12 matches found
praisonai-platform: list_issue_activity returns activity log for any issue regardless of workspace ownership
Summary. Type: Insecure Direct Object Reference. The GET /workspaces/{workspace_id}/issues/{issue_id}/activity endpoint is gated by require_workspace_member(workspace_id) and dispatches to ActivityService.list_for_issue(issue_id), which executes SELECT * FROM activity WHERE issue_id = :issue_id with no workspace...
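The IDOR shape described above, as an added example that is not praisonai-platform's code: a membership gate on the workspace named in the URL, followed by a service query keyed only by issue_id, next to a query that carries the authorized workspace into the predicate. The SQLite schema, table names, route simulation and sample rows are assumptions of this example.

```python
"""Added example (not the project's code): workspace-membership gate plus an
issue-only query, beside a workspace-scoped query. Schema and data are assumed."""
import sqlite3

SCHEMA = """
CREATE TABLE issues   (id INTEGER PRIMARY KEY, workspace_id INTEGER NOT NULL, title TEXT);
CREATE TABLE activity (id INTEGER PRIMARY KEY, issue_id INTEGER NOT NULL, event TEXT);
"""


def make_db():
    """Constructed sample data: issue 1 belongs to workspace 10, issue 2 to workspace 20."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO issues VALUES (?, ?, ?)",
                     [(1, 10, "ws10 issue"), (2, 20, "ws20 issue")])
    conn.executemany("INSERT INTO activity VALUES (?, ?, ?)",
                     [(1, 1, "created"), (2, 2, "created"),
                      (3, 2, "comment: ws20-internal note")])
    return conn


def list_for_issue_vulnerable(conn, issue_id):
    # Mirrors the advisory's query: filtered by issue_id alone, so the workspace
    # the caller was authorized for never reaches the database.
    rows = conn.execute(
        "SELECT event FROM activity WHERE issue_id = :issue_id ORDER BY id",
        {"issue_id": issue_id})
    return [event for (event,) in rows]


def list_for_issue_scoped(conn, workspace_id, issue_id):
    # Fix: join through issues and require the issue to belong to the authorized
    # workspace. A foreign issue_id yields no rows, indistinguishable from a
    # non-existent issue, so the endpoint leaks neither data nor existence.
    rows = conn.execute(
        "SELECT a.event FROM activity AS a JOIN issues AS i ON i.id = a.issue_id "
        "WHERE i.workspace_id = :workspace_id AND a.issue_id = :issue_id "
        "ORDER BY a.id",
        {"workspace_id": workspace_id, "issue_id": issue_id})
    return [event for (event,) in rows]


def handle_activity_request(conn, caller_workspaces, workspace_id, issue_id, scoped=True):
    """Simulated handler for GET /workspaces/{workspace_id}/issues/{issue_id}/activity.
    The membership gate only checks the workspace in the URL, not the workspace the
    issue actually lives in; scoped=False reproduces the vulnerable dispatch."""
    if workspace_id not in caller_workspaces:
        raise PermissionError("caller is not a member of workspace %d" % workspace_id)
    if scoped:
        return list_for_issue_scoped(conn, workspace_id, issue_id)
    return list_for_issue_vulnerable(conn, issue_id)
```

A member of workspace 10 requesting /workspaces/10/issues/2/activity passes the gate either way; only the scoped query refuses to return workspace 20's activity log. The same pattern applies to every sub-resource reached through a workspace-prefixed route: the authorization predicate must be in the query, not only in the middleware.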
CVE-2026-35397 jupyter-server path traversal allows access to sibling directories sharing root_dir name prefix
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured root_dir and access sibling directories whose names begin with the same prefix as the root_dir. For exampl...
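The containment mistake behind this class of bug, as an added example that is not jupyter-server's code: a character-prefix test accepts a sibling directory whose name merely extends the root's name, while a component-wise test rejects it. The paths are illustrative, and posixpath is used so the string logic runs identically on any host.

```python
"""Added example (not jupyter-server code): prefix-string containment versus
component-wise containment for a configured root directory."""
import posixpath


def resolve_under(root_dir, user_path):
    """Join a user-supplied path onto the root and normalize '.' and '..' segments.
    On a real filesystem, apply os.path.realpath to the result as well so that a
    symlink inside the root cannot re-introduce an escape after normalization."""
    root = posixpath.normpath(root_dir)
    return root, posixpath.normpath(posixpath.join(root, user_path))


def inside_root_prefix(root_dir, user_path):
    # Weak check: '/srv/notebooks2/secret.ipynb' starts with '/srv/notebooks',
    # so a request for '../notebooks2/secret.ipynb' is accepted.
    root, target = resolve_under(root_dir, user_path)
    return target.startswith(root)


def inside_root(root_dir, user_path):
    # Corrected check: compare whole path components. commonpath() returns the
    # longest shared directory prefix, so the sibling 'notebooks2' shares only
    # '/srv' with the root and the request is refused.
    root, target = resolve_under(root_dir, user_path)
    return posixpath.commonpath([root, target]) == root
```

An equivalent fix without commonpath is `target == root or target.startswith(root + "/")`; the separator is what turns a string prefix into a directory prefix. Whichever form is used, it has to run on the fully resolved path, after symlink resolution, or the check can be bypassed by a link that points back out of the root.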
CVE-2026-32695
Summary: CVE-2026-32695 affects Traefik with Knative provider. Prior to versions 3.6.11 and 3.7.0-ea.2, routers were built by interpolating user-controlled values into backtick-delimited rule expressions without escaping, enabling rule-syntax injection and host/header manipulation. In live multi-...
CVE-2026-33484
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the /api/v1/files/images/{flow_id}/{filename} endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and filename returns...
EUVD-2025-208848
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of tarfile.extractall without path validation enables crafted tar.gz files containing .. or absolute paths to escape the intended extractio...
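The unsafe-extraction pattern described above, as an added example that is not MLflow's code: a constructed tar.gz with one benign entry, one '..' entry and one absolute-path entry, a member check that reports which entries would land outside the destination, and an extractor that refuses the archive instead of handing it to extractall() unvalidated. The archive contents and the MLmodel-style file names are constructed for this example.

```python
"""Added example (not MLflow code): validate every tar member against the
destination directory before extracting anything."""
import io
import os
import tarfile
import tempfile


def build_tar_gz(entries):
    """Constructed sample archive; entries is a list of (name, bytes)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name=name)   # raw TarInfo keeps '..' and leading '/'
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_members(tar, dest):
    """Names of members that would resolve outside dest (via '..' or an absolute
    name), plus symlinks and hardlinks, which can redirect later writes outside dest."""
    dest_real = os.path.realpath(dest)
    bad = []
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, member.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(member.name)
        elif member.issym() or member.islnk():
            bad.append(member.name)
    return bad


def safe_extractall(archive_bytes, dest):
    """Check all members first so a bad entry late in the archive cannot be
    preceded by partial writes; returns the top-level listing of dest."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        bad = unsafe_members(tar, dest)
        if bad:
            raise ValueError("refusing to extract, unsafe members: %s" % bad)
        if hasattr(tarfile, "data_filter"):      # Python 3.12+: also apply the stdlib filter
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return sorted(os.listdir(dest))


def demo():
    """Run a malicious and a clean archive through the validator.
    Returns (flagged member names, whether the malicious archive was rejected,
    listing after extracting the clean one)."""
    malicious = build_tar_gz([("ok.txt", b"fine"),
                              ("../escape.txt", b"x"),
                              ("/abs/evil.txt", b"y")])
    clean = build_tar_gz([("model/MLmodel", b"artifact_path: model\n"),
                          ("model/weights.bin", b"\x00" * 8)])
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(malicious), mode="r:gz") as tar:
            flagged = unsafe_members(tar, dest)
        try:
            safe_extractall(malicious, dest)
            rejected = False
        except ValueError:
            rejected = True
        listing = safe_extractall(clean, dest)
    return flagged, rejected, listing
```

On Python 3.12 and later, `extractall(..., filter="data")` rejects the same entries on its own (and becomes the default in 3.14); the explicit pre-scan above is what keeps older interpreters safe and lets the caller fail the whole archive before any byte is written.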
GHSA-76RV-2R9V-C5M6 zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service
Summary. All rate limit buckets for a single entity share the same DynamoDB partition key namespace/ENTITYid. A high-traffic entity can exceed DynamoDB's per-partition throughput limit (1,000 WCU/sec), causing throttling that degrades service for that entity — and potentially co-located entities in...
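The hot-partition mechanism described above, as an added example that is not zae-limiter's code: a key layout that collapses every bucket of an entity onto one partition key, beside a write-sharded key that spreads the same writes over several keys. The key formats, bucket names and WCU figures are assumptions of this example; the 1,000 WCU/sec per-partition ceiling is the one the advisory cites.

```python
"""Added example (not zae-limiter code): per-entity partition key versus a
write-sharded key, measured as peak WCU/sec landing on a single key."""
import hashlib

PARTITION_WCU_LIMIT = 1000   # per-partition write ceiling cited in the advisory


def shared_key(namespace, entity, bucket):
    # Advisory's layout: every bucket of the entity maps to the same partition key.
    return f"{namespace}/{entity}"


def sharded_key(namespace, entity, bucket, shards=8):
    # Write sharding: a deterministic suffix derived from the bucket name, so a
    # reader of that bucket can recompute the key without scanning all shards.
    digest = hashlib.sha256(f"{entity}/{bucket}".encode()).digest()
    return f"{namespace}/{entity}#{int.from_bytes(digest[:4], 'big') % shards}"


def partition_load(writes, key_fn):
    """writes: iterable of (namespace, entity, bucket, wcu_per_sec).
    Returns (WCU/sec on the hottest partition key, number of distinct keys)."""
    load = {}
    for namespace, entity, bucket, wcu in writes:
        key = key_fn(namespace, entity, bucket)
        load[key] = load.get(key, 0) + wcu
    return max(load.values()), len(load)


def throttled(writes, key_fn):
    peak, _ = partition_load(writes, key_fn)
    return peak > PARTITION_WCU_LIMIT


def constructed_traffic(buckets=40, wcu_each=50):
    """Constructed load: one entity with 40 buckets (per-route, per-window limits)
    writing 50 WCU/sec each, 2,000 WCU/sec in total."""
    return [("prod", "tenant-42", f"bucket-{i}", wcu_each) for i in range(buckets)]
```

Sharding by bucket only helps when the load is spread across buckets; a single bucket that alone exceeds the ceiling needs its own counter split across shards with the reader summing them. Either way, the point is that the entity's aggregate write rate, not any one bucket's, is what a single partition key has to absorb.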
Security Bulletin: IBM Cloud Kubernetes Service is affected by Kubernetes Ingress Controller security vulnerabilities (CVE-2026-24513, CVE-2026-1580, CVE-2026-24514, CVE-2026-24512)
Summary. IBM Cloud Kubernetes Service is affected by multiple Kubernetes Ingress Controller security vulnerabilities. - A user with access to create or update Ingress objects can use the rules.http.paths.path Ingress field to inject configuration into nginx (CVE-2026-24512). - The...
Amazon Linux 2023 : docker (ALAS2023-2025-1213)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1213 advisory. Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld...
EUVD-2025-23166
Malicious code in bioql PyPI...
CVE-2025-54410 Moby's Firewalld reload removes bridge network isolation
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fails to re-create...
CVE-2025-54410
CVE-2025-54410 affects Moby (Docker Engine, Mirantis Container Runtime, and downstreams). A firewalld-related issue causes Docker to fail to re-create iptables rules that isolate bridge networks when firewalld reloads, allowing containers to reach ports across bridge networks on the same host. Th...
PT-2023-6428
Name of the Vulnerable Software and Affected Versions: ingress-nginx versions prior to 1.9.0. Description: A security issue in ingress-nginx allows for arbitrary command execution due to annotation injection. This can be exploited by a remote attacker to execute arbitrary code or elevate privileges...