CVE-2026-31821
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...
EUVD-2023-31322
netbox-docker before 2.5.0 has a superuser account with default credentials (the password "admin" for the admin account) and the value 0123456789abcdef0123456789abcdef01234567 for SUPERUSERAPITOKEN. In practice on the public Internet, almost all users changed the password but only about 90% changed the toke...
CVE-2026-31821 Sylius is Missing Authorization in API v2 Add Item Endpoint
Sylius is an Open Source eCommerce Framework on Symfony. The POST /api/v2/shop/orders/{tokenValue}/items endpoint does not verify cart ownership. An unauthenticated attacker can add items to other registered customers' carts by knowing the cart tokenValue. An attacker who obtains a cart tokenValue...
CVE-2026-31821
CVE-2026-31821 affects Sylius (Open Source eCommerce framework on Symfony). The vulnerability is in the POST /api/v2/shop/orders/{tokenValue}/items endpoint, which does not verify cart ownership, allowing an unauthenticated attacker who knows a cart tokenValue to add items to another registered c...
PT-2026-24475
Name of the Vulnerable Software and Affected Versions: Sylius versions prior to 2.0.16; Sylius versions prior to 2.1.12; Sylius versions prior to 2.2.3. Description: The POST /api/v2/shop/orders/{tokenValue}/items endpoint in Sylius does not verify cart ownership. This allows an unauthenticated attacker...
PT-2026-5584
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.1.29. Description: An authentication bypass issue exists in the WebSocket gateway of OpenClaw. The software fails to validate the user-supplied gatewayUrl parameter before initializing WebSocket connections. This...
Unity Linux 20.1050e Security Update: kernel (UTSA-2026-005025)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005025 advisory. In the Linux kernel, the following vulnerability has been resolved: "KVM: x86/mmu: make apf token non-zero to fix bug". In current async pagefault logic, when a page is...
EUVD-2019-6247
Malware in sbrugna...
I Know What You Said: Unveiling Hardware Cache Side-Channels in Local Large Language Model Inference
Large Language Models (LLMs) that can be deployed locally have recently gained popularity for privacy-sensitive tasks, with companies such as Meta, Google, and Intel playing significant roles in their development. However, the security of local LLMs through the lens of hardware cache side-channels...
ABB Cylon Aspect 3.08.03 productRemovalUpdate.php Remote Code Execution
The ABB BMS/BAS controller suffers from an authenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'instance' HTTP POST parameter called by the productRemovalUpdate.php script. The token key POST param needs to be se...
CVE-2024-52732
Incorrect access control in wms-Warehouse management system-zeqp v2.20.9.1 due to the token value of the zeqp system being reused...
CVE-2023-43275
Cross-Site Request Forgery (CSRF) vulnerability in DedeCMS v5.7 in 110 backend management interface via /catalogadd.php, allows attackers to create crafted web pages due to a lack of verification of the token value of the submitted form...
CVE-2023-4659
Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different actions on the platform as an administrator, simply by changing the token value to "admin". It is also possible to perform POST, GET and DELETE requests without any token value. Therefore, an...
CVE-2023-4659 Cross-Site Request Forgery in Free5Gc
Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different actions on the platform as an administrator, simply by changing the token value to "admin". It is also possible to perform POST, GET and DELETE requests without any token value. Therefore, an...
MID-Risk Vulnerabilities in the Axelar Smart Contracts
Lines of code. Vulnerability details. Impact: The vulnerabilities that I have identified could have a significant impact on the Axelar network. These vulnerabilities could be exploited by an attacker to: gain control of the Axelar network by proposing and voting on malicious proposals; mint or burn...
CVE-2023-28425
| creationtimestamp | type | source |
|---|---|---|
| 2023-04-02 22:23:59+00:00 | seen | https://t.me/cibsecurity/60350 |
| 2023-04-04 11:01:01+00:00 | published-proof-of-concept | https://t.me/CyberSecurityTechnologies/8053... |
Missing totalFunds update in LiquidityPool's OpenShort(), causing LiquidityPool token holder to lose a portion of their token value
Lines of code. Vulnerability details: The function openShort in LiquidityPool.sol is missing an update to totalFunds, to increase LiquidityPool funds by the collected net fees. Impact: As a result of the missing increment to totalFunds, the availableFunds in the LiquidityPool will be lower. This wil...
Uneven deduction of performance fee causes some KangarooVault users to lose part of their token value
Lines of code. Vulnerability details: In KangarooVault.resetTrade, a performanceFee is charged upon closing of all positions, on the premiumCollected. This is inconsistent with getTokenPrice, as premiumCollected is factored into the token price computation while the performanceFee is not. This leads ...