GHSA-W7PM-9G55-MXFM stigmem-node's unsigned plugin override could be enabled without a second explicit acknowledgment
Impact A single configuration flag could disable plugin signature enforcement. If an operator unintentionally carried that setting into an environment where plugin paths are writable by less-trusted users, unsigned plugin code could be loaded. Patches Patched in 0.9.0a2. Disabling plugin signatur...
CVE-2026-45574 epa4all-client: TLS Certificate Validation Disabled in Production
epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the ePA service and the Konnektor can present any TLS certificate (self-signed, expired, wrong CN) and intercept all SOAP traffic. This includes patient...
CVE-2025-8325 Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Operations
The software fails to enforce role-based access controls for certain Gateway API invocations. Users with the 'Internal/Everyone' role can invoke these APIs, bypassing intended permission checks. This same vulnerability also affects Internal Service APIs, potentially exposing them in WSO2 APIM 3.x...
PT-2026-39584
Name of the Vulnerable Software and Affected Versions WSO2 APIM versions 3.x Description The software fails to enforce role-based access controls for certain Gateway API and Internal Service API invocations. Users assigned the 'Internal/Everyone' role can invoke these APIs, bypassing intended...
Why Most AI Deployments Stall After the Demo
The fastest way to fall in love with an AI tool is to watch the demo. Everything moves quickly. Prompts land cleanly. The system produces impressive outputs in seconds. It feels like the beginning of a new era for your team. But most AI initiatives don't fail because of bad technology. They stall...
GHSA-PM7Q-RJJX-979P Oxia exposes bearer token in debug log messages on authentication failure
Summary When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system. Impact An attacker with access to application logs e.g., via a...
SUSE CVE-2026-27969
Vitess is a database clustering system for horizontal scaling of MySQL. Prior to versions 23.0.3 and 22.0.4, anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest - which may be files that they have also...
Siemens SINEC Security Monitor Security Vulnerability
SINEC Security Monitor is a modular network security software for passive, non-intrusive, continuous network security monitoring during production at customer premises. Siemens SINEC Security Monitor suffers from an information disclosure vulnerability that can be exploited by attackers to obtain...
Vitess users with backup storage access can write to arbitrary file paths on restore
Impact Anyone with read/write access to the backup storage location (e.g. an S3 bucket) can manipulate backup manifest files so that files in the manifest — which may be files that they have also added to the manifest and backup contents — are written to any accessible location on restore. This is ...
CVE-2026-27965
Vitess CVE-2026-27965 affects versions older than 23.0.3 and 22.0.4, where read/write access to backup storage (e.g., S3) lets an attacker modify backup manifest files and cause arbitrary code to run when the backup is restored, potentially gaining unauthorized access to production. A patch exist...
TruConfirm: Autonomous, Agent-Led, Safe Exploit Validation for Real-World Risk Reduction
Key Takeaways CISOs still can’t answer the only question that matters: Is this exposure exploitable on this asset, in our production environment, against our controls, right now? The vulnerability firehose broke the old model: With 48,177 CVEs published in 2025, “critical” lists are too large to...
PT-2026-1700
Name of the Vulnerable Software and Affected Versions WebConsole affected versions not specified Description The Report Builder component stores user input directly into a web page and displays it to other users, potentially leading to a Cross-Site Scripting (XSS) attack. The scripts are executed...
CVE-2025-65110
A flaw was found in Vega, a library used for creating interactive data visualizations. This vulnerability affects applications that expose the Vega library globally and process user-provided visualization definitions. A remote attacker could exploit this by convincing a user to open a specially...
MAL-2025-192594 Malicious code in prod-natwest (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd39817ff9b18b049493c5014a7a0d4f69bd3cf2f4f2a2aebff64453e6ca7519 The package prod-natwest was found to contain malicious code. Source: ghsa-malware efa89a8af6324d2f6726e938c72b64a0b9a1ffbe7788455e95c7ff05752aba50 A...
CVE-2025-64746
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This...
CVE-2025-64746
Directus before 11.13.0 improperly cleans up field-level permissions when a field is deleted. A stale permission reference remains in the permissions table; if a new field with the same name is created, it inherits those outdated permissions, potentially granting access to data users should not r...
EUVD-2020-0273
Malware in sbrugna...
EUVD-2023-2754
Malicious code in bioql PyPI...
Cross-site Request Forgery (CSRF)
Overview @apollo/explorer hosts the source for Apollo Studio's Embeddable Explorer. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) via missing origin validation in the window.postMessage process. An attacker can execute unauthorized GraphQL queri...
Do Not Install the rsync Service
The rsync service can synchronize data between servers or between local drive partitions. However, information leakage risks exist because rsync uses non-encrypted transmission protocols. If the rsync service is enabled and data is transmitted between servers over the network, attackers can...