7910 matches found
Linux Distros Unpatched Vulnerability : CVE-2026-46161
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - md/raid10: fix divide-by-zero in setupgeo with zero farcopies setupgeo extracts nearcopies nc and farcopies fc from the user-provided layout parameter without...
CVE-2026-45344
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup...
CVE-2026-46161
A flaw was found in the Linux kernel's md/raid10 module. This vulnerability allows a local user to trigger a divide-by-zero error within the setupgeo function by supplying a malformed layout parameter where the farcopies value is set to zero. Successful exploitation of this flaw can lead to a...
CVE-2026-46171
A flaw was found in the Linux kernel's Kernel-based Virtual Machine KVM for RISC-V architecture. This vulnerability occurs when a second memory allocation fails during the vector context setup, causing a previously allocated memory block to be leaked. Over time, repeated occurrences of this issue...
CVE-2026-45344 LinkAce: Setup database password newline injection enables pre-auth RCE on uninitialized instances
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup...
CVE-2026-45344 LinkAce: Setup database password newline injection enables pre-auth RCE on uninitialized instances
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup...
EUVD-2026-33054
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup...
CVE-2026-45344
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup...
CVE-2026-45344
LinkAce suffers a pre-auth RCE via setup flow on uninitialized instances. Before version 2.5.6, the setup database configuration flow accepts attacker-controlled database credentials and writes them into the .env file without proper escaping. A remote attacker who can reach the setup endpoints an...
MAL-2026-4861 Malicious code in lib-1779997093-yjeeqn (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 adfe3f8b85f731f407f8da6669a76b821b042e4ea1f2fd8fcfddf3293c2ca697 During installation, the package opens a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...
Malicious code in lib-1779997093-yjeeqn (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 adfe3f8b85f731f407f8da6669a76b821b042e4ea1f2fd8fcfddf3293c2ca697 During installation, the package opens a reverse shell --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...
CVE-2026-45332
Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...
CVE-2026-45332 Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint
Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...
CVE-2026-45332
Affected software: Automad (flat-file CMS/template engine). Vulnerability: Broken Access Control allowing an unauthenticated attacker to retrieve bcrypt password hashes of all administrator accounts (and, in 2.0.0-beta.27, TOTP secrets) via the publicly accessible /_api/user-collection/create-fir...
EUVD-2026-32980
Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...
CVE-2026-45332
Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcrypt password hash of every administrator account with a single POST request. The...
CVE-2026-34126
TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within the Bluetooth rang...
MAL-2026-4859 Malicious code in telethon-pro-safe (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 8bc2e515c2eb7bf73ea5d532cfb6701dcaf3dd95e9d8248ee3d426b1d0c1ed8c During installation, package executes obfuscated code that starts a RAT-like software allowing remote control and exfiltrating sensitive data. --- Category:...
CVE-2026-34126
TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within the Bluetooth rang...
CVE-2026-34126 Bluetooth Communication Uses Unencrypted Transmission During Initial Setup on TP-Link's Tapo L535E, P300 and D100C
TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext without encryption. Bluetooth is only used during initialization. An attacker within the Bluetooth rang...