110 matches found
praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id}
Summary. Type: Authorization bypass enabling workspace metadata and settings tampering. The PATCH /workspaces/{workspaceId} endpoint is gated only by requireworkspacemember(workspaceid) (default minrole="member"). Any member can rewrite the workspace's name, description, and the settings JSON blob. The...
CVE-2026-42158
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID could update the metadata of an investigation belonging to another user. This vulnerability is fixed in 1.2.3...
CVE-2026-39942 Directus has a Path Traversal and Broken Access Control in File Management API
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...
CVE-2026-39942
CVE-2026-39942 (Directus) is a path traversal/broken access control issue in the Directus file management API. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. An attacker can set filename_disk to the storage path of another user’s file, allowing...
DEBIAN-CVE-2026-33173
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the...
CVE-2026-33173
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the...
SUSE CVE-2026-23992
go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to...
Malicious code in sirius-scorpius-sirius-parsec (npm)
Source: amazon-inspector 945110d04861c7ba28d752135fc122c0ded21115150e551cf17097d9fdfb3eb5. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-189269 Malicious code in rollup-plugin-chai-soap-terser-webpack-plugin (npm)
Source: amazon-inspector 961e8a7cfffd287292e217d76e3379b062907280f409cf0ea9836155a60343e2. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-190182 Malicious code in void-oberon-supernova-package (npm)
Source: amazon-inspector 1662dd30a3bfdab50f06631023e83a010a07f87f264297ccff4a1f470029289c. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in spinner-rest-standard-writable (npm)
Source: amazon-inspector ebdb152aca673463af38f743b1775bb01844887f70361930a578a2fcac67ff80. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in serialize-cloud-key-array-secure (npm)
Source: amazon-inspector d01874bd4c7f5835f39f72b5f76baf3b4f36532a530bfe790cfd96aaa71f6870. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in secure-eta-throw-index-fork (npm)
Source: amazon-inspector a6ef07f6a8d07c9ae7049f63ac2d5a0c363e46cfda057c7eb6353624e949ce2c. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in flights-tuiga-alukza (npm)
Source: amazon-inspector ae78f3017f1d48e680d47a29bb4fb6f3dbbe20742ee0b8aac53189fb838a44f9. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-181642 Malicious code in astam-ifst-dikg (npm)
Source: amazon-inspector 90022fb9e51aab356734925aaf6de982075f0406473d9023ed294ef58b67d036. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in masv-ilmo-civas (npm)
Source: amazon-inspector 9f437d29167926781bbcba80ae934ed6c768eecc49fd82bae3827bcc8dcc5790. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in baso59 (npm)
Source: amazon-inspector 6e5e93d29eddc21366fdb7fb7190c4cd298a49c63146554ea1aab064ee4b1fa5. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in teate-thy-py-ojto (npm)
Source: amazon-inspector 2b33b2cff7f6c077f2a44d8be2eebffba02adb7687488759ae0233fa6fd3d62a. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-175920 Malicious code in mahiy-sutabu-gin (npm)
Source: amazon-inspector 8e157c750984d6059f5e0177cc89e863199cca889ff7b88bb6f4c4736d0cd902. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-172868 Malicious code in ananda-poke12 (npm)
Source: amazon-inspector aa155cc86240ca8ba1ea2b62b9ea36e2835bf85450e68f3703f2b45b6b776d2b. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...