384 matches found
CVE-2026-32718
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, mutating API validation endpoints are guarded by read ability, allowing read-scoped API tokens to perform state-changing operations such as validating cloud tokens and...
GO-2026-5402 SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs in github.com/siyuan-note/siyuan/kernel
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs in github.com/siyuan-note/siyuan/kernel...
CVE-2026-47261
Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 pathopen interfaces by...
CVE-2026-41327
Dgraph is an open source distributed GraphQL database. Prior to 25.3.3, a vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a...
wasmtime-wasi: WASI path_open(TRUNCATE) bypasses `FilePerms::WRITE` host restriction
Summary In wasmtime-wasi, when a filesystem preopen is given DirPerms::all and FilePerms::READ without FilePerms::WRITE, this wasmtime-wasi enforced access control mechanism can be bypassed by using the wasip2 descriptor.open-at or wasip1 pathopen interfaces by opening a file with...
EUVD-2026-30360
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, POST /api/tag/getTag is registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly, despite the handler performing a configuration write that is normally guarded by both. Any...
CVE-2026-45371 SiYuan: SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST /api/storage/updateRecentDocViewTime, POST...
CVE-2026-45371 SiYuan: SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST /api/storage/updateRecentDocViewTime, POST...
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
Summary SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST /api/storage/updateRecentDocViewTime, POST /api/storage/updateRecentDocCloseTime, POST...
PT-2026-35031
Name of the Vulnerable Software and Affected Versions Dgraph versions prior to 25.3.3 Description An issue exists in Dgraph that allows an unauthenticated attacker to gain full read access to all data in the database. This occurs in the default configuration where Access Control Lists ACL are...
CVE-2026-35620 OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands
OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce...
CVE-2021-28860
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via 'proto' through the mutate and merge functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential...
MAL-2025-187065 Malicious code in fusion-inflation-dactyl-webpack (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector afd7df62b134bcc7afb6138cd72c0148fe9828de23d7012fa0e5c0c2047e9063 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-189516 Malicious code in sirius-lynx-antares-server (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fe1b1189742e5aae02454df7ad46c469deecbe1d18ea01b1feb3d6b00b7c548d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-188454 Malicious code in optimize-double-nu-cluster-function (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9b98723aa7741d128b3d9fe5fff42be8f635f757b1c6bf032d86eed998a8200 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in cosmochemistry-lacerta-magnetosphere-reveal-md (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08d0d5db9b30a391c486f37cb6ced3a4f296a525efa9c588f34a6a3845fe226e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in meta-code-debug-key-old (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8c44349ff42d4f48dca55e6eede52c18fd580f1050b7cfe7ef57d36b8602a3fc This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in archaeogenetics-csrf-aquarius-perturbation (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f3bf298157c040760bce94b452e888389305beacf18b29f6f82b92ab32890e45 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-189918 Malicious code in thread-compile-parse-decrypt-air (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6a7146ef933c1aa178443b1e6366208057596a2447d96deb31dc0f893f501187 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in bad-transpile-xml-signal-cache (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 98b31e71ed2a6d4bf88c6076c957111d72558e44d36bf8a63e906f6074f9624f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...