EUVD-2026-31979

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals fetch, window, eval, etc. with undefined. A static source validator...

PT-2026-43403

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals fetch, window, eval, etc. with undefined. A static source validator...

Lumiverse 安全漏洞

Lumiverse is a full-featured AI chat application suite developed by Prolix OCs’ individual developers. Versions of Lumiverse prior to 0.9.7 contained security vulnerabilities. These vulnerabilities stemmed from component overlay systems, which used Sucrase to translate user-provided TSX files and...

@hulumi/policies: Stack-wide evidence bypassed Cloudflare and deployment-governance guardrails

Impact: @hulumi/policies versions before 1.3.2 used stack-wide evidence shortcuts in several Cloudflare and deployment-governance validators. Unrelated compliant-looking evidence could suppress violations for different zones, hostnames, origins, or repositories in the same stack. Patched in 1.3.2...

GHSA-59F3-7227-WMH4 @hulumi/policies: Stack-wide evidence bypassed Cloudflare and deployment-governance guardrails

Impact: @hulumi/policies versions before 1.3.2 used stack-wide evidence shortcuts in several Cloudflare and deployment-governance validators. Unrelated compliant-looking evidence could suppress violations for different zones, hostnames, origins, or repositories in the same stack. Patched in 1.3.2...

PT-2026-42395

Name of the Vulnerable Software and Affected Versions mlflow/mlflow versions prior to 3.10.0 Description When basic authentication is enabled, the 'SearchModelVersions' REST API endpoint and the 'mlflowSearchModelVersions' GraphQL query lack proper per-model authorization checks. This allows any...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the OCI validator process when upstream rate limits are encountered. An attacker can bypass intended ownership restrictions by exploiting the lack of proper checks during rate-limited conditions. Remediation...

PySpector 安全漏洞

PySpector is a high-performance Python static security analysis framework based on graphs, developed by Tommaso Bona. Versions of PySpector prior to 0.1.8 contained security vulnerabilities. These vulnerabilities stemmed from an incomplete blacklist of plugin security validators, which could allo...

EUVD-2026-25062

nimiq-primitives: Node crash due to missing interlink validation in election macro block proposals...

BIT-PARSE-2026-34784 Parse Server: Streaming file download bypasses afterFind file trigger authorization

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the default...

CVE-2026-34203

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTHPASSWORDVALIDATORS setting which defaults to an empty list, i.e., no specific...

CVE-2026-34784

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...

CVE-2026-34532

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud...

Nautobot: Management of users via REST API does not apply configured password validators

Impact In Nautobot versions prior to 2.4.30 or prior to 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTHPASSWORDVALIDATORS setting which defaults to an empty list, i.e., no specific rules, but can be configured in Nautobot's...

CVE-2026-34784

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...

CVE-2026-34784 Parse Server: Streaming file download bypasses afterFind file trigger authorization

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFindParse.File trigger and its validators on storage adapters that support streaming e.g. the...

CVE-2026-34203

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTHPASSWORDVALIDATORS setting which defaults to an empty list, i.e., no specific...

CVE-2026-34203 Nautobot: Management of users via REST API does not apply configured password validators

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTHPASSWORDVALIDATORS setting which defaults to an empty list, i.e., no specific...

CVE-2026-34203 Nautobot: Management of users via REST API does not apply configured password validators

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTHPASSWORDVALIDATORS setting which defaults to an empty list, i.e., no specific...

CVE-2026-34203

Nautobot REST API user creation/editing before versions 2.4.30 and 3.0.10 does not enforce Django AUTH_PASSWORD_VALIDATORS, potentially allowing weak passwords. Affected: Nautobot prior to these patch versions; remediation: upgrade to 2.4.30 or 3.0.10 where password validation is applied."