaks private data. The collection of user-agent types identifying specific integrations or HTTP libraries E.g.,...

Exposure of Sensitive Information Through Metadata

Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Exposure of Sensitive Information Through Metadata due to an issue in proxyserver.py. An attacker can obtain sensitive information, including API keys, by triggering error...

CVE-2025-0503

Mattermost 9.11.x

CVE-2024-53866 pnpm vulnerable to no-script global cache poisoning via overrides / `ignore-scripts` evasion

The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data including on first...