
6484 matches found

CVE
added 2026/05/08 7:15 a.m., 14 views

CVE-2026-44928

CVE-2026-44928 affects uriparser prior to 1.0.2. The EqualsUri function can misclassify two unequal URIs as equal, per EUVD-2026-28537 and PT-2026-38682. A remediation is to update to version 1.0.2 or later; PT-2026-38682 also recommends restricting EqualsUri usage as a temporary workaround. No e...

CVSS 5.3 | AI score 5.8 | EPSS 0.00011
Exploits: 0 | References: 1 | Affected Software: 1

ATTACKERKB
added 2026/05/08 2:58 a.m., 4 views

CVE-2026-43940

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget...

CVSS 8.4 | AI score 6.3 | EPSS 0.00048
Exploits: 0 | References: 3 | Affected Software: 1

Snyk
added 2026/05/08 12:0 a.m., 6 views

Improper Neutralization of Special Elements in Data Query Logic

Overview: Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the MilvusVectorStoredoDeleteList implementation. An attacker can inject filter expressions by supplying crafted document IDs that are not properly sanitized before bei...

CVSS 8.8 | AI score 5.7 | EPSS 0.00031
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/08 12:0 a.m., 6 views

PT-2026-38646

Name of the Vulnerable Software and Affected Versions: electerm versions prior to 3.7.16. Description: The runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user-supplied widget identifiers without sanitization. Since runWidget is exposed to the...

CVSS 9.8 | AI score 6.3 | EPSS 0.00048
Exploits: 0 | References: 9

GithubExploit
added 2026/05/07 3:36 p.m., 66 views

Ntemplatesbyxit

CVE Nuclei Templates Collection Author: Xit Exploiter --...

CVSS 10 | AI score 5.8 | EPSS 0.9367
Exploits: 438

Microsoft CVE
added 2026/05/07 8:9 a.m., 7 views

hfs: Replace BUG_ON with error handling for CNID count checks

...

CVSS 7.1 | AI score 5.8 | EPSS 0.00017
Exploits: 0

EUVD
added 2026/05/07 4:9 a.m., 7 views

EUVD-2026-28261

NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.39, the queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using...

CVSS 7.5 | AI score 6 | EPSS 0.05498
Exploits: 1 | References: 4

SUSE CVE
added 2026/05/07 2:18 a.m., 8 views

SUSE CVE-2026-43113

In the Linux kernel, the following vulnerability has been resolved: wifi: wl1251: validate packet IDs before indexing tx_frames. wl1251_tx_packet_cb() uses the firmware completion ID directly to index the fixed 16-entry wl->tx_frames array. The ID is a raw u8 from the completion block, and the callback do...

CVSS 8.8 | AI score 5.8 | EPSS 0.00047
Exploits: 0 | References: 3

Tenable Nessus
added 2026/05/07 12:0 a.m., 6 views

Debian dsa-6249 : libwireshark-data - security update

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6249 advisory. Debian Security Advisory DSA-6249-1 [email protected] https://www.debian.org/securit...

CVSS 7.8 | AI score 6.3 | EPSS 0.00032
Exploits: 37 | References: 77

Packet Storm News
added 2026/05/07 12:0 a.m., 8 views

From Specification to Deployment: Empirical Evidence from a W3C VC + DID Trust Infrastructure for Autonomous Agents

Autonomous AI agents now transact at production scale -- 69,000 bots executing 165 million transactions across 50 million USDC in cumulative volume on a single marketplace -- without any shared trust layer between participants. Regulatory frameworks Singapore IMDA, NIST CAISI, EU AI Act and major...

AI score 5.8
Exploits: 0

Tenable Nessus
added 2026/05/07 12:0 a.m., 4 views

Photon OS 5.0: Dotnet PHSA-2026-5.0-0842

An update of the dotnet package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2026-5.0-0842. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...

CVSS 7.5 | AI score 6.8 | EPSS 0.08014
Exploits: 0 | References: 6

Github Security Blog
added 2026/05/06 9:35 p.m., 8 views

Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete

Summary: SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these...

CVSS 8.8 | AI score 6 | EPSS 0.00019
Exploits: 0 | References: 5 | Affected Software: 1

OSV
added 2026/05/06 9:35 p.m., 1 view

GHSA-XWQR-RCQG-22MR Flight vulnerable to SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete

Summary: SimplePdo::insert, SimplePdo::update, and SimplePdo::delete build SQL statements by concatenating the $table argument and the keys of the $data array directly into the query, with no identifier quoting and no validation. When an application forwards user-controlled data shapes to these...

CVSS 8.8 | AI score 6 | EPSS 0.00019
Exploits: 0 | References: 5

Cvelist
added 2026/05/06 7:49 p.m., 27 views

CVE-2026-44110 OpenClaw < 2026.4.15 - Authorization Bypass in Matrix Room Control Commands via DM Pairing Store

OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without being in configured allowlists by posting in bot rooms,...

CVSS 8.8 | EPSS 0.00057
Exploits: 0 | References: 4

Snyk
added 2026/05/06 5:54 p.m., 6 views

Missing Authorization

Overview: craftcms/cms is a content management system. Affected versions of this package are vulnerable to Missing Authorization via the actionShowInFolder process. An attacker can access sensitive asset filenames and complete folder structures, including volume handles and URIs, by supplying...

CVSS 7.1 | AI score 5.9 | EPSS 0.00012
Exploits: 0 | References: 2

CVE
added 2026/05/06 4:44 p.m., 6 views

CVE-2026-29080

CVE-2026-29080 describes an SQL injection in Rucio’s FilterEngine for Oracle JSON Path via the DID search API. In Oracle deployments using the default json_meta plugin, create_sqla_query() interpolates attacker-controlled key and value directly into sqlalchemy.text() via Python .format(), bypassi...

CVSS 9.4 | AI score 6 | EPSS 0.00055
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment
added 2026/05/06 4:10 p.m., 5 views

CVE-2026-7875 NanoClaw Host/Container Filesystem Boundary Vulnerability via Outbound Attachment Handling

NanoClaw version 1.2.0 and prior contains a host/container filesystem boundary vulnerability in outbound attachment handling and outbox cleanup that allows a compromised or prompt-injected container to read files outside the intended outbox directory by supplying crafted messagesout.id and...

CVSS 9.3 | AI score 5.9 | EPSS 0.0002
Exploits: 0 | References: 3

Veracode
added 2026/05/06 3:58 p.m., 8 views

Privilege Escalation

github.com/grafana/grafana is vulnerable to privilege escalation. The vulnerability is due to inadequate validation of the SCIM externalId field, which allows a malicious or compromised SCIM client to assign numeric values that override internal user IDs, enabling attackers to impersonate users o...

CVSS 10 | AI score 6 | EPSS 0.00057
Exploits: 1 | References: 6 | Affected Software: 1

RedhatCVE
added 2026/05/06 3:10 p.m., 2 views

CVE-2026-43113

A flaw was found in the wl1251 Wi-Fi driver within the Linux kernel. The wl1251_tx_packet_cb function processes firmware completion IDs without proper validation, allowing an attacker to use a crafted ID to access memory outside of allocated bounds. This out-of-bounds access could lead to memory...

CVSS 8.8 | AI score 5.8 | EPSS 0.00047
Exploits: 0 | References: 4

CVE
added 2026/05/06 1:45 p.m., 7 views

CVE-2026-8027

Technical details for CVE-2026-8027 are not publicly available in the provided documents. Monitor for updates.

CVSS 5.3 | AI score 5.6 | EPSS 0.00038
Exploits: 1 | References: 4 | Affected Software: 1