
48 matches found

HackRead
added 2026/05/06 5:28 p.m. | 8 views

ShinyHunters’ Instructure Canvas LMS and Vimeo Breaches Impact Millions of Users

ShinyHunters breached Instructure and Vimeo, exposing millions of student and user records through direct and supply chain attacks...

5.8 AI score
Exploits: 0

Positive Technologies
added 2026/04/01 12:0 a.m. | 2 views

PT-2026-29444

A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file gougucms-masterappadminviewuserrecord.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack...

5.1 CVSS | 4.4 AI score | 0.00039 EPSS
Exploits: 0 | References: 5

Cvelist
added 2026/03/26 8:52 p.m. | 18 views

CVE-2026-33638 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...

5.3 CVSS | 0.00027 EPSS
Exploits: 0 | References: 3

Vulnrichment
added 2026/03/26 8:52 p.m. | 1 views

CVE-2026-33638 Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ...

5.3 CVSS | 5.9 AI score | 0.00027 EPSS
Exploits: 0 | References: 3

GitHub Security Blog
added 2026/03/24 10:25 p.m. | 9 views

Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Summary: A public access-control flaw allows unauthenticated users to retrieve the full user list from GET /api/allusers. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration. Details: The vulnerable route is registered as a public endpoint:...

5.3 CVSS | 5.9 AI score | 0.00027 EPSS
Exploits: 0 | References: 5 | Affected Software: 1

Vulnrichment
added 2026/03/18 8:41 p.m. | 2 views

CVE-2026-32638 StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens

StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.4, the REST API getUsers endpoint in StudioCMS uses the attacker-controlled rank query parameter to decide whether owner accounts should be filtered from the result set. As a result, an admin token...

2.7 CVSS | 5.8 AI score | 0.00026 EPSS
Exploits: 1 | References: 3

EUVD
added 2026/02/25 6:57 p.m. | 3 views

EUVD-2026-8646

Budibase: Remote Code Execution via Unsafe eval in View Filter Map Function Budibase Cloud...

9.9 CVSS | 5.5 AI score | 0.00098 EPSS
Exploits: 1 | References: 5

EUVD
added 2025/11/26 6:31 p.m. | 2 views

EUVD-2025-199726

Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and access sensitive information...

6.3 AI score | 0.00039 EPSS
Exploits: 1 | References: 4

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2016-10097

Malware in sbrugna...

5.3 CVSS | 5.5 AI score | 0.00213 EPSS
Exploits: 0 | References: 4

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2022-1912

Malicious code in bioql PyPI...

7.5 CVSS | 6.5 AI score | 0.00272 EPSS
Exploits: 0 | References: 5

Cvelist
added 2025/08/21 12:0 a.m. | 7 views

CVE-2024-45438

An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions using a crafted GET request. Notably, when a non-existent emai...

0.0041 EPSS
Exploits: 0 | References: 4

HackRead
added 2025/07/02 11:3 a.m. | 2 views

Verizon and T-Mobile Deny Data Breaches as Millions of User Records Sold Online

User claims to sell stolen Verizon and T-Mobile data for millions of users online. Verizon says data is old. T-Mobile denies any breach and links to it...

7.3 AI score
Exploits: 0

HackRead
added 2025/05/30 1:19 p.m. | 27 views

Threat Actor Claims TikTok Breach, Puts 428 Million Records Up for Sale

Alleged TikTok Breach: Threat actor “Often9” claims to sell 428M user records, including emails, phones, and account details on dark web forum. TikTok is investigating!...

7.3 AI score
Exploits: 0

Cvelist
added 2025/05/30 4:30 a.m. | 11 views

CVE-2025-48476 FreeScout Has Business Logic Errors

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when adding and editing user records using the fill method, there is no check for the absence of the password field in the data coming from the user, which leads to a mass-assignment vulnerability. As a result...

7.1 CVSS | 0.00144 EPSS
Exploits: 1 | References: 1

HackRead
added 2025/02/13 7:17 p.m. | 284 views

Doxbin Data Breach: Hackers Leak 136K User Records and Blacklist File

Doxbin Data Breach: Hackers leak 136,000+ user records, emails, and a ‘blacklist’ file, exposing those who paid to…...

7.3 AI score
Exploits: 0

HackRead
added 2024/11/23 5:49 p.m. | 46 views

Andrew Tate’s University Breach: 1 Million User Records and Chats Leaked

Andrew Tate's "The Real World" platform has been breached, again, leaking user data including emails and private chat…...

7.4 AI score
Exploits: 0

HackRead
added 2024/11/04 7:17 p.m. | 10 views

Hackers Leak 300,000 MIT Technology Review Magazine User Records

Hackers claim to have breached MIT Technology Review Magazine via a third-party contractor, leaking nearly 300,000 user records…...

7.2 AI score
Exploits: 0

HackRead
added 2024/10/24 1:0 a.m. | 9 views

Hackers Leak 180,000 Esport North Africa User Records a Day Before Tournament Begins

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no…...

7.3 AI score
Exploits: 0

CNNVD
added 2024/08/12 12:0 a.m. | 1 views

ZOHO ManageEngine ADAudit Plus Security Vulnerability

ZOHO ManageEngine ADAudit Plus is used by ZOHO to simplify auditing, demonstrate compliance and detect threats. A security vulnerability exists in ZOHO ManageEngine ADAudit Plus version 8003 and prior versions, which arises from vulnerability to authenticated SQL injection attacks in user session...

8.8 CVSS | 7.6 AI score | 0.01217 EPSS
Exploits: 0 | References: 2

HackRead
added 2024/06/24 5:24 p.m. | 9 views

Hacker Claims TEG Ticket Vendor Breach: 30M User Records for Sale

Hacker "Sp1d3r" claims breaching TEG, an Australian ticketing giant, exposing 30 million users' data for sale on Breach Forums for USD 30,000...

7.4 AI score
Exploits: 0