Lucene search
K

601 matches found

Positive Technologies
Positive Technologies
added 2026/05/19 12:0 a.m.12 views

PT-2026-41970

Name of the Vulnerable Software and Affected Versions Algernon versions prior to 1.17.7 Description When Algernon is started with a single file path instead of a directory, the singleFileMode is enabled, which forcibly activates debugMode. This configuration enables the PrettyError renderer, whic...

7.5CVSS5.8AI score0.00303EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/18 12:59 p.m.17 views

iskorotkov/avro: Denial-of-Service Vulnerability in Decoder

Memory Exhaustion via Unbounded Map Allocations in Avro Decoder Summary The Avro map decoder accepted attacker-controlled block-element counts from the wire format and grew the destination map without enforcing an upper bound. The slice decoder already had Config.MaxSliceAllocSize for the...

7.5CVSS7.1AI score0.00797EPSS
Exploits1References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/14 6:25 p.m.16 views

dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary DefaultUsageTracker.emittoolcalledevent in src/dbtmcp/tracking/tracking.py serializes the complete arguments dictionary of every MCP tool call and transmits it verbatim to...

6AI score0.00042EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/14 6:25 p.m.10 views

GHSA-JJ54-R8GM-2FCF dbt MCP Server Transmits All MCP Tool Arguments Including Raw SQL and --vars Credentials to dbt Labs Telemetry by Default Without Redaction

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary DefaultUsageTracker.emittoolcalledevent in src/dbtmcp/tracking/tracking.py serializes the complete arguments dictionary of every MCP tool call and transmits it verbatim to...

3.1CVSS6AI score0.00042EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.19 views

PT-2026-41150

Discovered through manual source code review. Verified by PoC execution against a local dbt-mcp v1.15.1 installation. Summary DefaultUsageTracker.emit tool called event in src/dbt mcp/tracking/tracking.py serializes the complete arguments dictionary of every MCP tool call and transmits it verbati...

3.1CVSS6.1AI score0.00042EPSS
Exploits0References4
The Hacker News
The Hacker News
added 2026/05/13 6:55 a.m.13 views

Android Adds Intrusion Logging for Sophisticated Spyware Forensics

Google on Tuesday unveiled a new opt-in Android feature called Intrusion Logging for storing forensic logs to better analyze sophisticated spyware attacks. Intrusion Logging, available as part of Advanced Protection Mode, enables "persistent and privacy-preserving forensics logging to allow for...

5.9AI score
Exploits0
OSV
OSV
added 2026/05/12 7:42 a.m.6 views

MAL-2026-3679 Malicious code in @2oolkit/hyperliquid-cli (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c3af30011dcf54950f270463028270d732fce20b5cd5da44342a0748922e6df The package is advertised as a neutral CLI/MCP wrapper for Hyperliquid, but its distributed code silently routes value from the installer to an...

5.9AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/12 7:41 a.m.15 views

Malicious code in guan (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e04a9a658bc7616e72a5edf276dd049e5b697f2492c46929caf2e01fac95d84 The top-level src/guan/init.py unconditionally calls statisticsofguanpackage on every import guan. That function in src/guan/others.py opens a raw TC...

5.8AI score
Exploits0References2
OSV
OSV
added 2026/05/11 6:31 p.m.5 views

GHSA-9J32-3M66-MC4M Duplicate Advisory: OpenClaw: Hook mapping templates could bypass hook session-key opt-in

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2xcp-x87w-q377. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the...

6.3CVSS5.7AI score0.00279EPSS
Exploits0References5
NVD
NVD
added 2026/05/11 6:16 p.m.21 views

CVE-2026-45002

OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls...

6.3CVSS0.00279EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/05/07 12:0 a.m.7 views

Fedora 44 : gh (2026-5df889949e)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-5df889949e advisory. Update to 2.92.0 and make telemetry sending opt in. Tenable has extracted the preceding description block directly from the Fedora security advisory...

6.1CVSS5.9AI score0.00287EPSS
Exploits0References3
OSV
OSV
added 2026/04/30 7:30 p.m.2 views

JLSEC-2026-372

A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handleopt of the file /src/netbuiltin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The...

6.9CVSS5.4AI score0.00565EPSS
Exploits1References5
Patchstack
Patchstack
added 2026/04/25 11:45 p.m.6 views

NPM: OpenClaw: Hook mapping templates could bypass hook session-key opt-in

NPM: OpenClaw: Hook mapping templates could bypass hook session-key opt-in vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...

5.8AI score
Exploits0References3Affected Software1
OSV
OSV
added 2026/04/25 11:45 p.m.6 views

GHSA-2XCP-X87W-Q377 OpenClaw: Hook mapping templates could bypass hook session-key opt-in

Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact Templated hook mapping sessionKey values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when...

6.9CVSS5.9AI score0.00279EPSS
Exploits0References5
CVE
CVE
added 2026/04/25 4:15 p.m.16 views

CVE-2026-6985

CVE-2026-6985 affects Cesanta Mongoose up to 7.20, specifically the TCP Option Handler’s handle_opt in /src/net_builtin.c. The vulnerability arises from manipulating the argument optlen, which can cause an infinite loop. It is described as remotely exploitable, and an exploit has been made public...

7.5CVSS5.6AI score0.00565EPSS
Exploits1References5Affected Software1
Debian CVE
Debian CVE
added 2026/04/25 4:15 p.m.5 views

CVE-2026-6985

A weakness has been identified in Cesanta Mongoose up to 7.20. This vulnerability affects the function handleopt of the file /src/netbuiltin.c of the component TCP Option Handler. This manipulation of the argument optlen causes infinite loop. The attack is possible to be carried out remotely. The...

7.5CVSS5.4AI score0.00565EPSS
Exploits1
Github Security Blog
Github Security Blog
added 2026/04/24 8:43 p.m.13 views

wlc: print_html outputs API data without HTML escaping

Impact The HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting when the output is rendered in a browser. Patches https://github.com/WeblateOrg/wlc/pull/1327 Workarounds The only vulnerable code path is HTML output which is opt-in. Reference...

5.1CVSS4.9AI score0.00174EPSS
Exploits0References6Affected Software1
Packet Storm News
Packet Storm News
added 2026/04/18 12:0 a.m.4 views

Global Web, Local Privacy? an International Review of Web Tracking

Web tracking by ad networks, social networks, and other third parties is privacy-invasive. To protect users' privacy an increasing number of countries are adopting new privacy laws. However, a major reason why their application on the web is so challenging is that privacy laws are local while the...

5.8AI score
Exploits0
CNVD
CNVD
added 2026/04/16 12:0 a.m.5 views

D-Link DI-8003 Buffer Overflow Vulnerability (CNVD-2026-17623)

The D-Link DI-8003 is a wireless router from China-based AUO D-Link. The D-Link DI-8003 suffers from a buffer overflow vulnerability that stems from the s parameter in the pppoelistopt.asp endpoint failing to properly validate the length size of the input data, which can be exploited by an attack...

7.5CVSS6.1AI score0.00516EPSS
Exploits0
Packet Storm
Packet Storm
added 2026/04/13 12:0 a.m.75 views

📄 Pachno 1.0.6 Cross Site Request Forgery

Pachno version 1.0.6 suffers from a cross site request forgery vulnerability. Pachno 1.0.6 Cross-Site Request Forgery Vendor: Daniel André Eikeland Product web page: https://github.com/pachno/pachno Affected version: 1.0.6 Summary: Pachno is an open-source collaboration platform formerly known as...

5.2AI score
Exploits0
Rows per page
Query Builder