Category: alerts
Category Added in a WPeMatico Campaign
-
Vulnerability Summary for the Week of July 6, 2026
High Vulnerabilities PrimaryVendor — Product Description Published CVSS Score Source Info 1Panel-dev–MaxKB MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chat_pipeline/step/chat_step/impl/base_chat_step.py do not consistently validate MCP transport type, allowing an authenticated user to import a .tool file containing stdio transport with… Read more
-
Vulnerability Summary for the Week of June 29, 2026
High Vulnerabilities PrimaryVendor — Product Description Published CVSS Score Source Info @fastify/express–@fastify/express @fastify/express versions 4.0.6 and earlier only rewrite the plugin prefix for middleware mount paths when the path argument is a string. Non-string mount paths (arrays of paths and regular expressions) are left unprefixed inside prefixed plugin scopes, so middleware registered with those forms… Read more
-
Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting
Russian Government-Sponsored Activity Targets Poorly Configured and Vulnerable Devices Across Critical Sectors Executive summary Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks. This joint Cybersecurity Advisory (CSA) builds on FBI’s Russian Government Cyber Actors Targeting Networking Devices,… Read more
-
Vulnerability Summary for the Week of June 22, 2026
High Vulnerabilities PrimaryVendor — Product Description Published CVSS Score Source Info abhisheksaha11–URL Preview The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0 via the ‘url’ parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web… Read more
-
Vulnerability Summary for the Week of June 15, 2026
High Vulnerabilities PrimaryVendor — Product Description Published CVSS Score Source Info 10Web–Form Maker by 10Web Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions. 2026-06-15 9.3 CVE-2026-39502 404-redirection-manager–404 Redirection Manager The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL… Read more
-
CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure
CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials. This activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways. To defend against this… Read more
-
Vulnerability Summary for the Week of June 8, 2026
High Vulnerabilities PrimaryVendor — Product Description Published CVSS Score Source Info AdguardTeam–AdGuardHome AdGuard Home, when started with the –glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie, exploiting unsanitized string concatenation in the token file path construction within… Read more
-
Vulnerability Summary for the Week of June 1, 2026
High Vulnerabilities PrimaryVendor — Product Description Published CVSS Score Source Info 10Web–Photo Gallery by 10Web Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in 10Web Photo Gallery by 10Web allows Blind SQL Injection. This issue affects Photo Gallery by 10Web: from n/a through 1.8.41. 2026-06-04 7.6 CVE-2026-49771 AAM Plugin–Advanced Access… Read more
-
Vulnerability Summary for the Week of May 25, 2026
High Vulnerabilities PrimaryVendor — Product Description Published CVSS Score Source Info 1Panel-dev–MaxKB MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB’s webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication. The WebhookAuth class unconditionally returns (None, {}), which Django REST Framework interprets as successful authentication. Combined with optional per-trigger token verification and no… Read more
-
Supply Chain Compromises Impact Nx Console and GitHub Repositories
CISA is prioritizing the response to multiple emerging software supply chain intrusion campaigns targeting developer ecosystems Continuous Integration/Continuous Development (CI/CD) pipelines. These recent incidents, including the GitHub compromise via a malicious Nx Console Visual Studio Code (VS Code) extension and the “Megalodon” supply chain intrusion campaign, demonstrate how cyber threat actors are abusing tools and… Read more
