PT-2026-33729

A security vulnerability has been detected in TransformerOptimus SuperAGI up to 0.0.14. This affects the function extract with bs4/extract with 3k/extract with lxml of the file superagi/helper/webpage extractor.py of the component WebScraperTool. Such manipulation leads to server-side request...

Directory Traversal

Overview com.github.junrar:junrar is a rar decompression library in plain java. Affected versions of this package are vulnerable to Directory Traversal via the createDirectory and createFile methods in LocalFolderExtractor module. An attacker can write arbitrary files to sibling directories by...

GHSA-HF5P-Q87M-CRJ7 Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix

Summary A path traversal vulnerability in LocalFolderExtractor allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Example Given an extraction directory set to /tmp/extract, a crafted archive with an entry...

Junrar: Path Traversal (Zip-Slip) via Sibling Directory Name Prefix

Summary A path traversal vulnerability in LocalFolderExtractor allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted. Example Given an extraction directory set to /tmp/extract, a crafted archive with an entry...

article-extractor (=0.5.8), nscraper (>=0.1.0 <=0.1.5) potentially affected by unknown CVE via justhtml (>=1.13.0 <=1.14.0)

justhtml PYPI version =1.13.0, =0.1.0, =0.1.5 Source cves: unknown CVE Source advisory: SNYK:PYTHON-JUSTHTML-16083990...

any2htpy (=0.1.4), article-extractor (=0.5.8) +1 more potentially affected by unknown CVE via justhtml (>=0.35.0 <=1.14.0)

justhtml PYPI version =0.35.0, =0.1.0, =0.1.5 Source cves: unknown CVE Source advisory: OSV:GHSA-4P64-V8F5-R2GX...

Amazon Linux 2023 : tracker-miners (ALAS2023-2026-1580)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1580 advisory. A flaw was found in GNOME localsearch MP3 Extractor. When processing specially crafted MP3 files containing ID3v2.4 tags, a missing bounds check in the extractperformerstags function can lead ...

article-extractor (=0.5.8), nscraper (>=0.1.0 <=0.1.5) potentially affected by unknown CVE via justhtml (>=1.13.0 <=1.14.0)

justhtml PYPI version =1.13.0, =0.1.0, =0.1.5 Source cves: unknown CVE Source advisory: SNYK:PYTHON-JUSTHTML-16032358...

any2htpy (=0.1.4), article-extractor (=0.5.8) +1 more potentially affected by unknown CVE via justhtml (>=0.35.0 <=1.14.0)

justhtml PYPI version =0.35.0, =0.1.0, =0.1.5 Source cves: unknown CVE Source advisory: OSV:GHSA-C9VM-HV86-F23R...

auto-wasi (=0.1.0), candid-extractor (>=0.1.0 <=0.1.2) +105 more potentially affected by CVE-2026-35195 via wasmtime (>=0.10.0 <=1.0.2)

wasmtime CARGO version =0.10.0, =0.1.0, =0.1.0, =0.1.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.0.0, =0.5.0, =0.0.1-alpha, =0.40.1, =0.45.0, =0.1.0, =0.3.0 and more Source cves: CVE-2026-35195 Source advisory: OSV:GHSA-394W-HWHG-8VGM...

auto-wasi (=0.1.0), candid-extractor (>=0.1.0 <=0.1.2) +105 more potentially affected by CVE-2026-34944 via wasmtime (>=0.10.0 <=1.0.2)

wasmtime CARGO version =0.10.0, =0.1.0, =0.1.0, =0.1.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.0.0, =0.5.0, =0.0.1-alpha, =0.40.1, =0.45.0, =0.1.0, =0.3.0 and more Source cves: CVE-2026-34944 Source advisory: OSV:GHSA-QQFJ-4VCM-26HV...

auto-wasi (=0.1.0), candid-extractor (>=0.1.0 <=0.1.2) +105 more potentially affected by CVE-2026-34943 via wasmtime (>=0.10.0 <=1.0.2)

wasmtime CARGO version =0.10.0, =0.1.0, =0.1.0, =0.1.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.0.0, =0.5.0, =0.0.1-alpha, =0.40.1, =0.45.0, =0.1.0, =0.3.0 and more Source cves: CVE-2026-34943 Source advisory: OSV:GHSA-M758-WJHJ-P3JQ...

auto-wasi (=0.1.0), candid-extractor (>=0.1.0 <=0.1.2) +105 more potentially affected by CVE-2026-34941 via wasmtime (>=0.10.0 <=1.0.2)

wasmtime CARGO version =0.10.0, =0.1.0, =0.1.0, =0.1.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.0.0, =0.5.0, =0.0.1-alpha, =0.40.1, =0.45.0, =0.1.0, =0.3.0 and more Source cves: CVE-2026-34941 Source advisory: OSV:RUSTSEC-2026-0093...

accessiqlue (=2025.12.21154255), agent-builder (>=0.0.2 <=0.1.7) +320 more potentially affected by CVE-2026-40087 via langchain-core (>=1.0.0a8 <=1.2.24)

langchain-core PYPI version =1.0.0a8, =0.0.2, =0.1.0, =0.1.0, =0.1.1 - ai-benchmark-analyzer =2025.12.21193050 - ai-claim-essence =2025.12.20202921 - ai-design-insights =2025.12.21145447 - ai-mysql-translator =2025.12.21101721 - ai-reliability-analyzer =2025.12.21171415 - ai-risk-extractor...

article-extractor (=0.5.8) potentially affected by unknown CVE via justhtml (=1.13.0)

justhtml PYPI version =1.13.0 is affected by a known vulnerability. The following packages have a transitive dependency on justhtml and may be impacted: - article-extractor =0.5.8 Source cves: unknown CVE Source advisory: SNYK:PYTHON-JUSTHTML-15928878...

article-extractor (=0.5.8) potentially affected by unknown CVE via justhtml (=1.13.0)

justhtml PYPI version =1.13.0 is affected by a known vulnerability. The following packages have a transitive dependency on justhtml and may be impacted: - article-extractor =0.5.8 Source cves: unknown CVE Source advisory: OSV:GHSA-R758-8HXW-4845...

CVE-2026-5470

A security vulnerability has been detected in mixelpixx Google-Research-MCP 1e062d7bd887bfe5f6e582b6cc288bb897b35cf2/ca613b736ab787bc926932f59cddc69457185a83. This issue affects the function extractContent of the file src/services/content-extractor.service.ts of the component Model Context Protoc...

ShieldNet: Network-Level Guardrails against Emerging Supply-Chain Injections in Agentic Systems

Existing research on LLM agent security mainly focuses on prompt injection and unsafe input/output behaviors. However, as agents increasingly rely on third-party tools and MCP servers, a new class of supply-chain threats has emerged, where malicious behaviors are embedded in seemingly benign tool...

Malicious code in photo-extractor (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 67f3f604528f125e85fb7be00bb17d7cf2abc5cdb20a12cbcbb38633f5877f14 Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files...

EUVD-2026-18798

A security vulnerability has been detected in mixelpixx Google-Research-MCP 1e062d7bd887bfe5f6e582b6cc288bb897b35cf2/ca613b736ab787bc926932f59cddc69457185a83. This issue affects the function extractContent of the file src/services/content-extractor.service.ts of the component Model Context Protoc...