Authentication bypass in OpenPLC_V3 allows unauthenticated remote attackers to gain unauthorized system access through insecurely configured API endpoints. The vulnerability stems from insecure default resource initialization (CWE-1188), enabling complete circumvention of authentication mechanisms. Attackers can exploit this over the network with low attack complexity to achieve high confidentiality, integrity, and availability impact across vulnerable and subsequent systems. No public exploit identified at time of analysis.
DNS rebinding attacks can bypass same-origin policy in Model Context Protocol (MCP) Go SDK versions prior to 1.4.0, enabling malicious websites to send unauthorized requests to localhost HTTP servers. Affects servers using StreamableHTTPHandler or SSEHandler when run without authentication on localhost. No public exploit identified at time of analysis, though the attack technique (DNS rebinding) is well-documented. CVSS scoring unavailable, but real-world risk is constrained to non-recommended configurations lacking authentication.
NVIDIA Jetson system initialization flaw allows authenticated remote attackers to exploit insecure default machine IDs, enabling cross-device information disclosure of encrypted data and tampering. Affects JetPack on Xavier and Orin series devices. CVSS 8.3 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV status not present). The vulnerability enables attackers with low-level privileges to compromise multiple devices sharing identical default machine identifiers, undermining cryptographic protections and system integrity across the device fleet.
OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability (CWE-1188) that allows local attackers with low privileges to execute arbitrary code on the host system by exploiting disabled OS-level sandbox protections in the Chromium browser container. The vulnerability does not require a sandbox escape, making exploitation straightforward for local users. A patch is available from the vendor, and the issue was reported by VulnCheck with references to GitHub security advisories and patch commits.
WWBN AVideo open source video platform versions 25.0 and below ship with a hardcoded default administrator password ('password') in official Docker deployment files that is automatically used during installation without any forced change mechanism. Attackers can gain immediate administrative access to unpatched instances, enabling user data exposure, content manipulation, and potential remote code execution via file upload and plugin management features. The issue is compounded by weak MD5 password hashing and similarly insecure default database credentials (avideo/avideo).
Default password in Himmelblau Azure Entra ID suite 3.0.0-3.0.x. CVSS 10.0.
Mongoose Web Server 6.9 contains a denial of service vulnerability that allows remote attackers to crash the service by establishing multiple socket connections. [CVSS 7.5 HIGH]
AMPPS 2.7 contains a denial of service vulnerability that allows remote attackers to crash the service by sending malformed data to the default HTTP port. Attackers can establish multiple socket connections and transmit invalid payloads to exhaust server resources and cause service unavailability. [CVSS 7.5 HIGH]
Unauthorized information disclosure in Azure Compute Gallery occurs due to insecure default initialization settings that authenticated users can exploit to access sensitive data remotely. An authorized attacker can leverage this vulnerability to read confidential information without requiring user interaction. No patch is currently available for Microsoft products and ACI Confidential Containers.
Hardcoded/insecure credentials in IDC SFX Series SuperFlex Satellite Receiver. Multiple accounts with known credentials enable complete device takeover.