
8 matches found

OSSF Malicious Packages
added 2026/04/13 3:25 p.m., 3 views

Malicious code in stats-api-js-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a84f9d7eef71d2b99a244ec63f5144ad80a0084e6c20fc903a1bbce208ad9777 The package stats-api-js-client was found to contain malicious code. Source: ghsa-malware...

AI score 5.7
Exploits: 0, References: 1
OSV
added 2026/04/13 3:25 p.m., 1 views

MAL-2026-2607 Malicious code in stats-api-js-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a84f9d7eef71d2b99a244ec63f5144ad80a0084e6c20fc903a1bbce208ad9777 The package stats-api-js-client was found to contain malicious code. Source: ghsa-malware...

AI score 5.7
Exploits: 0, References: 1
NVD
added 2026/03/30 8:16 p.m., 1 views

CVE-2026-31799

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters "before" and "after" and from version 2.1.0-beta to before version 2.17.0 for parameters "sectionid" and "userid", the /api/v2?cmd=gethomestats endpoint passe...

CVSS 4.9, EPSS 0.00048
Exploits: 1, References: 2
Tenable Nessus
added 2026/03/06 12:0 a.m., 1 views

NewStart CGSL MAIN 6.06 (SP) : libvirt Vulnerability (NS-SA-2026-0022)

The remote NewStart CGSL host, running version MAIN 6.06 SP, has libvirt packages installed that are affected by a vulnerability: - An issue was discovered in qemuDomainGetStatsIOThread in qemu/qemudriver.c in libvirt 4.10.0 through 6.x before 6.1.0. A memory leak was found in the...

CVSS 6.5, AI score 5.8, EPSS 0.00717
Exploits: 0, References: 3
Microsoft CVE
added 2022/08/27 7:0 a.m., 5 views

A use-after-free flaw was found in libvirt. The qemuMonitorUnregister() function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down. An unprivileged client with a read-only connection could use this flaw to perform a denial of service attack by causing the libvirt daemon to crash.

...

CVSS 6.5, AI score 6.7, EPSS 0.00595
Exploits: 0
Hacker One
added 2022/07/21 6:9 a.m., 14 views

EXNESS: IDOR in Stats API Endpoint Allows Viewing Equity or Net Profit of Any MT Account

Hi Team, Today I logged into my Exness PA and noticed an updated performance page. I thought to give it a quick check and noticed that the API endpoints responsible for fetching the stats performance chart /stats/ is vulnerable to IDOR via accounts= parameter. The issue allows fetching the stats ...

AI score 0.4
Exploits: 0
RedHat Linux
added 2021/11/16 7:53 a.m., 2 views

libvirt: segmentation fault during VM shutdown can lead to vdsm hang

A use-after-free flaw was found in libvirt. The qemuMonitorUnregister function in qemuProcessHandleMonitorEOF is called using multiple threads without being adequately protected by a monitor lock. This flaw could be triggered by the virConnectGetAllDomainStats API when the guest is shutting down...

CVSS 6.5, AI score 6.6, EPSS 0.00595
Exploits: 0, References: 4
Hacker One
added 2018/09/21 5:44 p.m., 933 views

Chaturbate: No rate limit in stats api token endpoint

Brute force on statsapi endpoint to view stats of a user Steps To Reproduce: 1. Stats api token can be generated at https://chaturbate.com/statsapi/authtoken/ https://chaturbate.com/statsapi/?username=hackeronetestchat&token=vulnerable I've used my profile and my token to check brute force T...

AI score 0.5
Exploits: 0