CVE-2026-44972

GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject...

CVE-2026-45036

Tabby formerly Terminus is a highly configurable terminal emulator. Prior to 1.0.233, Tabby before 1.0.233 automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays attacker-controlled content. T...

CVE-2026-45244

Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invo...

SUSE-SU-2026:1941-1 Security update for sed

This update for sed fixes the following issue: - CVE-2026-5958: a TOCTOU race can allow to read attacker-controlled content and write it to an unintended file bsc1262144...

EUVD-2026-30567

Tabby formerly Terminus is a highly configurable terminal emulator. Prior to 1.0.233, Tabby before 1.0.233 automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays attacker-controlled content. T...

CVE-2026-45036

Tabby formerly Terminus is a highly configurable terminal emulator. Prior to 1.0.233, Tabby before 1.0.233 automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays attacker-controlled content. T...

SUSE-SU-2026:1699-1 Security update for sed

This update for sed fixes the following issue: - CVE-2026-5958: a TOCTOU race can allow to read attacker-controlled content and write it to an unintended file bsc1262144...

CVE-2026-22676

Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory. Attackers can modify existing automation content or place...

CVE-2026-27674

An unauthenticated code injection flaw in SAP NetWeaver Application Server Java (Web Dynpro Java) could allow a crafted input to cause the application to reference attacker‑controlled content, leading to execution of client‑side code in the victim’s browser and potential session compromise. Affec...

PT-2026-32554

Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java Web Dynpro Java, an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, th...

CVE-2026-5704

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files...

CVE-2026-2919

CVE-2026-2919 affects Focus for iOS. The issue arises from malicious scripts manipulating navigation and iframe behavior to display attacker-controlled or spoofed content under a trusted domain without user interaction. Impact stated as UI could present a spoofed domain; vulnerability fixed in Fo...

EUVD-2026-0757

Emlog is an open source website building system. In version 2.5.23, article creation functionality is vulnerable to cross-site request forgery CSRF. This can lead to a user being forced to post an article with arbitrary, attacker-controlled content. This, when combined with stored cross-site...

WeKan 安全漏洞

WeKan is a Kanban application from the WeKan open source. A security vulnerability exists in WeKan version 18.15 and earlier, which stems from the fact that uploaded attachments can use an attacker-controlled Content-Type, which could lead to the execution of attacker-supplied HTML or JS...

User Interface (UI) Misrepresentation of Critical Information

Overview drupal/core is an an open source content management platform powering millions of websites and applications. Affected versions of this package are vulnerable to User Interface UI Misrepresentation of Critical Information. An attacker who convinces a user to follow a malicious link can...

CVE-2025-56551

An issue in DirectAdmin v1.680 allows unauthorized attackers to manipulate the page layout and replace the legitimate login interface with arbitrary attacker-controlled content via supplying a crafted GET request...

EUVD-2019-5082

Malware in sbrugna...

EUVD-2023-58900

Malicious code in bioql PyPI...

CVE-2025-56551

An issue in DirectAdmin v1.680 allows unauthorized attackers to manipulate the page layout and replace the legitimate login interface with arbitrary attacker-controlled content via supplying a crafted GET request...

CVE-2025-56551

An issue in DirectAdmin v1.680 allows unauthorized attackers to manipulate the page layout and replace the legitimate login interface with arbitrary attacker-controlled content via supplying a crafted GET request...