WWBN AVideo versions up to and including 26.0 contain an incorrect authorization vulnerability (CWE-863). Users with the 'Videos Moderator' permission can exploit inconsistent authorization boundaries to transfer video ownership and delete arbitrary videos, resulting in privilege escalation.
WWBN AVideo versions up to and including 26.0 contain a critical time-based blind SQL injection vulnerability in the `remindMe.json.php` endpoint. An authenticated attacker can supply a crafted `live_schedule_id` parameter to execute arbitrary database queries, leading to full database compromise.
Threat actors compromised the CI/CD pipeline of the LiteLLM package by poisoning a dependency, allowing them to steal PyPI publisher credentials. These credentials were used to publish two malicious versions of LiteLLM that deploy a persistent credential harvester and Kubernetes worm via Python's .pth file mechanism.
Scriban versions prior to 7.0.0 suffer from an uncontrolled recursion vulnerability within the `object.to_json` built-in function. By passing a specially crafted self-referencing or deeply nested object to this function, an attacker can trigger an infinite recursive loop. This exhausts the execution stack, resulting in an uncatchable StackOverflowException that immediately terminates the hosting .NET process.
PyJWT versions prior to 2.12.0 fail to validate the `crit` (Critical) Header Parameter as mandated by RFC 7515. This allows attackers to bypass security policies enforced via custom JWT extensions by supplying tokens with unsupported critical parameters, which the library silently ignores instead of rejecting.
The pytest testing framework through version 9.0.2 on UNIX-like systems creates base temporary directories using a predictable naming pattern. This predictable pattern allows a local attacker to execute a symlink race or Time-of-Check Time-of-Use (TOCTOU) attack, potentially resulting in Denial of Service (DoS), information disclosure, or local privilege escalation.
The Scriban template engine for .NET contains a flaw in its memory allocation limiting logic. An attacker who can supply malicious templates can bypass the `LimitToString` safety mechanism, causing the engine to allocate excessive memory. This leads to an Out-of-Memory (OOM) condition and subsequent application crash, resulting in a Denial of Service (DoS).
The Scriban .NET templating engine versions prior to 7.0.0 contain three distinct denial-of-service vulnerabilities. These flaws arise from improper enforcement of resource limits during expression evaluation, specifically concerning string multiplication, bitwise shifts, and range enumerations. An attacker with template authoring privileges can exploit these vectors to trigger OutOfMemoryException or CPU exhaustion, resulting in abrupt application termination or degraded performance.
NATS-Server versions prior to 2.11.15 and 2.12.5 contain multiple vulnerabilities within the MQTT session management and packet parsing logic. These flaws, notably a Client ID hash collision weakness and null-byte truncation, allow unauthenticated remote attackers to hijack active MQTT sessions and intercept private message streams.
FileBrowser Quantum versions prior to v1.3.2-beta contain a timing side-channel vulnerability in the authentication endpoint. The application processes login requests for valid usernames significantly slower than for invalid usernames due to the conditional execution of the bcrypt hashing algorithm. This discrepancy allows unauthenticated remote attackers to enumerate valid usernames registered on the target system.
The Python library `justhtml` versions prior to 1.13.0 suffer from a Cross-Site Scripting (XSS) vulnerability due to improper handling of HTML `<pre>` elements during Markdown serialization. This flaw permits attackers to break out of generated Markdown code blocks and execute arbitrary JavaScript when the output is processed by downstream Markdown renderers.
Parse Server versions prior to 8.6.61 and 9.6.0-alpha.55 suffer from an information disclosure vulnerability (CWE-200) in the `/users/me` endpoint. The server retrieves user objects using the Master Key context, bypassing security filters and exposing raw Multi-Factor Authentication (MFA) secrets and recovery codes to authenticated users.