Arnika versions prior to v1.0.1 contain multiple medium-severity vulnerabilities affecting the UDP key-rotation protocol, Post-Quantum Cryptography (PQC) key file handling, and Key Management System (KMS) TLS configuration. These flaws permit UDP replay attacks causing denial of service, silent security downgrades via empty PQC files, and Man-in-the-Middle (MITM) attacks against the KMS.
AVideo is vulnerable to a critical authentication bypass within the Meet plugin. An attacker possessing the Meet shared secret can impersonate any user, including administrators, by supplying a crafted filename to the video upload endpoint, leading to complete system compromise.
A path traversal vulnerability exists in the legacy-bundle probing logic of Microsoft APM, an open-source dependency manager for AI agents. On Windows systems using Python versions prior to 3.12, this allows local attackers to overwrite arbitrary files via a crafted tarball.
A critical vulnerability in the Go-based file server goshs allows transparent Man-in-the-Middle (MITM) attacks during SSH tunnel establishment. Because versions prior to 2.0.7 use `ssh.InsecureIgnoreHostKey()` as the `HostKeyCallback`, they fail to validate the remote server's identity.
CVE-2026-23899 is a critical authorization bypass vulnerability within the Joomla! CMS webservice API. Due to an improper access check in the com_config component, authenticated low-privileged users can read and modify the global configuration, leading to the exposure of database credentials and the application secret key.
A critical Cross-Site Scripting (XSS) vulnerability exists in the Server-Side Rendering (SSR) engine of the Svelte framework. The vulnerability occurs due to insecure promise serialization within the experimental `hydratable` feature. Attackers controlling the output of a resolved promise can inject JavaScript string replacement tokens, causing the SSR engine to duplicate template strings into executable script blocks.
The @samanhappy/mcphub package before version 0.12.15 contains a critical improper authentication vulnerability within its Server-Sent Events (SSE) transport layer. The application blindly trusts the username provided in the URL path parameter to establish user context and session state without requiring cryptographic verification or authentication tokens. This architectural flaw allows unauthenticated remote attackers to impersonate any user, establish a valid session, and execute arbitrary Model Context Protocol (MCP) tools within the victim's authorization context.
The slack-go library prior to version 0.23.1 contains a cryptographic signature verification vulnerability. The SecretsVerifier component fails to validate whether the provided Slack signing secret is empty. Applications initializing this verifier with an empty string—such as from a missing environment variable—allow attackers to bypass request authentication by forging signatures with an empty HMAC key.
CVE-2026-42897 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability affecting the Outlook on the web (OWA) component of Microsoft Exchange Server. The flaw stems from improper neutralization of user-supplied input during web page generation. Discovered as a zero-day and actively exploited in the wild, the vulnerability allows unauthenticated attackers to execute arbitrary JavaScript within the security context of a targeted user's session, facilitating session hijacking and identity spoofing.
CVE-2026-45369 is a critical OS command injection vulnerability in the python-utcp library resulting from unsafe argument substitution in the CLI communication protocol. Unauthenticated attackers can execute arbitrary shell commands via specially crafted tool arguments.
The python-utcp library improperly exposes the host application's full environment variables to spawned subprocesses via `os.environ.copy()`. When combined with an existing command injection flaw, attackers can exfiltrate all host secrets in a single request.
CVE-2026-45411 is a critical sandbox breakout vulnerability in the vm2 library for Node.js, allowing attackers to achieve remote code execution on the host system. The flaw stems from an inconsistency in how the V8 JavaScript engine handles async generators during delegation and abrupt completions, enabling an attacker to smuggle a host-realm error object into the sandbox.