CVE-2026-42400

CVE-2026-42400 affects Kibana with Uncontrolled Resource Consumption (CWE-400). An authenticated user can send a specially crafted compressed request payload that is processed before authorization checks, causing excessive memory and CPU usage and potentially making the Kibana instance unresponsi...

EUVD-2026-33030

Uncontrolled Resource Consumption CWE-400 in Kibana can lead to denial of service via Excessive Allocation CAPEC-130. An authenticated user can send a specially crafted compressed request payload that is processed prior to authorization checks, causing excessive memory and CPU resource consumptio...

📄 FUXA 1.2.9 Remote Code Execution

FUXA versions 1.2.9 and below suffers from an unauthenticated path traversal vulnerability that leads to arbitrary file write that enables remote code execution. Exploit Title: FUXA 1.2.9 - RCE Date: 4/24/2026 Exploit Author: Anthony Cihan Hann1bl3L3ct3r Vendor Homepage:...

GHSA-7V3R-M9C8-R855 Gotenberg's ExifTool group-prefix syntax bypasses dangerous-tag blocklist

Summary The ExifTool metadata write blocklist in Gotenberg v8 can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. This is a bypass of the fix for GHSA-qmwh-9m9c-h36m. Details The blocklist in...

Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field

Executive Summary A vulnerability has been found in Dgraph that gives an unauthenticated attacker full read access to every piece of data in the database. This affects Dgraph's default configuration where ACL is not enabled. The attack is a single HTTP POST to /mutate?commitNow=true containing a...

CVE-2026-39987

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSock...

Marimo Remote Code Execution Vulnerability

Marimo contains an pre-authorization remote code execution vulnerability, allowing an unauthenticated attacked to shell access and execute arbitrary system commands...

Bouncy Castle Uncontrolled Resource Consumption vulnerability

Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all pg modules. This issue affects BC-JAVA before 1.84. Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion...

GHSA-QCC3-JQWP-5VH2 OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification

Summary LINE webhook handler lacks shared pre-auth concurrency budget before signature verification Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Shipped v2026.3.28 lacks a shared pre-auth concurrency budget on the public LINE webhook path, but the effect is...

EUVD-2026-14407

An unauthenticated remote attacker can exploit a Pre-Auth blind SQL Injection vulnerability in the userinfo endpoint’s authentication method due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2024-32641

Masa CMS (open source Enterprise Content Management) has a remote code execution vulnerability in addParam that processes the criteria input and is evaluated by setDynamicContent, enabling unauthenticated code execution via the m tag. Affected versions are before 7.2.8, 7.3.13, and 7.4.6. Patches...

PT-2025-48817

Name of the Vulnerable Software and Affected Versions React Server Components versions 19.0.0 through 19.2.0 Description A pre-authentication remote code execution issue exists in React Server Components, specifically affecting the react-server-dom-parcel, react-server-dom-turbopack, and...

EUVD-2025-29248

Flowise through v3.0.4 is vulnerable to remote code execution via unsanitized evaluation of user input in the "Supabase RPC Filter" field...

EUVD-2022-51192

Malicious code in bioql PyPI...

EUVD-2022-51190

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2025-6710

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of...

CVE-2025-7382

A command injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR2 21.0.2 can lead to adjacent attackers achieving pre-auth code execution on High Availability HA auxiliary devices, if OTP authentication for the admin user is enabled...

CVE-2022-48496

Vulnerability of lax app identity verification in the pre-authorization function.Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized...

CVE-2022-48494

Vulnerability of lax app identity verification in the pre-authorization function.Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized...

PT-2024-13615 · Shrubbery · Tac Plus

Name of the Vulnerable Software and Affected Versions: Shrubbery tac plus versions 2.x through 4.x and versions up to F4.0.4.28 Description: The issue allows unauthenticated Remote Command Execution. It is caused by the product's ability to configure authorization checks as shell commands through...