
Overview

  • Amazon Web Services
  • Language Servers for AWS

23 Jun 2026
Published
23 Jun 2026
Updated

CVSS v4.0
HIGH (8.5)
EPSS
0.14%

KEV

Description

Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary. To remediate this issue, users should upgrade to version 1.69.0 or higher.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins #patchmanagement
  • 4h ago

Overview

  • arraytics
  • Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered)

14 Apr 2026
Published
14 Apr 2026
Updated

CVSS v3.1
MEDIUM (4.3)
EPSS
0.18%

KEV

Description

The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

🚨 Alert: Active exploitation of critical vulnerabilities in Microsoft Defender | CVE-2026-4109 | CVE-2026-45498 | www.newstecnicas.com/2026/06/aler...
  • 21h ago

Overview

  • Xen
  • Xen

18 Jun 2026
Published
18 Jun 2026
Updated

CVSS
Pending
EPSS
0.10%

KEV

Description

HVM guest I/O port accesses are subject to either emulation or at least translation. Translations are managed by the device model (via XEN_DOMCTL_ioport_mapping), and hence the linked list used may change at any time. Traversal of those lists (while handling guest I/O port accesses) therefore needs to be synchronized with updates, which was missing so far.

Statistics

  • 1 Post

Last activity: 23 hours ago

Bluesky

SUSE-SU-2026:2613-1: 5 CVEs in the Xen hypervisor, including CVE-2025-54518 (AMD Zen 2 cache corruption) and CVE-2026-42487 (HVM I/O port traversal). Critical patch with CVSS 8.8. Full update procedure with post-patch verification on the blog. Learn more: -> tinyurl.com/28ukjuz3 #SUSE
  • 23h ago

Overview

  • Amazon Web Services
  • Language Servers for AWS

23 Jun 2026
Published
23 Jun 2026
Updated

CVSS v4.0
HIGH (8.5)
EPSS
0.12%

KEV

Description

Improper trust boundary enforcement in Language Servers for AWS before version 1.65.0 on all supported platforms may allow arbitrary code execution. If a local user opens a maliciously crafted workspace, any commands within the project configuration files may be automatically executed. This issue requires the user to trust the workspace when prompted. To remediate this issue, users should upgrade to Language Servers for AWS version 1.65.0 or higher.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins #patchmanagement
  • 4h ago

Overview

  • langgenius
  • dify

18 May 2026
Published
22 Jun 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.45%

KEV

Description

Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to redirect all messages and responses from victim applications to attacker-controlled LLM trace providers. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse


⚠️ CRITICAL: Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps

Four critical vulnerabilities in Dify AI platform (CVE-2026-41947, CVE-2026-41948, CVE-2026-41950) enable unauthorized access to private chats, cross-tenant document theft, and lateral API calls across multi-tenant environments. The platform powers 1 million applications, making this a widespread s…

threatnoir.com/focus

  • 22h ago

Overview

  • langgenius
  • dify

05 May 2026
Published
22 Jun 2026
Updated

CVSS v4.0
MEDIUM (6.0)
EPSS
0.33%

KEV

Description

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit insufficient permission verification in the chat-messages endpoints to access files without ownership validation, bypassing workspace separation and signed URL protections to retrieve sensitive file contents through workflow processing.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse


⚠️ CRITICAL: Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps

Four critical vulnerabilities in Dify AI platform (CVE-2026-41947, CVE-2026-41948, CVE-2026-41950) enable unauthorized access to private chats, cross-tenant document theft, and lateral API calls across multi-tenant environments. The platform powers 1 million applications, making this a widespread s…

threatnoir.com/focus

  • 22h ago

Overview

  • Cisco
  • Cisco Catalyst SD-WAN Manager

25 Feb 2026
Published
16 Jun 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
57.79%

Description

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric. 

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse


Mandiant documented active exploitation of CVE-2026-20245 (privilege escalation) chained with CVE-2026-20182 and CVE-2026-20127 (authentication bypass) against SD-WAN controllers. Attackers used rogue peering connections to establish...

captechgroup.com/threat-intell

  • 2h ago

Overview

  • Cisco
  • Cisco Catalyst SD-WAN Controller

14 May 2026
Published
16 Jun 2026
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
87.69%

Description

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.  A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse


Mandiant documented active exploitation of CVE-2026-20245 (privilege escalation) chained with CVE-2026-20182 and CVE-2026-20127 (authentication bypass) against SD-WAN controllers. Attackers used rogue peering connections to establish...

captechgroup.com/threat-intell

  • 2h ago

Overview

  • langgenius
  • dify

18 May 2026
Published
22 Jun 2026
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.51%

KEV

Description

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant's UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse


⚠️ CRITICAL: Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps

Four critical vulnerabilities in Dify AI platform (CVE-2026-41947, CVE-2026-41948, CVE-2026-41950) enable unauthorized access to private chats, cross-tenant document theft, and lateral API calls across multi-tenant environments. The platform powers 1 million applications, making this a widespread s…

threatnoir.com/focus

  • 22h ago
Showing 41 to 49 of 49 CVEs