ROOT-APP-PYPI-CVE-2023-25691 CVE-2023-25691 in rootio-apache-airflow-providers-google - Patched by Root

Root has patched CVE-2023-25691 in the rootio-apache-airflow-providers-google package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2023-25692 CVE-2023-25692 in rootio-apache-airflow-providers-google - Patched by Root

Root has patched CVE-2023-25692 in the rootio-apache-airflow-providers-google package for Root:PyPI. Multiple fixed versions available...

ROOT-APP-PYPI-CVE-2025-30473 CVE-2025-30473 in rootio-apache-airflow-providers-common-sql - Patched by Root

Root has patched CVE-2025-30473 in the rootio-apache-airflow-providers-common-sql package for Root:PyPI. Multiple fixed versions available...

Multiple Node.js Modules compromised in npm supply chain attack (Shai-Hulud 'Miasma') (06/01/2026)

The remote host has a version of one or more Node.js modules installed known to be compromised in the Shai-Hulud 'Miasma' npm supply chain attack reported on 06/01/2026. This wave compromised 32 packages 96 versions published under the '@redhat-cloud-services' npm scope. It is tracked separately...

CVE-2026-0016

In updateProvidersWhenServiceRemoved of CredentialManagerService.java, there is a possible way to override settings across users due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

NextCloud user_oidc: Authorization issue vulnerability

Nextcloud useroidc is an application developed by the German company Nextcloud. There were authorization issues in versions of Nextcloud useroidc between 0.3.0 and 3.1.0, as well as between 5.0.0 and 5.1.0, and between 6.0.0 and 6.4.0. This issue stemmed from a lack of User OIDC signature...

BIT-NEO4J-2026-1524 Auth misconfiguration when multiple providers enabled

An edgecase in SSO implementation in Neo4j Enterprise edition versions prior to version 2026.02 can lead to unauthorised access under the following conditions: If a neo4j admin configures two or more OIDC providers AND configures one or more of them to be an authorization provider AND configures...

EUVD-2026-32943

Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the emailverified claim from upstream providers; the idp.UserInfo struct does not even...

CVE-2026-9092 CVE-2026-9092

Casdoor versions 2.362.0 and earlier contain a vulnerability involving unverified email binding that may enable account takeover. The getExistUserByBindingRule function matches users by email without checking the emailverified claim from upstream providers; the idp.UserInfo struct does not even...

CVE-2026-9092

Casdoor, versions 2.362.0 and earlier, contains a vulnerability in the binding logic: the getExistUserByBindingRule function matches users by email without validating the email_verified claim from upstream providers, and the idp.UserInfo struct does not include an EmailVerified field. This can al...

Improper Handling of Insufficient Permissions or Privileges

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges in the org.keycloak.protocol.oidc component when...

How Can MSSPs Scale Threat Detection Without Burning Out Their Analysts?

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings...

SUSE CVE-2022-32223

Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine: OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf”...

PT-2026-42826

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2025.12.5 authentik versions 2026.2.0-rc1 through 2026.2.2 Description Authenticated non-admin users possessing at least one OAuth2 access token can retrieve the client secret of confidential OAuth2 providers they...

Malicious code in create-kachow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b65b2deeeafefb22b81e6a863b51115953b108991e5462d939dce3d6b8ee4a97 bin/create-kachow.js declares a BUILTINKEYS object containing live API keys for four third-party AI providers Gemini key starting...

MAL-2026-4539 Malicious code in create-kachow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b65b2deeeafefb22b81e6a863b51115953b108991e5462d939dce3d6b8ee4a97 bin/create-kachow.js declares a BUILTINKEYS object containing live API keys for four third-party AI providers Gemini key starting...

CVE-2026-41947

Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to...

CVE-2026-41947

Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to...

CVE-2026-41947 Dify < 1.14.2 Authorization Bypass via Trace Configuration Endpoints

Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to...

CVE-2026-41947 Dify < 1.14.2 Authorization Bypass via Trace Configuration Endpoints

Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to...