Lucene search
K

941 matches found

OSV
OSV
added 2026/05/03 9:58 a.m.8 views

OESA-2026-2195 python-nbconvert security update

The nbconvert tool, jupyter nbconvert, converts notebooks to various other formats via Jinja templates. The nbconvert tool allows you to convert an .ipynb notebook file into various static formats including HTML, LaTeX, PDF, Reveal JS, Markdown md, ReStructured Text rst and executable script...

6.5CVSS5.9AI score0.00306EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/01 12:0 a.m.9 views

Bitwarden CLI 操作系统命令注入漏洞

Bitwarden CLI is a command-line password management tool provided by Bitwarden Corporation. Version 2026.4.0 of Bitwarden CLI contains a vulnerability related to operating system command injection, which stems from the embedding of malicious code when retrieving it via npm...

9.8CVSS5.9AI score0.00306EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/04/25 11:39 a.m.6 views

CVE-2026-41305

A flaw was found in PostCSS. This vulnerability allows a remote attacker to perform Cross-Site Scripting XSS by submitting specially crafted CSS. When PostCSS processes and re-stringifies this CSS for embedding within HTML sequences. This oversight enables the injected...

6.1CVSS5.3AI score0.00205EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/04/24 2:27 a.m.5 views

CVE-2026-41305 PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML tags, in CSS...

6.1CVSS5.2AI score0.00205EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/24 2:27 a.m.15 views

EUVD-2026-25383

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML tags, in CSS...

6.1CVSS5.2AI score0.00205EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/24 2:27 a.m.36 views

CVE-2026-41305 PostCSS has XSS via Unescaped </style> in its CSS Stringify Output

PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML tags, in CSS...

6.1CVSS0.00205EPSS
Exploits0References2
CVE
CVE
added 2026/04/24 2:27 a.m.112 views

CVE-2026-41305

PostCSS (driver: CSS AST stringify) has an XSS risk in versions prior to 8.5.10 due to unescaped sequences when embedding user CSS into HTML tags. The issue arises when CSS is parsed into an AST and then re-stringified for embedding. Version 8.5.10 fixes the problem. Affected products: PostCSS;...

6.1CVSS5.7AI score0.00205EPSS
Exploits0References2
Packet Storm News
Packet Storm News
added 2026/04/22 12:0 a.m.12 views

Text Steganography with Dynamic Codebook and Multimodal Large Language Model

With the popularity of the large language models LLMs, text steganography has achieved remarkable performance. However, existing methods still have some issues: 1 For the white-box paradigm, this steganography behavior is prone to exposure due to sharing the off-the-shelf language model between...

5.8AI score
Exploits0
Packet Storm News
Packet Storm News
added 2026/04/22 12:0 a.m.9 views

Adaptive Instruction Composition for Automated LLM Red-Teaming

Many approaches to LLM red-teaming leverage an attacker LLM to discover jailbreaks against a target. Several of them task the attacker with identifying effective strategies through trial and error, resulting in a semantically limited range of successes. Another approach discovers diverse attacks ...

5.4AI score
Exploits0
Vulnrichment
Vulnrichment
added 2026/04/21 7:58 p.m.4 views

CVE-2026-40925 WWBN AVideo has CSRF in configurationUpdate.json.php Enables Full Site Configuration Takeover Including Encoder URL and SMTP Credentials

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/configurationUpdate.json.php also routed via /updateConfig persists dozens of global site settings from $POST but protects the endpoint only with User::isAdmin. It does not call forbidIfIsUntrustedRequest, does not...

8.3CVSS5.8AI score0.00173EPSS
Exploits1References2
EUVD
EUVD
added 2026/04/21 5:18 p.m.7 views

EUVD-2026-24025

nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding...

6.5CVSS5.7AI score0.00306EPSS
Exploits0References3
OSV
OSV
added 2026/04/21 5:18 p.m.2 views

GHSA-7JQV-FW35-GMX9 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding

Summary When HTMLExporter.embedimages=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. Patches Upgrade to...

6.5CVSS5.9AI score0.00306EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/21 12:17 a.m.15 views

CVE-2026-39378 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when HTMLExporter.embedimages=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook...

6.5CVSS5.9AI score0.00306EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/21 12:17 a.m.28 views

CVE-2026-39378 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when HTMLExporter.embedimages=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook...

6.5CVSS0.00306EPSS
Exploits0References2
Debian CVE
Debian CVE
added 2026/04/21 12:17 a.m.4 views

CVE-2026-39378

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when HTMLExporter.embedimages=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook...

6.5CVSS5.5AI score0.00306EPSS
Exploits0
Tenable Nessus
Tenable Nessus
added 2026/04/21 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2026-39378

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when...

6.5CVSS6AI score0.00306EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/17 10:33 p.m.6 views

External Control of File Name or Path

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to External Control of File Name or Path via improper validation of file paths in the media embedding. An attacker can access arbitrary files on the host system or trigger network credential...

7.1CVSS5.9AI score0.00264EPSS
Exploits0References3
Snyk
Snyk
added 2026/04/17 12:17 a.m.3 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS through incomplete sanitization of the README rendering process in the marketplace UI. An attacker can execute arbitrary scripts in the Electron context with full application privileges by embedding an iframe ta...

6.4CVSS5.5AI score0.00261EPSS
Exploits1References2
Packet Storm News
Packet Storm News
added 2026/04/16 12:0 a.m.4 views

Half-Moon Cookie: Private, Similarity-Based Blocklisting with TOCTOU-Attack Resilience

Blocklisting is a common technique for preventing the use of known malicious content. However, conventional blocklisting infrastructures require either the blocklist to be public or clients to reveal their queries to the blocklist server. In this work, we introduce a private blocklisting framewor...

5.8AI score
Exploits0
Packet Storm News
Packet Storm News
added 2026/04/15 12:0 a.m.5 views

VeriCWEty: Embedding Enabled Line-Level CWE Detection in Verilog

Large Language Models LLMs have shown significant improvement in RTL code generation. Despite the advances, the generated code is often riddled with common vulnerabilities and weaknesses CWEs that can slip by untrained eyes. Attackers can often exploit these weaknesses to fulfill their nefarious...

5.8AI score
Exploits0
Rows per page
Query Builder