EUVD-2026-33364

MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resourcetoken cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protection...

CVE-2026-9809

A stored Cross-Site Scripting XSS vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views such as campaigns, emails, or forms, user-supplied project names are rendered without proper sanitization. An authenticated user...

CVE-2026-40818 Unauthenticated SQLi in _mb24confi_getDevice function function

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24configetDevice function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

MAL-2026-4656 Malicious code in raise-common-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7401fb7c3259e43181ef51ca47b984450f7a849fed5a9598e6131b4c0ed5d2bb The package's rich-text editor module hardcodes an Azure OpenAI endpoint https://aidevused.openai.azure.com/ and an api-key in...

CVE-2026-39964 TypeBot: Stored XSS via javascript: URI in text bubble links — bot author executes JS on visitors' browsers

TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer packages/embeds/js renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor's browser...

Exploit for Code Injection in Anthropic Claude_Code

CVE-2025-59536 PoC Remote Code Execution via Claude Code Pr...

CVE-2026-2393

A Server-Side Request Forgery SSRF vulnerability exists in MLflow versions prior to 3.9.0. The createwebhook function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the sendwebhookrequest function in mlflow/webhooks/delivery.py sends HTTP POST request...

CVE-2026-28201

Open Notebook v1.8.1 is affected by CVE-2026-28201 due to improper input validation and a permissive default CORS policy. A remote attacker can trick a legitimate user into altering or deleting arbitrary database entries via a specially crafted URL, with data exfiltration possible depending on de...

CVE-2025-31978

HCL BigFix Service Management SM does not adequately sanitize or safely render spreadsheet files CSV, XLS, XLSX before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when...

CVE-2025-31978

CVE-2025-31978 : HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. The underlying issue may allow an attacker to craft data fields that, when saved to a CSV, could trigger information exfiltr...

PYSEC-2026-77

LangChain is a framework for building agents and LLM-powered applications. Prior to langchain-text-splitters 1.1.2, HTMLHeaderTextSplitter.splittextfromurl validated the initial URL using validatesafeurl but then performed the fetch with requests.get with redirects enabled the default. Because...

Vertex AI Vulnerability Exposes Google Cloud Data and Private Artifacts

Cybersecurity researchers have disclosed a security "blind spot" in Google Cloud's Vertex AI platform that could allow artificial intelligence AI agents to be weaponized by an attacker to gain unauthorized access to sensitive data and compromise an organization's cloud environment. According to...

CVE-2026-33723

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the Subscribe::save method in objects/subscribe.php concatenates the $this-usersid property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from...

Quill vulnerable to SSRF via unvalidated URL from Apple notarization log retrieval

Impact Quill before version v0.7.1 contains a Server-Side Request Forgery SSRF vulnerability when attempting to fetch the Apple notarization submission logs. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not possible under standard network...

CVE-2026-30951 Sequelize v6 Vulnerable to SQL Injection via JSON Column Cast Type

Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The traverseJSON function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST... AS SQL. An attacker who controls JSON object...

CVE-2026-1567 IBM InfoSphere Information Server is affected by an XML external entity injection (XXE) vulnerability

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 An XML External Entity XXE vulnerability in IBM InfoSphere Information Server could allow attackers to retrieve sensitive information from the server...

MAL-2026-1019 Malicious code in spark-audit-notify (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1c527925d1e7cb4055b6c154326cd54a713ad543349c2b3b6f8ab8f0d75e8cbe During installation, host identification details including AD domain are exfiltrated through a series of functions obfuscating this behavior. --- Category:...

CVE-2026-24052

Summary: CVE-2026-24052 affects Claude Code prior to 1.0.111, where URL validation in the trusted-domain check for WebFetch used a startsWith() approach, allowing crafted domains (e.g., modelcontextprotocol.io.example.com) to bypass validation and potentially cause automatic requests to attacker‑...

CVE-2025-13744

An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component search across GitHub that could be used to exfiltrate sensitive information. An attacker would requi...

CVE-2025-13744 Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed rendering of malicious HTML

An Improper Neutralization of Input During Web Page Generation vulnerability was identified in GitHub Enterprise Server that allowed attacker controlled HTML to be rendered by the Filter component search across GitHub that could be used to exfiltrate sensitive information. An attacker would requi...