CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

CVEReports
•about 2 hours ago•GHSA-F3CJ-J4F6-WQ85
9.1

GHSA-f3cj-j4f6-wq85: Server-Side Rendering Cross-Site Scripting in Svelte hydratable Promises

A critical Cross-Site Scripting (XSS) vulnerability exists in the Server-Side Rendering (SSR) engine of the Svelte framework. The vulnerability occurs due to insecure promise serialization within the experimental `hydratable` feature. Attackers controlling the output of a resolved promise can inject JavaScript string replacement tokens, causing the SSR engine to duplicate template strings into executable script blocks.

Alon Barad
Alon Barad
1 views•6 min read
•about 2 hours ago•GHSA-WF8Q-WVV8-P8JF
4.7

GHSA-WF8Q-WVV8-P8JF: Unauthenticated User Impersonation in MCPHub SSE Endpoint

The @samanhappy/mcphub package before version 0.12.15 contains a critical improper authentication vulnerability within its Server-Sent Events (SSE) transport layer. The application blindly trusts the username provided in the URL path parameter to establish user context and session state without requiring cryptographic verification or authentication tokens. This architectural flaw allows unauthenticated remote attackers to impersonate any user, establish a valid session, and execute arbitrary Model Context Protocol (MCP) tools within the victim's authorization context.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 3 hours ago•GHSA-GXHX-2686-5H9G
7.7

GHSA-gxhx-2686-5h9g: Signature Verification Bypass in slack-go via Empty SecretsVerifier

The slack-go library prior to version 0.23.1 contains a cryptographic signature verification vulnerability. The SecretsVerifier component fails to validate whether the provided Slack signing secret is empty. Applications initializing this verifier with an empty string—such as from a missing environment variable—allow attackers to bypass request authentication by forging signatures with an empty HMAC key.

Alon Barad
Alon Barad
2 views•7 min read
•about 3 hours ago•CVE-2026-42897
8.1

CVE-2026-42897: Reflected Cross-Site Scripting in Microsoft Exchange Server OWA

CVE-2026-42897 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability affecting the Outlook on the web (OWA) component of Microsoft Exchange Server. The flaw stems from improper neutralization of user-supplied input during web page generation. Discovered as a zero-day and actively exploited in the wild, the vulnerability allows unauthenticated attackers to execute arbitrary JavaScript within the security context of a targeted user's session, facilitating session hijacking and identity spoofing.

Amit Schendel
Amit Schendel
34 views•5 min read
•about 12 hours ago•CVE-2026-45369
10.0

CVE-2026-45369: OS Command Injection in python-utcp CLI Protocol

CVE-2026-45369 is a critical OS command injection vulnerability in the python-utcp library resulting from unsafe argument substitution in the CLI communication protocol. Unauthenticated attackers can execute arbitrary shell commands via specially crafted tool arguments.

Alon Barad
Alon Barad
13 views•7 min read
•about 12 hours ago•CVE-2026-45370
7.7

CVE-2026-45370: Environment Variable Leak in python-utcp CLI Subprocesses

The python-utcp library improperly exposes the host application's full environment variables to spawned subprocesses via os.environ.copy(). When combined with an existing command injection flaw, attackers can exfiltrate all host secrets in a single request.

Alon Barad
Alon Barad
10 views•6 min read
•about 13 hours ago•CVE-2026-45411
9.8

CVE-2026-45411: Remote Code Execution via Sandbox Escape in vm2 Async Generator Implementation

CVE-2026-45411 is a critical sandbox breakout vulnerability in the vm2 library for Node.js, allowing attackers to achieve remote code execution on the host system. The flaw stems from an inconsistency in how the V8 JavaScript engine handles async generators during delegation and abrupt completions, enabling an attacker to smuggle a host-realm error object into the sandbox.

Amit Schendel
Amit Schendel
10 views•8 min read
•about 16 hours ago•GHSA-7RX4-C5VX-G8W3
8.6

GHSA-7RX4-C5VX-G8W3: Server-Side Request Forgery Bypass in Karakeep Metadata Extraction Workers

A critical Server-Side Request Forgery (SSRF) vulnerability exists in the Karakeep metadata extraction process prior to version 0.32.0. The flaw allows attackers to bypass primary URL validation and target internal network resources or cloud metadata services via crafted webpage metadata.

Alon Barad
Alon Barad
7 views•5 min read
•about 16 hours ago•GHSA-9M65-766C-R333
7.1

GHSA-9M65-766C-R333: Type Confusion in Seroval Leading to Unintended Function Execution in TanStack Start

A type confusion vulnerability in the `seroval` deserialization library (CWE-843) exposes TanStack Start server functions to unintended sibling function invocation. Upstream, this flaw can lead to remote code execution (CVE-2026-23737).

Alon Barad
Alon Barad
7 views•6 min read
•about 19 hours ago•GHSA-7G73-99R4-M4MJ
7.5

GHSA-7G73-99R4-M4MJ: Credential Data Leak in FlowiseAI API Responses

FlowiseAI versions prior to 3.1.2 suffer from a CWE-200 Information Exposure vulnerability. The application's credential management API inadvertently returns the `encryptedData` field containing ciphertext for sensitive integrations in its JSON responses.

Alon Barad
Alon Barad
5 views•5 min read
•about 20 hours ago•CVE-2026-42793
8.2

CVE-2026-42793: Unauthenticated Remote Denial of Service in Absinthe GraphQL via Atom Exhaustion

CVE-2026-42793 is a critical resource exhaustion vulnerability in the Absinthe GraphQL library for Elixir. Unauthenticated attackers can exploit unsafe atom creation during Schema Definition Language (SDL) parsing to trigger a system-wide crash of the Erlang Virtual Machine (BEAM).

Alon Barad
Alon Barad
5 views•6 min read
•about 20 hours ago•CVE-2026-43967
8.7

CVE-2026-43967: Denial of Service via Algorithmic Complexity in Absinthe GraphQL Fragment Validation

Absinthe, an Elixir GraphQL toolkit, is vulnerable to a Denial of Service (DoS) condition due to inefficient algorithmic complexity in its document validation phase. Unauthenticated attackers can exhaust server resources by submitting GraphQL requests with heavily duplicated fragment definitions.

Alon Barad
Alon Barad
6 views•6 min read
SeverityExploitPeriodCatalog
Sort

Or generate a custom report

Search for a CVE ID (e.g. CVE-2024-1234) to generate an AI-powered vulnerability analysis

Automated vulnerability intelligence. 1,738+ reports.