Lucene search

447 matches found

CNNVD
added 2026/05/17 12:0 a.m., 3 views

Bert-VITS2 path traversal vulnerability

Bert-VITS2 is a core text-to-speech model developed by Fish Audio. Bert-VITS2 has a path traversal vulnerability, which stems from the getallmodels function in the hiyoriUI.py file within the Model Handler component. Attackers could potentially exploit this vulnerability remotely...

CVSS 7.5, AI score 7.1, EPSS 0.00029
Exploits: 0, References: 2
Vulnrichment
added 2026/05/15 4:47 p.m., 7 views

CVE-2026-45036 Tabby auto-confirms ZMODEM detection on terminal output, leading to shell command execution from displayed file content under fish, bash, and zsh

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays attacker-controlled content. T...

CVSS 7, AI score 6.2, EPSS 0.00016
Exploits: 0, References: 1
Cvelist
added 2026/05/15 4:47 p.m., 35 views

CVE-2026-45036 Tabby auto-confirms ZMODEM detection on terminal output, leading to shell command execution from displayed file content under fish, bash, and zsh

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays attacker-controlled content. T...

CVSS 7, EPSS 0.00016
Exploits: 0, References: 1
Positive Technologies
added 2026/05/15 12:0 a.m., 6 views

PT-2026-41321

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command execution when a user displays attacker-controlled content. T...

CVSS 7, AI score 6.2, EPSS 0.00016
Exploits: 0, References: 2
RedhatCVE
added 2026/04/27 7:23 p.m., 3 views

CVE-2026-7042

A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function createapp of the file backend/app/init.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published a...

CVSS 7.5, AI score 7, EPSS 0.00113
Exploits: 0, References: 1
Wolfi
added 2026/04/17 1:48 a.m., 5 views

GHSA-CQ8V-F236-94QC vulnerabilities

Vulnerabilities for packages: xh, fish, samply, uv, buck2, linkerd2-proxy, zellij, rav1e, uutils, kdash, lychee, shadowsocks-rust, wasmtime, zola, yara-x, atuin, zed, yazi, linkerd-network-validator, berg, efs-utils, pgcat, mountpoint-s3, just, wasmcloud, cargo-c, starship, hurl, ntpd-rs, pixi,...

AI score 5.8
Exploits: 0
Chainguard
added 2026/04/17 1:17 a.m., 3 views

GHSA-CQ8V-F236-94QC vulnerabilities

Vulnerabilities for packages: sccache, zellij, samply, uv, rye, berg, ruff, sqlx, linkerd2, rav1e, cargo-c, efs-utils, linkerd2-proxy, guestproxyagent, asciinema, linkerd-network-validator, lychee, shadowsocks-rust, wasmtime, ntpd-rs, xh, komodo, yazi, rustup, chaos-tproxy, wasmcloud, fnm, zola,...

AI score 5.8
Exploits: 0
Schneier on Security
added 2026/04/03 9:7 p.m., 3 views

Friday Squid Blogging: Jurassic Fish Chokes on Squid

Here's a fossil of a 150-million-year-old fish that choked to death on a belemnite rostrum: the hard, internal shell of an extinct, squid-like animal. Original paper. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Blog moderation...

AI score 5.9
Exploits: 0
OSV
added 2026/03/29 6:47 p.m., 0 views

ROOT-OS-ALPINE-318-CVE-2023-49284 CVE-2023-49284 in rootio-fish - Patched by Root

Root has patched CVE-2023-49284 in the rootio-fish package for Root:Alpine:3.18. Multiple fixed versions available...

CVSS 6.6, AI score 5.4, EPSS 0.00088
Exploits: 1
OSV
added 2026/03/29 6:42 p.m., 0 views

ROOT-OS-ALPINE-317-CVE-2023-49284 CVE-2023-49284 in rootio-fish - Patched by Root

Root has patched CVE-2023-49284 in the rootio-fish package for Root:Alpine:3.17. Multiple fixed versions available...

CVSS 6.6, AI score 5.4, EPSS 0.00088
Exploits: 1
RedhatCVE
added 2025/12/13 5:45 a.m., 1 view

CVE-2025-67508

gardenctl is a command-line client for the Gardener which configures access to clusters and cloud provider CLI tools. When using non‑POSIX shells such as Fish and PowerShell, versions 2.11.0 and below of gardenctl allow an attacker with administrative privileges for a Gardener project to craft...

CVSS 8, AI score 6.7, EPSS 0.0003
Exploits: 0, References: 1
CVE
added 2025/12/12 5:20 a.m., 11 views

CVE-2025-67508

CVE-2025-67508 affects gardenctl-v2 (gardenctl) ≤ 2.11.0. When used with non-POSIX shells (e.g., Fish, PowerShell), an attacker with administrative Gardener project privileges can craft malicious credential values that cause infrastructure Secret objects to break out of string context, enabling c...

CVSS 8.4, AI score 6.3, EPSS 0.0003
Exploits: 0, References: 1, Affected Software: 1
Positive Technologies
added 2025/12/12 12:0 a.m., 2 views

PT-2025-50882

gardenctl is a command-line client for the Gardener which configures access to clusters and cloud provider CLI tools. When using non‑POSIX shells such as Fish and PowerShell, versions 2.11.0 and below of gardenctl allow an attacker with administrative privileges for a Gardener project to craft...

CVSS 8, AI score 7.8, EPSS 0.0003
Exploits: 0, References: 2
Snyk
added 2025/12/11 4:48 p.m., 2 views

Arbitrary Command Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Command Injection via the evaluation of credential values in non-POSIX shell environments. An attacker can execute arbitrary commands on the operator's device by crafting malicious credential values in infrastructure Secret...

CVSS 8, AI score 7.9, EPSS 0.0003
Exploits: 0, References: 2
Snyk
added 2025/12/11 4:48 p.m., 1 view

Arbitrary Command Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Command Injection via the evaluation of credential values in non-POSIX shell environments. An attacker can execute arbitrary commands on the operator's device by crafting malicious credential values in infrastructure Secret...

CVSS 8, AI score 7.9, EPSS 0.0003
Exploits: 0, References: 2
Github Security Blog
added 2025/12/11 4:48 p.m., 9 views

gardenctl is vulnerable to Command Injection when used with non‑POSIX shells

A security vulnerability was discovered in gardenctl when it is used with non‑POSIX shells such as Fish and PowerShell. Such a setup could allow an attacker with administrative privileges for a Gardener project to craft malicious credential values in infrastructure Secret objects that break out of...

CVSS 8.4, AI score 7.9, EPSS 0.0003
Exploits: 0, References: 4, Affected Software: 1
EUVD
added 2025/11/12 3:4 a.m., 1 view

EUVD-2025-117416

Malicious code in electronic-indigo-fish npm...

AI score 6.6
Exploits: 0
EUVD
added 2025/11/12 3:4 a.m., 2 views

EUVD-2025-117478

Malicious code in communist-purple-fish npm...

AI score 6.6
Exploits: 0
EUVD
added 2025/11/12 3:4 a.m., 2 views

EUVD-2025-117168

Malicious code in planned-turquoise-fish npm...

AI score 6.6
Exploits: 0
EUVD
added 2025/11/11 8:11 p.m., 2 views

EUVD-2025-94307

Malicious code in viciousfishz3n npm...

AI score 6.6
Exploits: 0