Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step

Summary An unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. Details...

CVE-2026-35216

Budibase is an open-source low-code platform. Prior to version 3.33.4 , an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a ** Bash step** via the public webhook endpoint. The process runs as root inside the contai...

CVE-2026-35216 Budibase: Unauthenticated Remote Code Execution via Webhook Trigger and Bash Automation Step

Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution RCE on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the...

MAL-2026-2432 Malicious code in nwin64tls (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 72555231efbf126e61cb3aa59d3482bc7967af46898e46eb2b9b7f81af8cd40e Importing the module starts a loop that listens to key strokes and on every capslock press exfiltrates screenshot to a hardcoded location. --- Category:...

Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments

In this article 1. Cookie-controlled execution behavior 2. Observed variants of cookie-controlled PHP web shells 3. Mitigation and protection guidance 4. Microsoft Defender XDR detections 5. Microsoft Security Copilot prompts 6. Microsoft Defender XDR threat analytics 7. MITRE ATT&CK™ Techniques...

NocoBase Has SQL Injection via template variable substitution in workflow SQL node

Summary NocoBase = 2.0.8 plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL...

Parser Server's streaming file download bypasses afterFind file trigger authorization

Impact File downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the default GridFS adapter. This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators...

GHSA-HPM8-9QX6-JVWV Parser Server's streaming file download bypasses afterFind file trigger authorization

Impact File downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the default GridFS adapter. This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators...

CVE-2026-35093

A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such ...

Parse Server has a session field immutability bypass via falsy-value guard

Impact An authenticated user can bypass the immutability guard on session fields expiresAt, createdWith by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length...

AutoEG: Exploiting Known Third-Party Vulnerabilities in Black-Box Web Applications

Large-scale web applications are widely deployed with complex third-party components, inheriting security risks arising from component vulnerabilities. Security assessment is therefore required to determine whether such known vulnerabilities remain practically exploitable in real applications...

CVE-2026-34784 Parse Server: Streaming file download bypasses afterFind file trigger authorization

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...

CVE-2026-34784

Parse Server has a vulnerability where file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on streaming storage adapters (e.g., GridFS). This can let an attacker access files that should be protected by authorization logic. The issue is fixed in vers...

EUVD-2026-17532

A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to server-side request forgery. The attack can be launched...

CVE-2026-5205

A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to server-side request forgery. The attack can be launched...

CVE-2026-5205

A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to server-side request forgery. The attack can be launched...

CVE-2026-5205

The CVE-2026-5205 vulnerability affects chatwoot up to version 4.11.2, specifically the Webhooks::Trigger function in lib/webhooks/trigger.rb of the Webhook API. The root cause is manipulation of the argument url, enabling server-side request forgery (SSRF). The issue is exploitable remotely, wit...

CVE-2026-34506 OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesiz...

VulnCheck KEV: CVE-2026-4020

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permissioncallback that unconditionally returns true, allowing any...

PT-2026-29296

A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to server-side request forgery. The attack can be launched...