CVE-2026-6618

A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parseopenaipluginjsontotoolbundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The...

CVE-2026-44242

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by Locale, baseName where the locale originates from the HTTP Accept-Language header. In applications that explicitly register a...

CVE-2026-46383

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle probe used by apm install on supported Python 3.10 and 3.11 runtimes. When apm install is given a...

CVE-2026-40944

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates e.g., intermediate + root CA, only the first certificate is loaded...

CVE-2026-40162

Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem locatio...

CVE-2026-44470

The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NT...

Security Bulletin: Security Vulnerabilities have been identified in IBM WebSphere Application Server bundled with IBM Financial Transaction Manager for Check Services

Summary IBM WebSphere Application Server is bundled with IBM Financial Transaction Manager v3.0.5.4. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the...

Exploit for Prototype Pollution in Cure53 Dompurify

DOMPurify re-clone bypass. Instead of relying on easily str...

Security update 5.0.8 for Multi-Linux Manager Salt Bundle

This update fixes the following issues: venv-salt-minion: Security issues fixed: CVE-2026-31958: tornado: Fixed parsing large multipart bodies with many parts can cause a denial of service bsc1259554 CVE-2026-27459: pyOpenSSL: Fixed issue with large cookie value that can lead to a buffer overflow...

Security update 5.0.8 for Multi-Linux Manager Salt Bundle

This update fixes the following issues: venv-salt-minion: Security issues fixed: CVE-2026-31958: tornado: Fixed parsing large multipart bodies with many parts can cause a denial of service bsc1259554 CVE-2026-27459: pyOpenSSL: Fixed issue with large cookie value that can lead to a buffer overflow...

SUSE-SU-2026:2242-1 Security update 5.0.8 for Multi-Linux Manager Salt Bundle

This update fixes the following issues: venv-salt-minion: - Security issues fixed: - CVE-2026-31958: tornado: Fixed parsing large multipart bodies with many parts can cause a denial of service bsc1259554 - CVE-2026-27459: pyOpenSSL: Fixed issue with large cookie value that can lead to a buffer...

Cross-site Scripting (XSS)

Overview org.apache.activemq:activemq-all is a package that puts together an ActiveMQ jar bundle. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the MessageServlet component. An attacker can inject arbitrary HTTP response headers by setting malicious JMS message...

Malicious Package

Overview chai-bundle is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...

Malicious code in chai-bundle (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5110f40393583ef41ebcfa3558d782310a40a78227a040480d871c25311b79ec Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-5059 Malicious code in chai-bundle (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 5110f40393583ef41ebcfa3558d782310a40a78227a040480d871c25311b79ec Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Admidio PKCS#12 private key export action lacks CSRF protection

Summary The sensitive mode=export action in modules/sso/keys.php exports a PKCS12 bundle containing the configured private key and certificate, but the CSRF validation line is commented out. A forged cross-site POST from an administrator session can therefore trigger private key export without a...

stunnel bug fix update

An update is available for stunnel. This update affects Rocky Linux 8. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Stunnel is a wrapper for network connections. It can be used to tunnel an...

PT-2026-45042

Summary The sensitive mode=export action in modules/sso/keys.php exports a PKCS12 bundle containing the configured private key and certificate, but the CSRF validation line is commented out. A forged cross-site POST from an administrator session can therefore trigger private key export without a...

GHSA-3234-GXC3-PQ6F Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration

Summary The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reportsconfig permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter certain DDL/DML...

Pimcore Vulnerable to SQL Injection in Custom Reports Column Configuration

Summary The columnConfigAction endpoint in the CustomReportsBundle is vulnerable to SQL injection. An attacker with the reportsconfig permission can supply a malicious SQL configuration that is concatenated into a query and executed. Although the application attempts to filter certain DDL/DML...