432 articles
CVE-2025-69691 (CVSS 9.9) in Netgate pfSense CE 2.8.0 lets authenticated admins execute arbitrary PHP via XMLRPC's pfsense.exec_php; Netgate disputes the severity.
CVE-2022-50994 (CVSS 8.1): Unauthenticated attackers can inject shell commands via the formpassword parameter in the CGI login handler of DrayTek Vigor 2960 routers running...
A typosquatted OpenAI repository reached #1 on Hugging Face with 244,000 downloads, delivering a Rust-based infostealer that targets browser credentials, crypto wallets, and VPN...
CVE-2024-51092 (CVSS 9.1): LibreNMS before 24.10.0 allows unauthenticated remote attackers to execute arbitrary OS commands via AboutController.php, SettingsController.php, and...
CVE-2024-27686 (CVSS 7.5) affects MikroTik RouterOS x86 versions 6.40.5 through 6.49.10 — a crafted SMB packet on TCP 445 triggers a device crash. No authentication required.
CVE-2026-44339 (CVSS 8.6) in PraisonAI multi-agent framework lets agents resolve undeclared tool names against module globals, enabling arbitrary Python execution.
CVE-2026-8136 (CVSS 3.3) enables remote stored XSS in SourceCodester Pharmacy Sales and Inventory System 1.0 via the Name parameter in /index.php?page=users.
CVE-2022-23961 (CVSS 6.1) in Thruk Monitoring through 2.46.3 enables unauthenticated reflected XSS via the login field, risking session theft for admins.
CVE-2024-46508 (CVSS 7.5) in Yeti platform before 2.1.12 lets attackers forge valid JWT tokens when the default secret key is unchanged — full account takeover risk.
Braintrust disclosed a breach on May 4 where attackers accessed an AWS account, compromising AI provider API keys for firms like Box and Stripe. At least one customer affected.
CVE-2026-7891 in DIVD's VerySecureApp (Mendix Studio Pro 11.8.0 Beta) exposes all stored records to anonymous users via an authorization misconfiguration — no access rights...
CVE-2026-8106: Reflected HTML injection in GitHub Enterprise Server Management Console login page enables credential theft via crafted redirect_to parameter.
