29 matches found

Vulnrichment
added 2026/06/15 9:57 a.m. · 9 views

CVE-2026-11860 Insecure Deserialisation via Plaintext HTTP leading to Remote Code Execution in Quick.CMS

Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class...

CVSS 7.5 · AI score 6.2 · EPSS 0.00235
Exploits 0 · References 2
OSV
added 2026/05/26 11:38 p.m. · 7 views

GHSA-9RFG-V8G9-9367 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet. Summary: An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify...

CVSS 7 · AI score 5.4 · EPSS 0.00171
Exploits 0 · References 4
CVE
added 2026/04/14 3:09 p.m. · 17 views

CVE-2026-2399

CVE-2026-2399 describes a Path Traversal flaw (CWE-22) that can cause critical files to be overwritten with text data when a Web Admin user alters the POST /REST/upssleep payload. The vulnerability arises from improper limitation of a pathname to a restricted directory. Impact per the provided me...

CVSS 6.9 · AI score 5.8 · EPSS 0.00204
Exploits 0 · References 1 · Affected Software 1
NVD
added 2026/02/12 11:16 p.m. · 8 views

CVE-2019-25320

E Learning Script 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard without valid credentials by manipulating login parameters. Attackers can exploit the /login.php file by sending a specific payload '=''or' to bypass authentication and gain...

CVSS 8.8 · EPSS 0.00308
Exploits 0 · References 3
OSV
added 2026/01/13 8:37 p.m. · 4 views

GHSA-G5GC-H5HP-555F Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State

Summary / Description: A Mass Assignment (CWE-915) vulnerability in AdonisJS Lucid may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or...

CVSS 8.2 · AI score 6.8 · EPSS 0.00473
Exploits 0 · References 3
OSV
added 2026/01/02 9:16 p.m. · 2 views

GHSA-2MWC-H2MG-V6P8 Bagisto has HTML Filter Bypass that Enables Stored XSS

Summary: A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally attempts to sanitize tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be...

CVSS 6.3 · AI score 6 · EPSS 0.00489
Exploits 1 · References 5
Snyk
added 2025/12/04 4:54 p.m. · 2 views

Improper Verification of Cryptographic Signature

Overview: Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature via the createVerify function when using HS256 HMAC algorithms and incorporating user-provided data from the JSON Web Signature Protected Header or Payload in HMAC secret lookup routines...

CVSS 8.2 · AI score 6.8 · EPSS 0.00193
Exploits 1 · References 2
OSV
added 2025/11/12 10:25 p.m. · 4 views

MAL-2025-184544 Malicious code in mokok-lukni-huj (npm)

Per source details. Source: amazon-inspector 83c6dc8e09e5dc00feb7c42dc7cd7ae8d5aa0c483d4e8a3cd1bec073ef2779dc. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits 0
OSSF Malicious Packages
added 2025/11/11 4:25 a.m. · 4 views

Malicious code in fajar-kue44-riris (npm)

Per source details. Source: amazon-inspector f0d9180898f21d61caa97e2565cf9fbe6f64a4b5499830712dc6d251e40fe984. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0
OSV
added 2025/11/11 12:17 a.m. · 3 views

MAL-2025-64323 Malicious code in molecular_caterpillar_z3n (npm)

Per source details. Source: amazon-inspector 690e1cea006dd78ba30e9b8ae1a8c20674b6ffbbdd3f906a3f772ba1224091f7. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits 0
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2025-24588

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 6.6 · EPSS 0.0037
Exploits 1 · References 1
OSV
added 2025/04/04 4:05 p.m. · 14 views

GHSA-33XW-247W-6HMC BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization

Summary: A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version v1.4.2 of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. Details: There is an unsafe code segment in serde.py: Python def...

CVSS 9.8 · AI score 9.9 · EPSS 0.44358
Exploits 5 · References 4
Github Security Blog
added 2025/04/04 4:05 p.m. · 26 views

BentoML Allows Remote Code Execution (RCE) via Insecure Deserialization

Summary: A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version v1.4.2 of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. Details: There is an unsafe code segment in serde.py: Python def...

CVSS 9.8 · AI score 8.6 · EPSS 0.44358
Exploits 5 · References 4 · Affected Software 1
OSV
added 2024/05/15 10:08 p.m. · 10 views

GHSA-7852-W36X-6MF6 Laravel Encrypter Component Potential Decryption Failure Leading to Unintended Behavior

The Laravel Encrypter component is susceptible to a vulnerability that may result in decryption failure, leading to an unexpected return of false. Exploiting this issue requires the attacker to manipulate the encrypted payload before decryption. When combined with weak type comparisons in the...

AI score 7.1
Exploits 0 · References 5
Positive Technologies
added 2024/05/15 12:00 a.m. · 4 views

PT-2024-40153 · Laravel · Laravel Encrypter

Name of the Vulnerable Software and Affected Versions: Laravel Encrypter (affected versions not specified). Description: The issue affects the Laravel Encrypter component, potentially causing decryption failure and returning false. An attacker can exploit this by manipulating the encrypted payload...

AI score 7.7
Exploits 0 · References 6
Ubuntu
added 2023/08/17 2:53 p.m. · 57 views

USN-6294-2: HAProxy vulnerability

USN-6294-1 fixed vulnerabilities in HAProxy. This update provides the corresponding updates for Ubuntu 20.04 LTS. Original advisory details: Ben Kallus discovered that HAProxy incorrectly handled empty Content-Length headers. A remote attacker could possibly use this issue to manipulate the paylo...

CVSS 7.2 · AI score 7.1 · EPSS 0.01815
Exploits 1
OSV
added 2023/08/17 2:53 p.m. · 8 views

USN-6294-2 haproxy vulnerability

USN-6294-1 fixed vulnerabilities in HAProxy. This update provides the corresponding updates for Ubuntu 20.04 LTS. Original advisory details: Ben Kallus discovered that HAProxy incorrectly handled empty Content-Length headers. A remote attacker could possibly use this issue to manipulate the paylo...

CVSS 7.2 · AI score 7.1 · EPSS 0.01815
Exploits 1 · References 2
OSV
added 2023/08/16 2:11 p.m. · 10 views

USN-6294-1 haproxy vulnerability

Ben Kallus discovered that HAProxy incorrectly handled empty Content-Length headers. A remote attacker could possibly use this issue to manipulate the payload and bypass certain restrictions...

CVSS 7.2 · AI score 7.1 · EPSS 0.01815
Exploits 1 · References 2
Ubuntu
added 2023/08/16 2:11 p.m. · 51 views

USN-6294-1: HAProxy vulnerability

Ben Kallus discovered that HAProxy incorrectly handled empty Content-Length headers. A remote attacker could possibly use this issue to manipulate the payload and bypass certain restrictions...

CVSS 7.2 · AI score 7.1 · EPSS 0.01815
Exploits 1
Vulnrichment
added 2023/05/09 11:51 a.m. · 11 views

CVE-2023-29105

A vulnerability has been identified in SIMATIC Cloud Connect 7 CC712 (All versions = V2.0 = V2.0 V2.1), SIMATIC Cloud Connect 7 CC716 (All versions V2.1). The affected device is vulnerable to a denial of service while parsing a random non-JSON MQTT payload. This could allow an attacker who can...

CVSS 5.9 · AI score 7.2 · EPSS 0.00551
Exploits 0 · References 1