CVE-2026-10557

The Yarbo Android and iOS applications contain hard-coded MQTT broker credentials that are identical for all users and all devices. These credentials are embedded in the application binary and are readily extractable via APK decompilation. The credentials provide access to cloud MQTT brokers...

CVE-2026-7368 Yarbo Android/iOS Mobile Application and Cloud Infrastructure Missing Authorization

The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot's command topic...

CVE-2026-7368

The CVE covers Yarbo Android/iOS mobile app and Yarbo cloud infrastructure where per-device/user authorization is not enforced. The system allows any client with valid credentials to subscribe to wildcard topics for all robots and publish to any robot’s command topic using only the robot’s serial...

CVE-2026-7368 Yarbo Android/iOS Mobile Application and Cloud Infrastructure Missing Authorization

The Yarbo cloud does not enforce per-device or per-user authorization. Any client possessing valid credentials, whether the shared hard-coded credentials or legitimate per-user credentials, can subscribe to wildcard topics covering all robots globally, and can publish to any robot's command topic...

PT-2026-48886

Name of the Vulnerable Software and Affected Versions Yarbo cloud affected versions not specified Description The cloud service fails to enforce per-device or per-user authorization. A client with valid credentials, including shared hard-coded credentials or legitimate per-user credentials, can...

CVE-2026-46679 libp2p: Memory DoS via subscription flood of unique topics

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23...

CVE-2026-46679 libp2p: Memory DoS via subscription flood of unique topics

libp2p is a JavaScript Implementation of libp2p networking stack. Prior to version 15.0.23, three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. This issue has been patched in version 15.0.23...

CVE-2026-7415

The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization...

CVE-2026-35443 NamelessMC: Forum reactions bypass the "view own topics only" restriction

NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...

CVE-2026-35443

NamelessMC (website software for Minecraft servers) is affected in version 2.2.4. The vulnerability lies in modules/Forum/classes/ForumPostReactionContext.php, where topic-level view_other_topics authorization is not re-enforced, allowing reactions on other users’ topics to be read and modified. ...

CVE-2026-35443 NamelessMC: Forum reactions bypass the "view own topics only" restriction

NamelessMC is website software for Minecraft servers. In version 2.2.4, modules/Forum/classes/ForumPostReactionContext.php only verifies that the caller can view the forum, but it does not re-enforce topic-level viewothertopics authorization. As a result, in forums where users may enter the forum...

EUVD-2026-33962

Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, improper access control allows disclosure of password hash. This issue has been patched in version 2.10.4...

NamelessMC 安全漏洞

NamelessMC is a free, easy-to-use, and powerful website software developed by the NamelessMC team. It’s suitable for your Minecraft server and comes with numerous features. Version 2.2.4 of NamelessMC has a security vulnerability that stems from the lack of re-enforcing topic-level viewotherstopi...

CVE-2026-49198

CVE-2026-49198 affects Predator Connect W6x: MQTT broker. The issue is improper access control that enables wildcard topic subscriptions, which can expose all MQTT traffic to unauthorized actors. Documents do not specify the vulnerable component beyond the broker, nor do they provide version numb...

Acer Predator Connect W6x 安全漏洞

The Acer Predator Connect W6x is a series of high-performance Wi-Fi 6/6E gaming routers produced by Acer of Taiwan, China. The Acer Predator Connect W6x has a security vulnerability, which stems from improper access control in the MQTT proxy, allowing wildcard topic subscriptions, thereby exposin...

GHSA-4F8R-922H-2VGV js-libp2p: Memory DoS via subscription flood of unique topics

Summary Three cooperating omissions in @libp2p/gossipsub allow an unauthenticated single peer to exhaust the Node.js heap of any gossipsub node with default options. 1. defaultDecodeRpcLimits.maxSubscriptions = Infinity packages/gossipsub/src/message/decodeRpc.ts:11: no decode-level cap on...

Missing Release of Memory after Effective Lifetime

Overview @libp2p/gossipsub is an A typescript implementation of gossipsub Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime through unbounded growth of the topics data structure when processing subscription requests. An attacker can exhaust...

Security Bulletin: IBM WebSphere Automation is vulnerable to CVE-2026-35554 which affects the kakfa client library

Summary IBM WebSphere Automation is vulnerable to CVE-2026-35554, which causes a race condition in the Apache Kafka Java producer client's buffer pool management which can cause messages to be silently delivered to incorrect topics. Vulnerability Details CVEID:CVE-2026-35554 DESCRIPTION: A race...

Topical Shifts in the Dark Web: A Longitudinal Analysis of Content from the Cybercrime Ecosystem

The dark web hosts a dynamic ecosystem of cybercrime forums and marketplaces that adapt to law enforcement pressure, technological change, and economic incentives. Prior research has extracted cyber threat intelligence from these platforms using static snapshots, with limited attention to how...

EUVD-2026-29102

In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. The broker enforces publish restrictions but does not enforce equivalent subscribe authorization a...