Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the goal to learn the server secrets. This vulnerability is fixed in 2.6.0.

CVE Database V5

Detailed information about CVE-2026-22863: CWE-325: Missing Cryptographic Step in denoland deno affecting denoland deno. Get real-time updates, technical detail

CVE-2026-22863: CWE-325: Missing Cryptographic Step in denoland deno - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-22863: CWE-325: Missing Cryptographic Step in denoland deno

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.

Detailed information about CVE-2026-22864: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in denoland deno affectin

CVE-2026-22864: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in denoland deno - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-22864: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in denoland deno

A stored cross-site scripting (XSS) vulnerability exists in the Altium Workflow Engine due to missing server-side input sanitization in workflow form submission APIs. A regular authenticated user can inject arbitrary JavaScript into workflow data.

When an administrator views the affected workflow, the injected payload executes in the administrator’s browser context, allowing privilege escalation, including creation of new administrator accounts, session token theft, and execution of administrative actions.

Detailed information about CVE-2026-1010: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) in Altium Altium 365 affecti

CVE-2026-1010: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) in Altium Altium 365 - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2026-1010: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) in Altium Altium 365

CVE-2025-68671 is an authentication bypass vulnerability in treeverse lakeFS versions prior to 1. 75. 0. The issue arises because the lakeFS S3 gateway does not validate timestamps in signed authenticated requests, allowing attackers to perform replay attacks by resubmitting captured valid requests. This flaw enables unauthorized actions with the privileges of the original request until credentials are rotated. The vulnerability has a CVSS score of 6. 5 (medium severity) and does not require authentication or user interaction to exploit. It affects organizations using lakeFS for managing object storage repositories in a Git-like manner. The vulnerability is fixed in version 1. 75.

CVE-2025-68671 is an authentication bypass vulnerability classified under CWE-294 (Improper Authentication) affecting the open-source project lakeFS by treeverse. lakeFS provides Git-like version control capabilities for object storage, commonly used with S3-compatible storage backends. The vulnerability exists because the lakeFS S3 gateway fails to validate the timestamps embedded in signed requests. Signed requests typically include timestamps to prevent replay attacks by ensuring requests expire after a certain time. However, in versions prior to 1.75.0, lakeFS accepts replayed requests with previously valid signatures regardless of their timestamp, allowing attackers who capture a valid signed request (via network interception, compromised logs, or systems) to replay these requests indefinitely until credentials are rotated. This bypasses the intended authentication controls and can lead to unauthorized access or actions with the privileges of the original request. The vulnerability does not require any privileges or user interaction to exploit and can be performed remotely over the network. The CVSS 3.1 base score is 6.5, reflecting medium severity due to the ease of exploitation and potential confidentiality and integrity impacts, but no direct impact on availability. The issue is resolved in lakeFS version 1.75.0 by adding proper timestamp validation to reject expired requests. No public exploits or active attacks have been reported to date, but the risk remains significant for organizations using vulnerable versions of lakeFS in production environments.

Detailed information about CVE-2025-68671: CWE-294: Authentication Bypass by Capture-replay in treeverse lakeFS affecting treeverse lakeFS. Get real-time update

CVE-2025-68671: CWE-294: Authentication Bypass by Capture-replay in treeverse lakeFS - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-68671: CWE-294: Authentication Bypass by Capture-replay in treeverse lakeFS

Detailed information about CVE-2026-1012. Get real-time updates, technical details, and mitigation strategies.

CVE-2026-1012

CVE-2026-1012

Technical Details

Community Reviews

Related Threats

CVE-2026-22863: CWE-325: Missing Cryptographic Step in denoland deno

CVE-2026-22864: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in denoland deno

CVE-2026-1010: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) in Altium Altium 365

CVE-2025-68671: CWE-294: Authentication Bypass by Capture-replay in treeverse lakeFS

CVE-2026-1009: CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) in Altium Altium Forum (Altium 365)

Actions

External Links

Need more coverage?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility