Mailpit: Unauthenticated remote memory-exhaustion DoS via unlimited SMTP DATA and /api/v1/send body sizes

Summary The Mailpit SMTP server has a Server.MaxSize int field that controls the maximum allowed DATA payload size, but the field is never assigned anywhere outside test code, leaving it at Go's zero value 0 ⇒ "no limit". The same applies to the HTTP /api/v1/send endpoint, whose request body is...

[SECURITY] Fedora 42 Update: coturn-4.11.0-1.fc42

The Coturn TURN Server is a VoIP media traffic NAT traversal server and gatew ay. It can be used as a general-purpose network traffic TURN server/gateway, too. This implementation also includes some extra features. Supported RFCs: TURN specs: - RFC 5766 - base TURN specs - RFC 6062 - TCP relaying...

Node.js: NULL pointer dereference in node:sqlite DatabaseSync#applyChangeset() via malformed SQLite changeset

Summary: A 19-byte malformed SQLite changeset passed to Node.js node:sqlite DatabaseSyncapplyChangeset causes a native NULL pointer dereference and terminates the Node.js process. Description: The built-in Node.js node:sqlite API exposes DatabaseSyncapplyChangesetchangeset, options, which accepts...

Nessus Network Monitor < 6.5.4 Multiple Vulnerabilities (TNS-2026-14)

According to its self-reported version, the Nessus Network Monitor running on the remote host is prior to 6.5.4. It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2026-14 advisory. - An integer overflow can be triggered in SQLite's concatws function. The resulting,...

Malicious code in @tallyui/storage-sqlite (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2dfe62118fbe292ca123fb157b6fe7d34d5613dcc334553c5cb767636b88ef2b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3604 Malicious code in @tallyui/storage-sqlite (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2dfe62118fbe292ca123fb157b6fe7d34d5613dcc334553c5cb767636b88ef2b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`

Summary Kysely 0.28.12 added a sanitizeStringLiteral call inside DefaultQueryCompiler.visitJSONPathLeg commit 0a602bf, PR 1727 to fix CVE-2026-32763 GHSA-wmrf-hv6w-mr66. The fix only doubles single quotes ' → ''; it does not escape JSON-path metacharacters ., , , , , ?. When attacker-controlled...

PT-2026-39902

Name of the Vulnerable Software and Affected Versions Gryph versions prior to 0.7.0 Description Gryph implements logging levels to control content stored in a local sqlite database. The default log level is set to standard, although documentation incorrectly states it is minimal. At both standard...

PT-2026-39898

Name of the Vulnerable Software and Affected Versions Kysely versions prior to 0.28.16 Description Improper input handling in the JSON-path compiler allows attackers to access sensitive JSON data. The software fails to escape JSON-path metacharacters such as ., , , , , and ?, only doubling single...

CoreExploit-Final

CoreExploit 🔐 Ethical Penetration Testing Learning Platfor...

GHSA-PWQG-Q8PG-PP6R Daptin fuzzy search injects unvalidated column name into raw SQL

Summary processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.Lfmt.Sprintf"LOWER%s LIKE ?", prefix+col raw SQL with no column whitelist check. The entry point is GET /api/ with...

EUVD-2026-27141

Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore...

Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore

nginx-ui exposes a backup restore endpoint POST /api/restore that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file...

CVE-2026-42238

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint POST /api/restore that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can...

GHSA-H5X4-M2QF-R4F2 Diesel's SQLite backend has possible UTF-8 corruption

Diesel uses the sqlite3valuetext function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as const cchar. Based on that we used str::fromutf8unchecked to...

Diesel's SQLite backend has possible UTF-8 corruption

Diesel uses the sqlite3valuetext function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as const cchar. Based on that we used str::fromutf8unchecked to...

PT-2026-37359

Diesel uses the sqlite3 value text function to receive strings from SQLite while deserializing query results. We misinterpreted the corresponding SQLite documentation that this function always returns a UTF-8 encoded string values as const c char. Based on that we used str::from utf8 unchecked to...

CVE-2026-42238

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint POST /api/restore that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can...

CVE-2026-42238

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint POST /api/restore that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can...

CVE-2026-42238 Unauthenticated Remote Code Execution via Backup Restore in nginx-ui

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint POST /api/restore that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can...