CVE-2026-35394
Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobileopenurl tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls...
GHSA-5QHV-X9J4-C3VM @mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url
Summary The mobileopenurl tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. Details The vulnerable code pass...
CVE-2025-67848
A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability LTI Provider. The issue arises from the LTI authentication handlers failing to enforce the user's suspension status, enabling unauthorized access...
EUVD-2021-26019
Malware in sbrugna...
EUVD-2021-12395
Malware in sbrugna...
EUVD-2023-25634
Malicious code in bioql PyPI...
EUVD-2024-37708
Malicious code in bioql PyPI...
EUVD-2023-48488
Malicious code in bioql PyPI...
GHSA-RCW7-PQFP-735X secrets-store-sync-controller discloses service account tokens in logs
Hello Kubernetes Community, A security issue was discovered in secrets-store-sync-controller where an actor with access to the controller logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vau...
CVE-2024-47077
authentik is an open-source identity provider. Prior to versions 2024.8.3 and 2024.6.5, access tokens issued to one application can be stolen by that application and used to impersonate the user against any other proxy provider. Also, a user can steal an access token they were legitimately issued...
kcp allows unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual Workspace
Impact The APIExport Virtual Workspace can be used to manage objects in workspaces that bind that APIExport for resources defined in the APIExport or specified and accepted via permission claims. This allows an API provider via their APIExport scoped down access to workspaces of API consumers to...
CVE-2024-13041
Summary: CVE-2024-13041 affects GitLab CE/EE versions with SAML user creation where the external groups setting overrides the external provider configuration, potentially allowing internal project/group access to non-external users. Affected versions (per sources): GitLab 16.4 up to 17.5.5 (pre-1...
CVE-2024-11358 Insecure Android File Provider Paths
Mattermost Android Mobile Apps versions =2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider...
CVE-2023-38048
CVE-2023-38048 affects Easy!Appointments (older releases) via a BOLA vulnerability in GET, PUT, DELETE /providers/{providerId}, enabling a low-privileged user to fetch, modify, or delete a privileged provider account. The vulnerability is described consistently across sources as an insecure autho...
CVE-2024-3744
A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access secrets stored in cloud vault solutions. Tokens are only logged whe...
CVE-2023-44129
Summary: CVE-2023-44129 affects LG-patched Android Messaging (com.android.mms) via the exported activity com.android.mms.ui.QClipIntentReceiverActivity. An attacker can trigger the activity, broadcast the action com.lge.message.action.QCLIP, and send their own data with Intent.FLAG_GRANT_*; the p...
CVE-2022-38697
In the messaging service, there is a missing permission check. This could lead to access to an unexpected provider in the contacts service with no additional execution privileges needed...
CVE-2021-25499
Intent redirection vulnerability in SamsungAccountSDKSigninActivity of Galaxy Store prior to version 4.5.32.4 allows an attacker to access the content provider of Galaxy Store...
CVE-2021-25320 Rancher: Cloud credentials can be used through proxy API by users without access
An Improper Access Control vulnerability in Rancher allows users in the cluster to make requests to cloud providers by creating requests with the cloud-credential ID. Rancher in this case would attach the requested credentials without further checks. This issue affects: Rancher versions prior to...