PYSEC-2026-85

LlamaIndex run-llama/llamaindex versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.loadfromdisk in llamaindex/indices/managed/bgem3/base.py. The function uses pickle.load to deserialize multiembedstore.pkl from a user-supplied persistdir without...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the searchsend parameter, which is dynamically invoked using the send method. An attacker can execute arbitrary commands on the server by supplying crafted input to this parameter. Remediation Upgrade spree ...

CVE-2025-66939

Cross Site Scripting vulnerability in 66biolinks by AltumCode v.61.0.1 allows an attacker to execute arbitrary code via a crafted favicon file...

(0Day) npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The...

CVE-2026-0821

A flaw was found in quickjs-ng. A remote attacker can exploit a heap-based buffer overflow vulnerability in the jstypedarrayconstructor function of the quickjs.c file by executing a specially crafted manipulation. This vulnerability may lead to information disclosure, denial of service, or...

UTT 520W 安全漏洞

The UTT 520W is a wireless router from China Aitai UTT. A security vulnerability exists in the UTT 520W version 1.7.7-180627, which originates from a buffer overflow in the operation of the function strcpy on the parameter timestart in the file /goform/formConfigNoticeConfig, which could lead to...

UTT 520W 安全漏洞

The UTT 520W is a wireless router from China Aitai UTT. A security vulnerability exists in the UTT 520W version 1.7.7-180627, which originates from a buffer overflow in the operation of the function strcpy on the parameter wepkey1 in the file /goform/APSecurity, which could lead to the execution ...

UTT 520W 安全漏洞

UTT 520W is a wireless router from China Aitai UTT. A security vulnerability exists in the UTT 520W version 1.7.7-180627, which originates from a buffer overflow in the operation of the function strcpy on the parameter GroupName in the file /goform/formFireWall, which could lead to the execution ...

CVE-2025-66715

A DLL hijacking vulnerability in Axtion ODISSAAS ODIS v1.8.4 allows attackers to execute arbitrary code via a crafted DLL file...

[SECURITY] [DSA 6097-1] chromium security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6097-1 [email protected] https://www.debian.org/security/ Andres Salomon January 09, 2026 https://www.debian.org/security/faq -...

CVE-2026-22609

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafeimports method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected...

QuickJS 安全漏洞

QuickJS is QuickJS open source a small and embeddable Javascript engine . A security vulnerability exists in QuickJS 0.11.0 and earlier versions, which is caused by a heap buffer overflow in the function jstypedarrayconstructor in the file quickjs.c, which could lead to the execution of arbitrary...

Arbitrary Code Injection

Overview uni2ts is an Unified Training of Universal Time Series Forecasting Transformers Affected versions of this package are vulnerable to Arbitrary Code Injection via the decodedistroutput function. An attacker can execute arbitrary code by supplying crafted input that is improperly handled...

Deserialization of Untrusted Data

Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the analysis of pickle files, where import nodes for certain modules such as builtins are not emitted in the abstract syntax...

CVE-2025-66715

A DLL hijacking vulnerability in Axtion ODISSAAS ODIS v1.8.4 allows attackers to execute arbitrary code via a crafted DLL file...

CVE-2025-70161

EDIMAX BR-6208AC V21.02 is vulnerable to Command Injection. This arises because the pppUserName field is directly passed to a shell command via the system function without proper sanitization. An attacker can exploit this by injecting malicious commands into the pppUserName field, allowing...

CVE-2005-1434

Multiple unknown vulnerabilities in OpenView Network Node Manager OV NNM 6.2, 6.4, 7.01, and 7.50 allow attackers to cause a denial of service or execute arbitrary code...

CVE-2005-1580

users.ini.php in BoastMachine 3.0 does not properly restrict the types of files that can be uploaded, which allows remote attackers to execute arbitrary code...

CVE-2005-1881

upload.php in YaPiG 0.92b, 0.93u and 0.94u does not properly restrict the file extension for uploaded image files, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code...

CVE-2005-1976

Novell NetMail 3.5.2a, 3.5.2b, and 3.5.2c, when running on Linux, sets the owner and group ID to 500 for certain files, which could allow users or groups with that ID to execute arbitrary code or cause a denial of service by modifying those files...