•about 1 hour ago•CVE-2026-31863
3.6CVE-2026-31863: Authentication Bypass via Brute Force in Anytype Heart gRPC API
The Anytype Heart middleware library fails to restrict excessive authentication attempts on its local gRPC client API. This vulnerability allows a local, unprivileged attacker to bypass challenge-based authentication by brute-forcing a 4-digit authorization code, resulting in unauthorized access to the Anytype application backend and the user's local data.
1 views•6 min read
•about 7 hours ago•CVE-2024-29857
7.5CVE-2024-29857: Denial of Service via Algorithmic Complexity in Bouncy Castle ECC
An algorithmic complexity exhaustion vulnerability exists in the Bouncy Castle cryptographic libraries for Java and C# .NET. The vulnerability affects the processing of Elliptic Curve Cryptography (ECC) parameters defined over binary finite fields. Remote attackers can trigger unbounded resource consumption and cause a denial of service (DoS) by supplying specially crafted X.509 certificates with excessively large field degree parameters.
2 views•5 min read
•about 7 hours ago•CVE-2024-34447
7.5CVE-2024-34447: Hostname Verification Bypass in Bouncy Castle Java JSSE
A vulnerability in the Bouncy Castle Crypto Package for Java (BCJSSE) permits adversaries to bypass TLS hostname verification. By exploiting a fallback mechanism that evaluates the peer's IP address instead of the intended hostname, an attacker capable of DNS spoofing can conduct Adversary-in-the-Middle (AitM) attacks to intercept encrypted traffic.
3 views•6 min read
•about 7 hours ago•CVE-2026-26988
9.1CVE-2026-26988: Critical SQL Injection in LibreNMS ajax_table.php Endpoint
LibreNMS versions up to 25.12.0 are vulnerable to an unauthenticated SQL injection in the address search functionality. The flaw allows remote attackers to execute arbitrary database queries via the ajax_table.php endpoint.
15 views•5 min read
•about 7 hours ago•CVE-2026-28472
8.1CVE-2026-28472: Device Identity Verification Bypass in OpenClaw Gateway WebSocket Handshake
CVE-2026-28472 is a critical security vulnerability in the OpenClaw automation platform affecting all versions prior to 2026.2.2. The vulnerability resides in the gateway's WebSocket connection handshake logic, where a flaw in authentication sequence allows unauthenticated attackers to bypass device identity verification. In environments utilizing secondary authentication providers, this can result in unauthorized operator access to the gateway.
14 views•6 min read
•about 9 hours ago•CVE-2026-1566
8.8CVE-2026-1566: Privilege Escalation via Improper Authorization in LatePoint WordPress Plugin
CVE-2026-1566 is a high-severity privilege escalation vulnerability in the LatePoint WordPress plugin affecting versions 5.2.7 and earlier. Authenticated attackers with Agent privileges can manipulate the wordpress_user_id parameter during customer creation to link their account to an administrator, enabling full site takeover via password reset mechanisms.
7 views•7 min read
•about 11 hours ago•CVE-2026-31829
7.1CVE-2026-31829: Server-Side Request Forgery in Flowise HTTP Node
Flowise versions prior to 3.0.13 are vulnerable to a High-severity Server-Side Request Forgery (SSRF) flaw in the HTTP Node component. Attackers with access to modify chatflows can force the server to execute unauthorized requests against internal network boundaries, cloud metadata endpoints, and local services.
6 views•5 min read
•about 13 hours ago•CVE-2026-31830
7.5CVE-2026-31830: Verification Bypass via Unchecked Return Value in sigstore-ruby
sigstore-ruby prior to version 0.2.3 contains a critical logic flaw in its verification routine for DSSE bundles. An unchecked return value allows an attacker to bypass artifact binding checks, facilitating supply chain attacks via artifact swapping.
7 views•6 min read
•about 13 hours ago•CVE-2026-31832
5.4CVE-2026-31832: Broken Object-Level Authorization in Umbraco CMS Management API
Umbraco CMS suffers from a Broken Object-Level Authorization (BOLA) vulnerability within its Management API. Authenticated backoffice users can bypass node-level boundary restrictions to view and modify domain and notification configurations for arbitrary content nodes. The flaw is rooted in missing resource-level authorization checks in specific API controllers.
3 views•5 min read
•about 14 hours ago•GHSA-V8W9-8MX6-G223
6.5GHSA-v8w9-8mx6-g223: Prototype Pollution in Hono parseBody Utility
The Hono web framework contains a Prototype Pollution vulnerability (CWE-1321) within its `parseBody` utility. When the `{ dot: true }` configuration option is enabled, insufficient validation of form data keys allows unauthenticated attackers to inject arbitrary properties into the global `Object.prototype`. This manipulation affects all objects within the Node.js runtime environment.
4 views•6 min read
•about 15 hours ago•GHSA-J443-WCQQ-XPRH
10.0CVE-2025-68121: TLS Session Resumption Trust Bypass in Go crypto/tls
A critical vulnerability in the Go standard library's crypto/tls package allows attackers to bypass updated Certificate Authority (CA) trust stores during TLS session resumption. Applications that dynamically mutate TLS configurations, such as the Terraform Provider for SendGrid, may inadvertently accept connections from entities whose certificates have been explicitly revoked or removed from the active trust configuration.
9 views•5 min read
•about 19 hours ago•GHSA-VHJ5-X93P-67JW
6.1GHSA-vhj5-x93p-67jw: Host Header Poisoning and Open Redirect in actix-web-lab
The actix-web-lab crate prior to version 0.26.0 contains a host header poisoning vulnerability in its redirect middleware components. Attackers can manipulate the incoming HTTP Host header or forwarding headers to dictate the Location header in the application's redirect responses. This mechanism results in an Open Redirect vulnerability, allowing attackers to route users to arbitrary, untrusted domains.
5 views•5 min read