VulnCheck KEV: CVE-2026-34926
A directory traversal vulnerability in the Apex One on-premise server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex...
EUVD-2026-28818
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address...
CVE-2026-6543 Authenticated Remote Code Execution Vulnerability in Langflow Code Validation Endpoint
IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB credentials), modifying files, or launching further attacks on the internal netwo...
CVE-2026-40551 Use of Client-Side Authentication in mpGabinet
mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. This issue affects mpGabinet version 23.12.19...
UBUNTU-CVE-2026-41305
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML tags, in CSS...
Tamper-Proofing with Self-Modifying Code
Classical computability theory tells us that self-modifying code (SMC) on a deterministic universal Turing machine can be simulated by non-SMC code on the same model. That abstraction, however, omits the external timing inputs, concurrency, and microarchitectural state that dominate practical...
CVE-2025-33242
NVIDIA B300 MCU contains a vulnerability in the CX8 MCU that could allow a malicious actor to modify unsupported registries, causing a bad state. A successful exploit of this vulnerability might lead to denial of service and data tampering...
Improper Input Validation
code.gitea.io/gitea is vulnerable to improper input validation. The vulnerability is due to insufficient validation of attachment file names in the attachment API, which allows an attacker to bypass file extension restrictions by modifying the attachment name...
CVE-2025-70141
SourceCodester Customer Support System 1.0 contains an incorrect access control vulnerability in ajax.php. The AJAX dispatcher does not enforce authentication or authorization before invoking administrative methods in adminclass.php based on the action parameter. An unauthenticated remote attacke...
Security update for python3
This update for python3 fixes the following issues: Security fixes: CVE-2025-4517: Fixed arbitrary filesystem writes outside the extraction directory during extraction with filter="data" (bsc#1244032). CVE-2025-4330: Fixed extraction filter bypass for linking outside extraction directory (bsc#1244060)...
CVE-2025-12449
CVE-2025-12449 (aBlocks – Gutenberg Blocks, WordPress Plugin) The vulnerability arises from missing capability checks on multiple AJAX actions in the aBlocks WordPress plugin (versions up to 2.4.0). This allows authenticated users with subscriber level access and above to modify data and disclose...
MAL-2025-189072 Malicious code in radiometric-proxima-ophiuchus-bellatrix (npm)
Source: amazon-inspector 42e4cebbe5b73c636c28c777ed6499e4fb906fcc3ffa5a700a0f16cd85821770 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in void-uglify-warn-export-zero (npm)
Source: amazon-inspector a289220d5fd74e336a5702c92af3412df6ca9b1feea3e4847d79f92987df0c7e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-184738 Malicious code in oloc-yg-uthgai (npm)
Source: amazon-inspector 30d5540f0b83deeb125d6796db3e6d0d52c2c6873fdfba379bdae72536f52f9f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in kisut-diufg-danuamffoa (npm)
Source: amazon-inspector ce5760eae659fba47723d88f4ec100f4cf544f5522f5f2dcb17e7c4e6ccccc9b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in @akunsansan0/karedok10 (npm)
Source: amazon-inspector 760fc35764b8672f159948588133673e83cadc18879c568c392864d3b7e9199c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-181177 Malicious code in @akunsansan0/batu13 (npm)
Source: amazon-inspector 30b835595d79d352ff2f989dc04be6ed4e61d405c4ab31ea6ccb50502a1a1891 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in teate-thy-sonic-afucug (npm)
Source: amazon-inspector 1f6b64423df5b6c94eb87ba08f7f9736ccf745a8843ef006f173b25898efa6d5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in teate-thy-sonic-ifza (npm)
Source: amazon-inspector bd5e00ab354d822596f6e38d5719546b78591deef69be645056072e16a487f35 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-180736 Malicious code in teate-thy-sonic-nesba (npm)
Source: amazon-inspector ce4266381f4bd8f22e37d6a50ceab8021f24544df121cb054aaae0cd7ddbce3d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...