CVE-2026-37630

The connected sources confirm a vulnerability in QuickJS-NG v0.12.1 that allows an attacker to execute arbitrary code via the js_mapped_arguments_mark function. Impact per metrics is CVSS v3.1 base score 7.3 (HIGH), with network attack vector, low complexity, no privileges required, and no user i...

Unity Linux 20.1060e / 20.1070e Security Update: ruby (UTSA-2026-017539)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017539 advisory. In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. Tenable has...

CVE-2026-31253

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains an insecure deserialization vulnerability CWE-502 in its checkpoint loading mechanism. The loadcheckpoint function in checkpoint.py and the checkpoint loading code in eval.py use...

ALSA-2026:15888 Important: openexr security update

OpenEXR is an open-source high-dynamic-range floating-point image file format for high-quality image processing and storage. This document presents a brief overview of OpenEXR and explains concepts that are specific to this format. This package containes the binaries for OpenEXR. Security Fixes:...

WordPress plugin Custom css-js-php 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There ar...

CosyVoice 安全漏洞

CosyVoice is an open-source voice generation and AI voice cloning platform developed by FunAudioLLM. There was a security vulnerability in the previous version of CosyVoice. This vulnerability stemmed from the model loading component using torch.load to load model weight files without enabling th...

FlashAttention 安全漏洞

FlashAttention is an efficient and memory-efficient attention mechanism implementation tool open-sourced by Dao AI Lab. There is a security vulnerability in FlashAttention, which stems from the checkpoint loading mechanism using torch.load to load checkpoint files without enabling the...

QuickJS 安全漏洞

QuickJS is a small and embeddable JavaScript engine developed by the QuickJS open-source project. Version 0.12.1 of QuickJS contains a security vulnerability, which stems from a problem with the jsmappedargumentsmark function. This vulnerability could allow attackers to execute arbitrary code...

CVE-2026-37630

An issue in QuickJS-NG v.0.12.1 allows an attacker to execute arbitrary code via the jsmappedargumentsmark function...

CVE-2026-31250

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its averagemodel.py model averaging tool. The script loads PyTorch checkpoint files epoch.pt for model averaging using torch.load without enabling the...

CVE-2026-31252

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its model loading component. The framework uses torch.load to load model weight files e.g., llm.pt, flow.pt, hift.pt without enabling the security-restrictive...

CVE-2026-31253

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains an insecure deserialization vulnerability CWE-502 in its checkpoint loading mechanism. The loadcheckpoint function in checkpoint.py and the checkpoint loading code in eval.py use...

PT-2026-39637

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its model loading component. The framework uses torch.load to load model weight files e.g., llm.pt, flow.pt, hift.pt without enabling the security-restrictive...

CVE-2026-37630

An issue in QuickJS-NG v.0.12.1 allows an attacker to execute arbitrary code via the jsmappedargumentsmark function...

PT-2026-39634

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its make parquet list.py data processing tool. The script loads PyTorch .pt files utterance embeddings, speaker embeddings, speech tokens using torch.load withou...

PT-2026-39832

An issue in QuickJS-NG v.0.12.1 allows an attacker to execute arbitrary code via the js mapped arguments mark function...

PT-2026-39693

OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious...

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : OpenJPEG vulnerability (USN-8252-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8252-1 advisory. It was discovered that OpenJPEG did not properly handle memory when encoding image files. An attacker could use this issue to caus...

ALSA-2026:15887 Important: openexr security update

OpenEXR is an open-source high-dynamic-range floating-point image file format for high-quality image processing and storage. This document presents a brief overview of OpenEXR and explains concepts that are specific to this format. This package containes the binaries for OpenEXR. Security Fixes:...

Important: openexr security update

OpenEXR is an open-source high-dynamic-range floating-point image file format for high-quality image processing and storage. This document presents a brief overview of OpenEXR and explains concepts that are specific to this format. This package containes the binaries for OpenEXR. Security Fixes:...