Linux Distros Unpatched Vulnerability : CVE-2026-35379
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the :graph: and :print: character classes. The implementation...
PT-2026-34515
A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the :graph: and :print: character classes. The implementation mistakenly includes the ASCII space character 0x20 in the :graph: class and excludes it from the :print: class, effectively reversing the...
Synthesizing Multi-Agent Harnesses for Vulnerability Discovery
LLM agents have begun to find real security vulnerabilities that human auditors and automated fuzzers missed for decades, in source-available targets where the analyst can build and instrument the code. In practice the work is split among several agents, wired together by a harness: the program...
Unity Linux 20.1070a Security Update: kernel (UTSA-2026-013514)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013514 advisory. In the Linux kernel, the following vulnerability has been resolved: coresight: Fix memory leak in acpi_buffer->pointer There are memory leaks reported by kmemleak:...
Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013822)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013822 advisory. In the Linux kernel, the following vulnerability has been resolved: ASoC: audio-graph-card: fix refcount leak of cpu_ep in graph_for_each_link The of_get_next_child returns...
EUVD-2026-24569
Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create...
CVE-2026-40520 FreePBX api module Command Injection via GraphQL
FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess function where GraphQL mutation input fields are passed directly to shell_exec without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL...
CVE-2026-40520
CVE-2026-40520 concerns the FreePBX API module (version 17.0.8 and earlier). The root cause is that the function initiateGqlAPIProcess() forwards GraphQL mutation input fields directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can issue a Gr...
Mapping Your API Ecosystem: Wiz Expands API Discovery with Apigee
See your full Apigee architecture on the Wiz Security Graph, from API gateways and environments to every endpoint and its authorization scheme...
WordPress WPGraphQL plugin < 2.11.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin WPGraphQL versions 2.11.1...
FreePBX api OS Command Injection Vulnerability
FreePBX API is an open-source plugin developed by FreePBX. Versions of the FreePBX API module prior to 17.0.8 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the GraphQL mutation input fields in the initiateGqlAPIProcess function being pass...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-011180)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-011180 advisory. In the Linux kernel, the following vulnerability has been resolved: ASoC: audio-graph-card: fix refcount leak of cpu_ep in graph_for_each_link The of_get_next_child returns...
API Security Based on Automatic OpenAPI Mapping
This paper presents Map Reduce Graph (MRG), a novel unsupervised method for modeling and securing HTTP REST APIs. MRG learns API structure from real-world traffic without prior knowledge or labels, automatically generating OpenAPI-compliant documentation by reconstructing routes, methods, and...
CVE-2026-32311 Command Injection and Docker container escape allows root on host machine
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and...
API Security Testing and Vulnerability Assessment
APIs now carry more sensitive data than traditional web interfaces. Payment details, health records, authentication tokens, and customer databases all flow through API endpoints that attackers can probe without ever touching a browser. A single misconfigured endpoint can expose millions of record...
Wiz and Databricks: Adding Databricks to the Wiz Security Graph
Extending Wiz Visibility with the Databricks Data & AI Platform...
PT-2026-33831
Name of the Vulnerable Software and Affected Versions: Flowsint (affected versions not specified). Description: Flowsint is an open-source OSINT graph exploration tool used for cybersecurity investigation, transparency, and verification. A remote attacker can create a sketch and trigger the org to asn...
CVE-2026-40476
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU...
CVE-2026-40476 graphql-php: Denial of Service via quadratic complexity in OverlappingFieldsCanBeMerged validation
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response name. An attacker can send a query with thousands of repeated identical fields, causing excessive CPU...