CVE-2026-25599
Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices...
GHSA-RP7V-4384-HFRP k8sGPT has Prompt Injection through its k8sGPT-Operator
Summary In the auto-remediation pipeline, objecttoexecution.go was deserializing the AI-generated YAML directly into a Deployment object, but there was a lack of validation against the original Deployment object. Details This issue was fixed after coordination with Alex Jones. PoC To minimize the...
EUVD-2025-27413
Malicious code in bioql PyPI...
CVE-2023-1029
The WP Meta SEO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the regenerateSitemaps function. This makes it possible for unauthenticated attackers to regenerate Sitemaps via a forg...
Cuvva: No rate limiting at POST /2/2017-05-22/send_identifier_token
SUMMARY ---------- Hello, while testing your API I have noticed that the request at POST /2/2017-05-22/sendidentifiertoken does not have any rate limiting. I made about 60-70 requests, and this actually sends an SMS when the type is mobilephone. I agree, this is not a very big issue, but all endpoints...