66 matches found
CVE-2026-24755
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource...
CVE-2026-6376 Missing authentication for critical function in SpiceJet Online Booking System
A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of extensive personal, travel, and booking metadata to any unauthenticated user...
CVE-2026-40259
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model...
PT-2026-27232
Security Advisory — Page Content Retrieval Improper Authorization. Summary: An improper authorization issue in the page content retrieval feature may allow retrieval of non-public information. Affected Versions: 1.x series <= 1.41.0; 2.x series <= 2.41.0. Patched Versions: 1.41.1, 2.41.1...
The Iranian Cyber Capability 2026
The Iranian Cyber Capability 2026 By John Fokker and Ernesto Fernández Provecho · March 5, 2026 Introduction In 2024, we published an assessment of the Islamic Republic of Iran’s cyber capabilities, outlining the structure, tradecraft, and strategic intent of Iranian-aligned threat actors. The co...
CVE-2026-24422
phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list endpoint calls Question::getAll with showAll=true by default, returning...
Directory Traversal
Overview gapless-crypto-data is a Cryptocurrency OHLCV data collection with gap-free guarantee. Retrieves microstructure-enriched kline data from Binance Public Data Repository with automatic gap detection and filling. Affected versions of this package are vulnerable to Directory Traversal due to...
Password Strength Analysis through Social Network Data Exposure: A Combined Approach Relying on Data Reconstruction and Generative Models
Although passwords remain the primary defense against unauthorized access, users often tend to use passwords that are easy to remember. This behavior significantly increases security risks, also due to the fact that traditional password strength evaluation methods are often inadequate. In this...
EUVD-2018-1384
Malware in sbrugna...
EUVD-2022-52762
Malicious code in bioql PyPI...
CVE-2025-27238 API hostprototype.get lists data to users with insufficient authorization.
Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them...
PT-2025-36741
Name of the Vulnerable Software and Affected Versions: Open5GS versions prior to 2.7.3. Description: An issue in Open5GS allows a remote attacker to cause a denial of service by sending a crafted Create Session Request message to the SMF/PGW-C, utilizing the IP address of a legitimate UE in the PD...
National Public Data Relaunches Despite 2.9 Billion SSNs Breach
It is business as usual at National Public Data (NPD) despite the breach that exposed 3 billion Social Security numbers and the subsequent leak...
National Public Data returns after massive Social Security Number leak
Remember that data broker nobody had ever heard of, but which managed to leak a database containing the data of some 2.9 billion people? It's back, and this time with a search function. National Public Data suffered an alleged breach in 2024 against a database that, it turned out, carried 272...
AllVideoPocsFromHackerOne
This is an offensive tool for retrieving public reports from HackerOne, a bug bounty platform. The tool, named "AllPocsFromHackerOne," is designed to grab public reports from HackerOne and categorize vulnerabilities by technique. It appears to be a Python script that utilizes the HackerOne API to...
PT-2025-30983
@Austen CVE-2025-55021: Unrestricted Access To Public, Open Data Via Web Browser and URL...
Yet Another Strava Privacy Leak
This time it's the Swedish prime minister's bodyguards. Last year, it was the US Secret Service and Emmanuel Macron's bodyguards. In 2018, it was secret US military bases. This is ridiculous. Why do people continue to make their data public?...
Assessing Risk of Stealing Proprietary Models for Medical Imaging Tasks
The success of deep learning in medical imaging applications has led several companies to deploy proprietary models in diagnostic workflows, offering monetized services. Even though model weights are hidden to protect the intellectual property of the service provider, these models are exposed to...
Decentralized COVID-19 Health System Leveraging Blockchain
With the development of the Internet, the amount of data generated by the medical industry each year has grown exponentially. The Electronic Health Record (EHR) manages the electronic data generated during the user's treatment process. Typically, an EHR data manager belongs to a medical institution...
CVE-2023-34090
Decidim is a participatory democracy framework, written in Ruby on Rails, originally developed for the Barcelona City government's online and offline participation website. Decidim uses a third-party library named Ransack for filtering certain database collections (e.g., public meetings). By default,...