113 matches found
CVE-2026-56269
Flowise before 3.1.0 npm package flowise, versions 3.0.13 and earlier uses a weak hardcoded default value 'Secre$t' for the TOKENHASHSECRET environment variable in packages/server/src/enterprise/utils/tempTokenUtils.ts when the variable is not configured. This secret derives the AES-256-CBC key...
praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id}
Summary Type: Authorization bypass enabling workspace metadata + settings tampering. The PATCH /workspaces/workspaceid endpoint is gated only by requireworkspacememberworkspaceid default minrole="member". Any member can rewrite the workspace's name, description, and the settings JSON blob. The...
CVE-2026-42158
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID, could update the metadata of an investigation of another user. This vulnerability is fixed in 1.2.3...
CVE-2026-31835 Vaultwarden WebAuthn credential metadata tampered before signature verification
Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in validatewebauthnlogin updates persistent credential metadata 1backupeligible1 and 1backupstate flags1 based on unverified authenticatorData before signature validation...
PT-2026-51774
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.0 Description The software uses a weak hardcoded default value 'Secre$t' for the TOKEN HASH SECRET environment variable in the packages/server/src/enterprise/utils/tempTokenUtils.ts file when the variable is not...
CVE-2026-39942 Directus has a Path Traversal and Broken Access Control in File Management API
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/id endpoint accepts a user-controlled filenamedisk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...
CVE-2026-39942
CVE-2026-39942 (Directus) is a path traversal/broken access control issue in the Directus file management API. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. An attacker can set filename_disk to the storage path of another user’s file, allowing...
DEBIAN-CVE-2026-33173
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the...
CVE-2026-33173
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the...
SUSE CVE-2026-23992
go-tuf is a Go implementation of The Update Framework TUF. Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to...
Malicious code in spinner-rest-standard-writable (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebdb152aca673463af38f743b1775bb01844887f70361930a578a2fcac67ff80 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in sirius-scorpius-sirius-parsec (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 945110d04861c7ba28d752135fc122c0ded21115150e551cf17097d9fdfb3eb5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in secure-eta-throw-index-fork (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a6ef07f6a8d07c9ae7049f63ac2d5a0c363e46cfda057c7eb6353624e949ce2c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in serialize-cloud-key-array-secure (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d01874bd4c7f5835f39f72b5f76baf3b4f36532a530bfe790cfd96aaa71f6870 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-189269 Malicious code in rollup-plugin-chai-soap-terser-webpack-plugin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 961e8a7cfffd287292e217d76e3379b062907280f409cf0ea9836155a60343e2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-190182 Malicious code in void-oberon-supernova-package (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1662dd30a3bfdab50f06631023e83a010a07f87f264297ccff4a1f470029289c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in masv-ilmo-civas (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9f437d29167926781bbcba80ae934ed6c768eecc49fd82bae3827bcc8dcc5790 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in flights-tuiga-alukza (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ae78f3017f1d48e680d47a29bb4fb6f3dbbe20742ee0b8aac53189fb838a44f9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-181642 Malicious code in astam-ifst-dikg (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 90022fb9e51aab356734925aaf6de982075f0406473d9023ed294ef58b67d036 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in baso59 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e5e93d29eddc21366fdb7fb7190c4cd298a49c63146554ea1aab064ee4b1fa5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...