EUVD-2026-36991

Subscriber Broken Access Control in ChatBot = 7.9.7 versions...

CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys proto, constructor, and prototype added in 3.9.3, see GHSA-5fgg-jcpf-8jjw, but did not...

PT-2026-49426

Subscriber Broken Access Control in ChatBot = 7.9.7 versions...

CVE-2026-50552

Koel (open-source music streaming) is affected prior to version 9.7.1 by a Server-Side Request Forgery (SSRF) in the radio station creation endpoint (POST /api/radio/stations). The url validation rules are declared without bail, allowing the HasAudioContentType rule to issue HTTP requests even af...

EUVD-2026-36546

Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery SSRF vulnerability in the radio station creation endpoint POST /api/radio/stations. The url field validation rules are declared without the bail keyword, so the...

EUVD-2026-31981

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

CVE-2026-44449

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPathfullPath call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation...

PT-2026-43401

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, when the primary toSmbPathfullPath call throws, the method falls back to a dirname/basename split and only validates the directory prefix. The basename is concatenated directly into the smbclient -c script without validation...

OpenCTI 访问控制错误漏洞

OpenCTI is an open-source network threat intelligence platform developed by OpenCTI. Versions of OpenCTI prior to 6.9.7 contained a access control vulnerability. This vulnerability stemmed from incorrect Access Control Lists ACLs when users were editing relationship additions, potentially allowin...

PT-2026-43350

Name of the Vulnerable Software and Affected Versions OpenCTI versions prior to 6.9.7 Description An organization administrator can escalate their privileges by adding a user from a different organization who possesses higher privileges into their own organization. This occurs due to an incorrect...

CVE-2026-44504 Aegra: Cross-user run injection in /threads/{thread_id}/runs (IDOR)

Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated attacker, given another user's threadid, can execute graph runs against the user's thread, read the user's full...

Oracle Linux 8 : libxml2 (ELSA-2026-11349)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-11349 advisory. - Fix CVE-2025-9714 RHEL-119279 - Fix CVE-2025-32415 RHEL-100177 - Fix CVE-2025-7425 RHEL-102797 - Fix CVE-2025-6021 RHEL-96498 - Fix CVE-2025-49794 RHEL-96398...

CVE-2026-40740

Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through = 3.9.7...

CVE-2026-40740

Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through = 3.9.7...

CVE-2026-30778

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue...

CVE-2026-30778

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue...

CVE-2026-3358

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing poststatus validation in the enrollnow and courseenrollment functions. Both enrollment endpoints...

@openinc/parse-server-opendash (>=4.0.0 <=4.0.11) potentially affected by CVE-2026-39381 via parse-server (>=9.6.0-alpha.37 <=9.7.0)

parse-server NPM version =9.6.0-alpha.37, =4.0.0, =4.0.11 Source cves: CVE-2026-39381 Source advisory: SNYK:JS-PARSESERVER-15928862...

EUVD-2026-17504

Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value...

CVE-2026-34574 Parse Server: Session field immutability bypass via falsy-value guard

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields expiresAt, createdWith by sending a null value in a PUT request to the...