CVE-2026-3676

IBM Cloud APM, Base Private 8.1.4 and IBM Cloud APM, Advanced Private 8.1.4 IBM Db2 for Linux, UNIX and Windows includes DB2 Connect Server could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in the data query logic of the Fenced...

CVE-2026-44641

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but...

CVE-2026-3676

CVE-2026-3676 : IBM Db2 components bundled with IBM Cloud APM (Base Private 8.1.4/Advanced Private 8.1.4) are vulnerable when used with Linux/UNIX/Windows DB2 builds (including DB2 Connect Server). The issue arises from improper neutralization of special elements in the data query logic within th...

IBM Cloud APM 安全漏洞

IBM Cloud APM is an application performance monitoring and operations analysis platform provided by the American multinational company IBM. There are security vulnerabilities in the IBM Cloud APM Base Private 8.1.4 version and the IBM Cloud APM Advanced Private 8.1.4 version. These vulnerabilitie...

GHSA-MQ5J-PW29-JCV3 Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`

Summary Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a local .tar.gz that is not recognized as a plugin-format bundle, APM probes whether it is a...

CVE-2026-44641

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but...

CVE-2026-46383

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a...

CVE-2026-46383

Summary: CVE-2026-46383 affects Microsoft APM prior to 0.13.0, where the legacy-bundle probing during apm install on Windows can mishandle local .tar.gz archives. On Python 3.10/3.11, the probe may extract untrusted tar members with tar.extractall() without rejecting Windows absolute member name...

CVE-2026-46383 Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a...

CVE-2026-46383 Microsoft APM: Windows absolute-path tar member overwrite during legacy-bundle probing in `apm install`

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a...

CVE-2026-45539 Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree

Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob / Path.rglob calls and read each match with Path.readtext, transparently following symbolic links. A symlink...

CVE-2026-45539

Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob / Path.rglob calls and read each match with Path.readtext, transparently following symbolic links. A symlink...

CVE-2026-45539

Microsoft APM (APM CLI) vulnerability affects versions 0.5.4–0.12.4 where two primitive integrators enumerate package files via Path.glob/Path.rglob and read matches with Path.read_text(), following symbolic links. A symlink inside a remote APM dependency under .apm/prompts/ or .apm/agents/ is pr...

CVE-2026-45539 Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree

Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob / Path.rglob calls and read each match with Path.readtext, transparently following symbolic links. A symlink...

EUVD-2026-30562

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but...

CVE-2026-44641

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but...

CVE-2026-44641

CVE-2026-44641 affects Microsoft APM. Before version 0.8.12, the plugin-loading flow copies components listed in plugin.json into the .apm/ directory and does not validate that manifest paths (agents, skills, commands, hooks) stay inside the plugin root. An attacker can supply absolute or ../ tra...

CVE-2026-40067 BIG-IP APM Vulnerability

When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the apmd process to terminate. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

K000161056: BIG-IP APM vulnerability CVE-2026-40067

Security Advisory Description When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the apmd process to terminate. CVE-2026-40067 Impact Traffic is disrupted while the apmd process restarts. This vulnerability allows an unauthenticated attacker to cause ...

Microsoft APM CLI's plugin.json component paths escape plugin root and copy arbitrary host files during install

Summary Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but the implementation does not enforce that those paths remain inside the plugin directory. A...