CVE-2024-1524 A local user can be impersonated when using federated authentication with Silent JIT Provisioning.

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider IDP there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will...

CVE-2025-68930

Traccar open-source GPS tracking system versions up to 6.11.1 are affected by a Cross-Site WebSocket Hijacking (CSWSH) in the /api/socket endpoint. The vulnerability arises from the application not validating the Origin header during the WebSocket handshake, allowing an attacker to bypass Same-Or...

CVE-2025-67733

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same...

PT-2026-21550

Name of the Vulnerable Software and Affected Versions Traccar versions up to and including 6.11.1 Description The Traccar GPS tracking system is susceptible to a Cross-Site WebSocket Hijacking CSWSH issue. The application does not properly validate the Origin header during the WebSocket handshake...

CVE-2026-24455

The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...

CVE-2026-24455

The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network...

Notepad++ Fixes Hijacked Update Mechanism Used to Deliver Targeted Malware

Notepad++ has released a security fix to plug gaps that were exploited by an advanced threat actor from China to hijack the software update mechanism to selectively deliver malware to targets of interest. The version 8.9.2 update incorporates what maintainer Don Ho calls a "double lock" design th...

PT-2026-20350

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.13 @openclaw/bluebubbles versions prior to 2026.2.13 Description The optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based solely on the TCP peer address being...

CVE-2026-26019 @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation

LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option enabled by default is intended to restrict crawling to the same site...

CVE-2025-11004

The Simplicity Device Manager Tool has a Reflected XSS Cross-site-scripting vulnerability in several API endpoints. The attacker needs to be on the same network to execute this attack. These APIs can affect confidentiality, integrity, and availability of the system that has Simplicity Device...

CVE-2026-25880

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary explorer.exe located in the same directory as the opened PDF when the user clicks File → “Show in folder”. This behavior leads to arbitrary code execution on the victim’s...

CVE-2025-11004 Reflected XSS vulnerability in Simplicity Device Manager tool

The Simplicity Device Manager Tool has a Reflected XSS Cross-site-scripting vulnerability in several API endpoints. The attacker needs to be on the same network to execute this attack. These APIs can affect confidentiality, integrity, and availability of the system that has Simplicity Device...

CVE-2025-11004

The vulnerability CVE-2025-11004 is a reflected XSS in several API endpoints of the Simplicity Device Manager Tool. An attacker on the same network can exploit the issue, potentially affecting confidentiality, integrity, and availability of the system hosting the tool. The CVSS v4.0 vector indica...

PT-2026-31534

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 147.0.7727.55 Description A flaw exists in Google Chrome's handling of WebSockets due to insufficient validation of untrusted input. A remote attacker who has compromised the renderer process can bypass the same...

PT-2026-7267

The Simplicity Device Manager Tool has a Reflected XSS Cross-site-scripting vulnerability in several API endpoints. The attacker needs to be on the same network to execute this attack. These APIs can affect confidentiality, integrity, and availability of the system that has Simplicity Device...

CVE-2026-25880

SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, the PDF reader allows execution of a malicious binary explorer.exe located in the same directory as the opened PDF when the user clicks File → “Show in folder”. This behavior leads to arbitrary code execution on the victim’s...

sumatrapdf 代码问题漏洞

Sumatrapdf is an open-source PDF reader developed by SumatraPDF Reader. Versions of SumatraPDF 3.5.2 and earlier have code vulnerabilities. These vulnerabilities stem from the PDF reader allowing execution of malicious binary files located in the same directory as the opened PDF, potentially...

CVE-2026-2103 Use of Hard-Coded Cryptographic Key for Password Storage

Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt a...

OESA-2026-1285 thunderbird security update

Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: Use-after-free in the WebRTC: Signaling component. This vulnerability affects Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.CVE-2025-14321 Sandbox escape due to incorrect boundary conditions in...

CVE-2026-25161

Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal...