CVE-2026-54305 n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An...

CVE-2026-12580

CVE-2026-12580 affects Digiwin EasyFlow .NET. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw that permits authenticated remote attackers to inject persistent JavaScript code which executes in users’ browsers when a page loads. Impact is described as allowing the attacker to cause u...

CVE-2026-56276

Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password has...

CVE-2026-55201

CVE-2026-55201 affects Evil-WinRM (up to version 3.9). A path traversal in download_dir() can cause the server to generate filenames with traversal sequences from Get-ChildItem output, which are passed unsanitized to File.join(), enabling writes outside the intended download directory. Attackers ...

CVE-2026-48745

Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The...

Important: Red Hat Security Advisory: Red Hat OpenShift API for Data Protection

A new version of OpenShift API for Data Protection OADP is now available. OpenShift API for Data Protection OADP enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and...

Malicious code in index-ulid (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5acad250c58c9c27804a14b640d17438998fbaabd43b77c69008c7180014f361 index-ulid impersonates the legitimate ulid/ulidx ULID generator reuses ulid's description and links its homepage to github.com/ulid/javascript but i...

GHSA-RP9W-3FW7-7CWQ DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content

If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript: URL, even a full script -...

CVE-2016-20066 WordPress CP Polls 1.0.8 Persistent Cross-Site Scripting

WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary...

EUVD-2026-36702

A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth Open Authorization access token before a user logs out, they...

CVE-2026-44188

Affects Ansible Lightspeed (and Red Hat Ansible Automation Platform context) via insufficient session expiration that allows a valid OAuth token to remain usable after logout, enabling persistent access and unauthorized read of inventories, playbooks, and config data. The connected Red Hat adviso...

CVE-2026-44188 Ansible-lightspeed: ansible lightspeed: session hijacking and unauthorized data access due to insufficient session expiration

A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth Open Authorization access token before a user logs out, they...

CVE-2026-44188

A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth Open Authorization access token before a user logs out, they...

PT-2026-49189

A flaw was found in Ansible Lightspeed. This vulnerability, related to insufficient session expiration, allows a remote attacker to maintain persistent access to the Ansible Lightspeed instance. If an attacker exfiltrates a valid OAuth Open Authorization access token before a user logs out, they...

ROS-20260615-73-0042

The vulnerability of the persistentcachereadentryv3 function in the RDP client FreeRDP is related to buffer overflow in dynamic memory. Exploiting this vulnerability could allow an attacker to compromise the integrity and accessibility of protected information...

PT-2026-49559

If the HTML you give it contains a element, and inside that template there's an element with a shadow DOM attached to it, DOMPurify quietly skips over the shadow contents. Whatever the attacker put in there - an image with an onerror handler, a link with a javascript: URL, even a full script -...

CVE-2026-50101

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintai...

EUVD-2026-36529

The Naxclow platform API that returns device relay registration details exposes a persistent credential without verifying that the requester is the legitimate device or owner. An actor able to present a platform-valid request signature can retrieve credentials for arbitrary devices and register o...

CVE-2026-50101 Naxclow IoT Platform Not using password aging

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintai...

CVE-2026-50101 Naxclow IoT Platform Not using password aging

Naxclow devices use a server-side, per-device relay credential that never rotates and is re-issued to the device on each boot. Because this credential remains valid indefinitely and cannot be reset or revoked by the legitimate owner, any party that obtains it through any exposure path can maintai...