ImageMagick has a possible heap Use After Free vulnerability in its meta coder

A heap Use After Free vulnerability exists in the meta coder when an allocation fails and a single byte is written to a stale pointer. ==535852==ERROR: AddressSanitizer: heap-use-after-free on address 0x5210000088ff at pc 0x5581bacac14d bp 0x7ffdf667edf0 sp 0x7ffdf667ede0 WRITE of size 1 at...

Use After Free

Overview Magick.NET-Q16-HDRI-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

Use After Free

Overview Magick.NET-Q16-HDRI-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this...

Use After Free

Overview Magick.NET-Q16-AnyCPU is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

CVE-2026-2301

The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the duplicatepost function in includes/api.php using $wpdb-insert directly to the wppostmeta table instead of WordPress's...

CVE-2026-2301

The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the duplicatepost function in includes/api.php using $wpdb-insert directly to the wppostmeta table instead of WordPress's...

CVE-2026-2301 Post Duplicator <= 3.0.8 - Missing Authorization to Authenticated (Contributor+) Protected Post Meta Insertion via 'customMetaData' Parameter

The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the duplicatepost function in includes/api.php using $wpdb-insert directly to the wppostmeta table instead of WordPress's...

CVE-2026-2301

CVE-2026-2301 (Post Duplicator, WordPress): Wordfence and related sources confirm a protected post meta insertion vulnerability in Post Duplicator

CVE-2026-2301 Post Duplicator <= 3.0.8 - Missing Authorization to Authenticated (Contributor+) Protected Post Meta Insertion via 'customMetaData' Parameter

The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the duplicatepost function in includes/api.php using $wpdb-insert directly to the wppostmeta table instead of WordPress's...

karakeep 跨站脚本漏洞

Karakeep is an open-source bookmarking app developed by Karakeep App. Version 0.30.0 of Karakeep contains a cross-site scripting vulnerability. This vulnerability arises from the Reddit meta-fetching plugin not using DOMPurify to clean HTML content, allowing malicious HTML to be executed in users...

PT-2026-21893

The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the duplicate post function in includes/api.php using $wpdb-insert directly to the wp postmeta table instead of WordPress's...

A week in security (February 16 &#8211; February 22)

Last week on Malwarebytes Labs: Age verification vendor Persona left frontend exposed, researchers say Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets AI-generated passwords are a security risk Intimate products maker Tenga spilled customer data Meta patents ...

Directory Traversal

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Directory Traversal via the 'findrunroot function in the FileStore...

Meta patents AI that could keep you posting from beyond the grave

Tech bros have been wanting to become immortal for years. Until they get there, their fallback might be continuing to post nonsense on social media from the afterlife. On December 30, 2025, Meta was granted US patent 12513102B2: Simulation of a user of a social networking system using a language...

WordPress Image Hotspot by DevVN plugin <= 1.2.9 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Field Meta vulnerability

Authenticated Author+ Stored Cross-Site Scripting via Custom Field Meta vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Image Hotspot by DevVN versions = 1.2.9...

Trojan Horses in Recruiting: A Red-Teaming Case Study on Indirect Prompt Injection in Standard Vs. Reasoning Models

As Large Language Models LLMs are increasingly integrated into automated decision-making pipelines, specifically within Human Resources HR, the security implications of Indirect Prompt Injection IPI become critical. While a prevailing hypothesis posits that "Reasoning" or "Chain-of-Thought" Model...

WordPress Video Share VOD plugin <= 2.7.11 - Authenticated (Editor+) Stored Cross-Site Scripting via Custom Field Meta Values vulnerability

Authenticated Editor+ Stored Cross-Site Scripting via Custom Field Meta Values vulnerability discovered by Tarcísio Luchesi De Almeida Silva Poystick in WordPress Plugin Video Share VOD versions = 2.7.11...

tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE

A directory traversal vulnerability in Apache Tomcat caused by improper URL normalization during request rewriting. When specific rewrite rules are used, an attacker could craft a malicious request to bypass access restrictions and reach protected directories such as /WEB-INF/ or /META-INF/. If...

ROS-20260216-73-0001

A vulnerability in the hasmetacommands function of the pgAdmin 4 database management tool is related to incorrect code generation control. Exploitation of the vulnerability could allow a remote attacker to bypass existing security mechanisms by injecting a specially generated SQL file...

Ring Kills Flock Safety Deal After Super Bowl Ad Uproar

Plus: Meta plans to add face recognition to its smart glasses, Jared Kushner named as part of whistleblower’s mysterious national security complaint, and more...