Tekton Pipelines: HTTP Resolver Unbounded Response Body Read Enables Denial of Service via Memory Exhaustion
Summary: The HTTP resolver's FetchHttpResource function calls io.ReadAll(resp.Body) with no response body size limit. Any tenant with permission to create TaskRuns or PipelineRuns that reference the HTTP resolver can point it at an attacker-controlled HTTP server that returns a very large response...
CVE-2026-31881
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator admin password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization...
CVE-2026-31881
CVE-2026-31881 (Runtipi): Affects the Runtipi personal homeserver orchestrator. Before version 4.8.0, an unauthenticated attacker could exploit the password reset flow at POST /api/auth/reset-password during an active 15-minute reset window to set a new operator password and gain admin access, ca...
Predicting Tail-Risk Escalation in IDS Alert Time Series
Network defenders face a steady stream of attacks, observed as raw Intrusion Detection System (IDS) alerts. The sheer volume of alerts demands prioritization, typically based on high-level risk classifications. This work expands the scope of risk measurement by examining alerts not only through the...
CVE-2025-14002
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verificatio...
CVE-2025-14002
CVE-2025-14002 — The WPCOM Member plugin for WordPress allows authentication bypass via brute force. Root cause: weak OTP generation (6 digits) with a 10-minute validity and no rate limiting on verification attempts. Impact: unauthenticated attackers can log in as any user (including admins) if t...
CVE-2025-14002 WPCOM Member <= 1.7.16 - Authentication Bypass via Weak OTP
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verificatio...
EUVD-2025-203621
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verificatio...
PT-2025-51469
Name of the Vulnerable Software and Affected Versions: WPCOM Member plugin for WordPress versions prior to 1.7.17 Description: The software is susceptible to authentication bypass through brute-force attacks. This is caused by a weak One-Time Password (OTP) generation process, utilizing only six...
EUVD-2010-2268
Malware in sbrugna...
EUVD-2010-2269
Malware in sbrugna...
EUVD-2022-24971
Malicious code in bioql PyPI...
EUVD-2024-20586
Malicious code in bioql PyPI...
CVE-2025-35432
CVE-2025-35432 (CISA Thorium): Thorium versions prior to 1.1.1 did not rate limit account verification email requests, allowing a remote unauthenticated attacker to flood a user pending verification with unlimited messages. The issue is resolved in 1.1.1 by enabling a default rate limit of 10 min...
PT-2025-38231
Name of the Vulnerable Software and Affected Versions: Thorium versions prior to 1.1.1 Description: Thorium does not limit the rate of requests to send account verification email messages. This allows a remote, unauthenticated attacker to send an unlimited number of messages to a user awaiting...
CVE-2025-7774 Rockwell Automation ArmorBlock 5000 I/O – Web Server Vulnerabilities
A security issue exists within the 5032 16pt Digital Configurable module’s web server. Intercepted session credentials can be used within a 3-minute timeout window, allowing unauthorized users to perform privileged actions...
CVE-2025-7774
CVE-2025-7774 affects the Rockwell Automation 5032 16pt Digital Configurable module, specifically its web server. The root issue is that intercepted session credentials can be reused within a short 3‑minute timeout window to perform privileged actions. This vulnerability arises from session handl...
TOTOLINK CA300-PoE Command Injection Vulnerability
TOTOLINK CA300-PoE is a wireless access point from the Chinese company Gion Electronics (TOTOLINK). A command injection vulnerability exists in the ap.so file of the TOTOLINK CA300-PoE; it is caused by the hour/minute parameters in ap.so failing to correctly filter special characters in constructed commands...