Aggregator

TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise

The Hackers News
2 weeks 5 days ago
TeamPCP, the threat actor behind the recent compromises of Trivy and KICS, has now compromised a popular Python package named litellm, pushing two malicious versions containing a credential harvester, a Kubernetes lateral movement toolkit, and a persistent backdoor. Multiple security vendors, including Endor Labs and JFrog, revealed that litellm versions 1.82.7 and 1.82.8 were published on March
The Hacker News

CVE-2026-33400 | ellite Wallos up to 4.6.x Statistics Page payment cross site scripting

VulDB Recent Entries
2 weeks 5 days ago
A vulnerability has been found in ellite Wallos up to 4.6.x and classified as problematic. The affected element is the function payment of the component Statistics Page. This manipulation causes cross site scripting. This vulnerability is handled as CVE-2026-33400. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded.
vuldb.com

CVE-2026-33401 | ellite Wallos up to 4.6.x AI Recommendations Endpoint AI Ollama host server-side request forgery

VulDB Recent Entries
2 weeks 5 days ago
A vulnerability, which was classified as critical, was found in ellite Wallos up to 4.6.x. Impacted is an unknown function of the component AI Recommendations Endpoint. The manipulation of the argument AI Ollama host results in server-side request forgery. This vulnerability is known as CVE-2026-33401. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.
vuldb.com

CVE-2026-33407 | ellite Wallos up to 4.6.x Endpoint search.php HTTP_PROXY/HTTPS_PROXY server-side request forgery

VulDB Recent Entries
2 weeks 5 days ago
A vulnerability, which was classified as critical, has been found in ellite Wallos up to 4.6.x. This issue affects some unknown processing of the file endpoints/logos/search.php of the component Endpoint. The manipulation of the argument HTTP_PROXY/HTTPS_PROXY leads to server-side request forgery. This vulnerability is traded as CVE-2026-33407. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.
vuldb.com

CVE-2026-33399 | ellite Wallos up to 4.6.x Notifications validate_webhook_url_for_ssrf server-side request forgery

VulDB Recent Entries
2 weeks 5 days ago
A vulnerability classified as critical was found in ellite Wallos up to 4.6.x. This vulnerability affects the function validate_webhook_url_for_ssrf of the component Notifications Handler. Executing a manipulation can lead to server-side request forgery. This vulnerability appears as CVE-2026-33399. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is advised.
vuldb.com

HackerOne Data Breach – Employees Data Stolen Following Navia Hack

Cyber Security News
2 weeks 5 days ago

HackerOne recently disclosed a data breach affecting 287 of its employees following a cyberattack on its U.S. benefits administrator, Navia Benefit Solutions. The breach stemmed from a Broken Object Level Authorization (BOLA) vulnerability in Navia’s API, which exposed the sensitive personal and health information of approximately 2.7 million individuals nationwide. An unknown threat actor exploited […]

The post HackerOne Data Breach – Employees Data Stolen Following Navia Hack appeared first on Cyber Security News.

Guru Baran

CVE-2026-33161 | Craft CMS up to 4.17.7/5.9.13 Endpoint information disclosure

VulDB Recent Entries
2 weeks 5 days ago
A vulnerability classified as problematic has been found in Craft CMS up to 4.17.7/5.9.13. This affects an unknown part of the component Endpoint. Performing a manipulation results in information disclosure. This vulnerability is reported as CVE-2026-33161. The attack is possible to be carried out remotely. No exploit exists. It is recommended to upgrade the affected component.
vuldb.com

CVE-2026-33340 | ParisNeo lollms-webui up to 8c5dcef63d847bb3d027ec74915d8fe4afd3014e Web User Interface missing authentication (GHSA-mcwr-5469-pxj4)

VulDB Recent Entries
2 weeks 5 days ago
A vulnerability described as critical has been identified in ParisNeo lollms-webui up to 8c5dcef63d847bb3d027ec74915d8fe4afd3014e. Affected by this issue is some unknown functionality of the component Web User Interface. Such manipulation leads to missing authentication. This vulnerability is documented as CVE-2026-33340. The attack can be executed remotely. There is not any exploit available.
vuldb.com

CVE-2025-11571 | Silabs Simplicity Installer tool for Simplicity Studio v6 os command injection (EUVD-2025-208962)

VulDB Recent Entries
2 weeks 5 days ago
A vulnerability was found in Silabs Simplicity Studio v5 and Simplicity Installer tool for Simplicity Studio v6. It has been rated as critical. The impacted element is an unknown function. Performing a manipulation results in os command injection. This vulnerability is identified as CVE-2025-11571. The attack can be initiated remotely. There is not any exploit available.
vuldb.com

CVE-2026-33157 | Craft CMS up to 5.9.12 cleanseConfig fieldLayouts externally-controlled input to select classes or code

VulDB Recent Entries
2 weeks 5 days ago
A vulnerability was found in Craft CMS up to 5.9.12. It has been declared as problematic. The affected element is the function cleanseConfig. Such manipulation of the argument fieldLayouts leads to use of externally-controlled input to select classes or code. This vulnerability is referenced as CVE-2026-33157. It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2026-32854 | LibVNC Server up to 0.9.15 HTTP Proxy httpd.c httpProcessInput null pointer dereference

VulDB Recent Entries
2 weeks 5 days ago
A vulnerability was found in LibVNC Server up to 0.9.15. It has been classified as problematic. Impacted is the function httpProcessInput of the file httpd.c of the component HTTP Proxy Handler. This manipulation causes null pointer dereference. The identification of this vulnerability is CVE-2026-32854. It is possible to initiate the attack remotely. There is no exploit available. To fix this issue, it is recommended to deploy a patch.
vuldb.com

Managed ad