RustSec Advisory

Impact Vulnerability Type: Improper Control of Generation of Code 'Code Injection' CWE-94 / Improper Check for Unusual or Exceptional Conditions CWE-754 / Improper Input Validation CWE-20 / Use of Low-Level Functionality CWE-695 / Improper Privilege Management CWE-269 / External Control of System...

RUSTSEC-2026-0038 RustSec Advisory

Impact Vulnerability Type: Improper Control of Generation of Code 'Code Injection' CWE-94 / Improper Check for Unusual or Exceptional Conditions CWE-754 / Improper Input Validation CWE-20 / Use of Low-Level Functionality CWE-695 / Improper Privilege Management CWE-269 / External Control of System...

PT-2026-24192

Name of the Vulnerable Software and Affected Versions rssn versions prior to 0.2.9 Description The rssn scientific computing library for Rust has an issue in its JIT Just-In-Time compilation engine, which is exposed through the CFFI Foreign Function Interface. Insufficient input validation and...

CVE-2026-29783

The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent e.g., via prompt injection through repository files, MCP server...

CVE-2026-30860

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a remote code execution RCE vulnerability exists in the application's database query functionality. The validation system fails to recursively inspect child nodes within...

CVE-2026-30860 WeKnora: Remote Code Execution via SQL Injection Bypass in AI Database Query Tool

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a remote code execution RCE vulnerability exists in the application's database query functionality. The validation system fails to recursively inspect child nodes within...

CVE-2026-29186

Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the...

CVE-2026-29186 @backstage/plugin-techdocs-node: TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution

Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the...

CVE-2026-29186 @backstage/plugin-techdocs-node: TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution

Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the...

CVE-2026-29186

Backstage is an open framework for building developer portals. Prior to version 1.14.3, this is a configuration bypass vulnerability that enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the...

Black's vulnerable version parsing leads to RCE in GitHub Action

Impact Black provides a GitHub action for formatting code. This action supports an option, usepyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. Th...

Arbitrary Code Injection

Overview @oneuptime/common is a The OneUptime Common UI Library is a collection of shared components, utilities that are used across the OneUptime platform. It is designed to be easy to install and use, and to be extensible. This library is built with React and TypeScript. It includes c Affected...

PT-2026-24654

Name of the Vulnerable Software and Affected Versions Black versions prior to 26.3.0 Description Black is a Python code formatter that provides a GitHub action for code formatting. The action supports an option, use pyproject: true, to read the Black version from the repository's pyproject.toml...

CVE-2026-29089

TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, PostgreSQL uses the searchpath setting to locate unqualified database objects tables, functions, operators. If the searchpath includes user-writable...

CVE-2026-29783

The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent e.g., via prompt injection through repository files, MCP server...

CVE-2026-29089 TimescaleDB uses untrusted search path during extension upgrade

TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, PostgreSQL uses the searchpath setting to locate unqualified database objects tables, functions, operators. If the searchpath includes user-writable...

CVE-2026-29089 TimescaleDB uses untrusted search path during extension upgrade

TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, PostgreSQL uses the searchpath setting to locate unqualified database objects tables, functions, operators. If the searchpath includes user-writable...

EUVD-2026-10049

GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution...

GHSA-G8R9-G2V8-JV6F GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution

Summary A security vulnerability has been identified in GitHub Copilot CLI's shell tool that could allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent e.g., via prompt injection through repository files...

CVE-2026-29783

The CVE concerns GitHub Copilot CLI shell tool pre-0.0.423. Affected: Copilot CLI versions up to and including 0.0.422. Issue: the shell safety assessment misclassifies certain bash parameter expansion patterns as read-only, allowing arbitrary code execution when an attacker can influence the com...