•about 10 hours ago•CVE-2026-48166
5.3CVE-2026-48166: Timing-Based User Enumeration on Login Page in Filament
An observable timing discrepancy vulnerability (CWE-208) in Filament's administrative login page allows unauthenticated remote attackers to determine the existence of registered email addresses. This timing side-channel arises from short-circuiting logic that skips expensive password hashing checks when a queried email address is not found in the database. Attackers can execute statistical timing attacks to map active administrator accounts, facilitating subsequent targeted brute-force or credential-stuffing campaigns.
7 views•6 min read
•about 10 hours ago•CVE-2026-48167
6.4CVE-2026-48167: Stored Cross-Site Scripting (XSS) via Attribute Injection in Filament ImageColumn and ImageEntry
Filament's ImageColumn (used in tables) and ImageEntry (used in infolists) components render database values inside HTML attributes without validation or sanitization. This allows an attacker to inject arbitrary HTML attributes, leading to Stored Cross-Site Scripting (XSS).
9 views•5 min read
•about 11 hours ago•CVE-2026-48480
6.6CVE-2026-48480: Undetected Stream Truncation in netty-incubator-codec-ohttp
The Netty incubator codec for Oblivious HTTP (OHTTP) fails to verify that a cryptographically signed final chunk is received before the outer HTTP body terminates. This missing validation allows an on-path adversary to truncate chunked-OHTTP messages cleanly at a non-final chunk boundary, leading to undetected data truncation and compromising message integrity. The vulnerability affects multiple versions of the maven package io.netty.incubator:netty-incubator-codec-ohttp prior to 0.0.22.Final.
6 views•7 min read
•about 11 hours ago•CVE-2026-48488
2.7CVE-2026-48488: Weak Cryptographic Hash (SHA-1) Usage for Attachment Encryption Keys in phpMyFAQ
Prior to version 4.1.4, phpMyFAQ used the cryptographically broken SHA-1 algorithm to hash custom attachment encryption keys stored in the database. Attackers with database access can recover these plaintext keys through offline brute-force attacks and subsequently decrypt sensitive file attachments.
6 views•7 min read
•about 12 hours ago•CVE-2026-48493
5.5CVE-2026-48493: Self-Privilege Escalation via Profile Modification in Snipe-IT
A privilege escalation vulnerability in Snipe-IT versions prior to 8.6.0 allows authenticated users with profile-editing capabilities to elevate their own permissions by performing a PATCH request on their own user endpoint.
7 views•5 min read
•about 13 hours ago•CVE-2026-48500
6.5CVE-2026-48500: Unauthenticated File Upload and Resource Exhaustion in Filament Admins
CVE-2026-48500 is an authorization bypass vulnerability within Filament, a full-stack Laravel administration panel suite. The flaw arises from the unauthenticated exposure of Livewire's file upload RPC endpoints on guest-facing pages, allowing remote actors to upload arbitrary files to temporary storage, potentially leading to storage exhaustion and service disruption.
7 views•7 min read
•about 14 hours ago•GHSA-WCMJ-X466-56MM
6.1GHSA-WCMJ-X466-56MM: Arbitrary File Write via UNIX Symbolic Link Following in OpenTofu
A UNIX symbolic link following vulnerability exists in the provider cache installation mechanism of OpenTofu. This flaw allows an attacker with control over the repository files to write files outside of the intended workspace boundary during initialization.
6 views•6 min read
•about 15 hours ago•CVE-2026-48507
7.1CVE-2026-48507: Incorrect Authorization in Snipe-IT Bulk User Edit and Merge Features
An incorrect authorization vulnerability (CWE-863) in Snipe-IT versions prior to 8.6.0 allows authenticated, low-privileged users with granular 'users.edit' permissions to modify restricted user flags ('activated' and 'ldap_import') and merge high-privileged administrator accounts into standard user accounts. This allows an attacker to lock administrators out of the system or completely hijack administrator accounts.
4 views•8 min read
•about 16 hours ago•GHSA-W2J7-F3C6-G8CW
4.7GHSA-w2j7-f3c6-g8cw: Open Redirect Bypass via Parser Differential in Flask-Security
An open redirect vulnerability exists in Flask-Security versions up to and including 5.8.0. This flaw allows remote, unauthenticated attackers to perform open redirects by exploiting a parser differential between Python's standard library urlsplit() function and modern web browsers when subdomain redirection is allowed.
5 views•8 min read
•about 19 hours ago•CVE-2026-49205
6.5CVE-2026-49205: Missing Authorization in phpMyFAQ Public REST API Write Endpoints
An incomplete security patch for CVE-2026-24421 in phpMyFAQ allows authenticated low-privileged users to bypass role-based access controls. While the initial patch addressed missing authorization in the BackupController, it left four critical write-enabled endpoints vulnerable. This allows remote attackers with a valid low-privilege API token to perform unauthorized data modifications, creating categories, creating FAQs, updating FAQs, and injecting questions directly into the database.
8 views•5 min read
•1 day ago•GHSA-74P7-6H78-GW8P
8.6GHSA-74P7-6H78-GW8P: Multiple Critical Security Flaws in skillctl Agent-Skill Manager
An in-depth security audit of the skillctl command-line package manager revealed five critical and high-severity security vulnerabilities. The identified flaws span parameter-level command argument injection via the source_sha parameter, uncontrolled resource consumption (Denial of Service) through unnamed UNIX FIFOs and character devices, directory path traversal in the destination argument, commit-message trailer forgery via newline injection in skill names, and local credential exfiltration leveraging UNIX hardlinks. These vulnerabilities represent significant vectors for workstation compromise when executing agentic tasks in repositories containing untrusted files or pull requests. Remediation was introduced in version v0.1.3.
6 views•6 min read
•1 day ago•CVE-2026-48153
8.5CVE-2026-48153: Server-Side Request Forgery in Budibase OAuth2 SDK
CVE-2026-48153 is a Server-Side Request Forgery (SSRF) vulnerability in the Budibase OAuth2 SDK prior to version 3.39.0. It allows authenticated low-privileged users to bypass outbound network security blacklists and send arbitrary requests to internal subnets or cloud metadata services.
10 views•7 min read