228 matches found
CVE-2026-34203
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTHPASSWORDVALIDATORS setting which defaults to an empty list, i.e., no specific...
CVE-2026-34203 Nautobot: Management of users via REST API does not apply configured password validators
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTHPASSWORDVALIDATORS setting which defaults to an empty list, i.e., no specific...
CVE-2026-34203 Nautobot: Management of users via REST API does not apply configured password validators
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTHPASSWORDVALIDATORS setting which defaults to an empty list, i.e., no specific...
CVE-2026-34203
Nautobot REST API user creation/editing before versions 2.4.30 and 3.0.10 does not enforce Django AUTH_PASSWORD_VALIDATORS, potentially allowing weak passwords. Affected: Nautobot prior to these patch versions; remediation: upgrade to 2.4.30 or 3.0.10 where password validation is applied."
CVE-2026-34203 Nautobot: Management of users via REST API does not apply configured password validators
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to versions 2.4.30 and 3.0.10, user creation and editing via the REST API fails to apply the password validation rules defined by Django's AUTHPASSWORDVALIDATORS setting which defaults to an empty list, i.e., no specific...
PT-2026-29333
Name of the Vulnerable Software and Affected Versions Nautobot versions prior to 2.4.30 Nautobot versions prior to 3.0.10 Description The application fails to enforce password validation rules defined by Django's AUTH PASSWORD VALIDATORS setting when creating or editing users via the REST API. Th...
PT-2026-29335
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.71 and 9.7.1-alpha.1 Description Parse Server, an open source backend deployable on Node.js infrastructures, is affected by an issue where file downloads via HTTP Range requests bypass the afterFindParse.File...
EUVD-2025-209100
In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NOPERMISSIONS on the experiment, to read trace information and create assessments for...
CVE-2025-15381 Unauthorized Access to Tracing and Assessment Endpoints in mlflow/mlflow
In the latest version of mlflow/mlflow, when the basic-auth app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with NOPERMISSIONS on the experiment, to read trace information and create assessments for...
PT-2026-23821
We at Tachyon found an auth bypass in MLflow https://tachyon.so/blog/cve-2025-14297-mlflow-authorization-bypass: 1. Black-box scanners would need to discover the right users, roles, and state transitions, then generate specific request sequences that trigger a gap: a combinatorial problem that...
AI Gateway secret API accepts `$ENV_VAR` references and can be remotely abused to exfiltrate server-side environment credentials to an attacker-controlled upstream endpoint. And the leaked credentials can be further leveraged to break security boundaries.
Analyzed project versions: Current target branch: master Current HEAD: dc8ef3cbbefccf7384f4e3023492aae635c5d5d0 Fix 403 Forbidden for artifact list via query param when defaultpermission=NOPERMISSIONS 21220, commit date: 2026-03-04 The vulnerability is that AI Gateway secrets allow...
CVE-2021-41138
Frontier is Substrate's Ethereum compatibility layer. In the newly introduced signed Frontier-specific extrinsic for pallet-ethereum, a large part of transaction validation logic was only called in transaction pool validation, but not in block execution. Malicious validators can take advantage of...
Babylon's malformed vote extensions are not rejected
Summary Adversarial validators can send large vote extensions by using non-existing protobuf tags. This will result in the rejection of the subsequent block proposal. Eventually, all block proposals will be rejected by all validators. Impact A small group of adversarial validators can cause a cha...
GHSA-2FCV-QWW3-9V6H Babylon's malformed vote extensions are not rejected
Summary Adversarial validators can send large vote extensions by using non-existing protobuf tags. This will result in the rejection of the subsequent block proposal. Eventually, all block proposals will be rejected by all validators. Impact A small group of adversarial validators can cause a cha...
Snitch-Scan
PoC exploit for XSS vulnerability scanner. The target product/se...
EUVD-2020-27563
Malware in sbrugna...
EUVD-2021-1041
Malware in sbrugna...
EUVD-2009-0005
Malware in sbrugna...
EUVD-2021-2260
Malware in sbrugna...
EUVD-2019-0154
Malware in sbrugna...