CVE-2026-44219

CVE-2026-44219 affects the ciguard static security auditor. The two SCA HTTP clients (osv.py and endoflife.py) call payload = json.loads(resp.read().decode('utf-8')) without a maximum bytes cap, allowing a hostile or compromised endoflife.date / OSV.dev (or a TLS MITM) to return multi-GB response...

EUVD-2025-209796

An issue in Open Source Kubectl MCP Server v1.1.1 allows attackers to execute arbitrary code on a victim system via user interaction with a crafted HTML page...

PYSEC-2026-29

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpathfilter switches to XML mode for XML/RSS content and creates etree.XMLParserstripcdata=False without explicitly disabling external entity resolution, external DTD loading, or network-backed entity...

RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded

RubyGems , the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack." "We're dealing with a major malicious attack on RubyGems right now," Maciej Mensfeld, senior product manager for...

Security Bulletin: Content Manager Enterprise Edition for June 2026 - Multiple CVEs

Summary Content Manager Enterprise Edition is vulnerable to multiple remote code execution and denial of service attacks in third party and open source used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-342...

MAL-2026-3589 Malicious code in nextmove-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware df7f916a0e0b35995c3bb3ad68e6686d75a52472172d505eee44bf060e54c105 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

[SECURITY] Fedora 43 Update: chromium-148.0.7778.96-1.fc43

Chromium is an open-source web browser, powered by WebKit Blink...

[SECURITY] Fedora 44 Update: firefox-150.0.1-1.fc44

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability...

CTFusion: A CTF-Based Benchmark for LLM Agent Evaluation

Recent advances in Large Language Models LLMs have enabled agentic systems for complex, multi-step tasks; cybersecurity is emerging as a prominent application. To evaluate such agents, researchers widely adopt Capture The Flag CTF benchmarks. However, current CTF benchmarks reuse existing...

superduper 安全漏洞

Superduper is an open-source database integration AI proxy and application building tool developed by superduper.io. Versions of Superduper prior to v0.10.0 contained security vulnerabilities. These vulnerabilities stemmed from the Parseoppart function in the query parsing component, which used t...

Pocket ID 授权问题漏洞

Pocket ID is an open-source OIDC identity provider that supports no-password authentication. Versions of Pocket ID prior to 2.6.0 had an authorization vulnerability. This vulnerability stemmed from the createTokenFromRefreshToken function not revalidating the user’s current authorization status,...

lemur 注入漏洞

Lemur is an open-source TLS certificate management tool developed by Netflix, Inc. Versions of Lemur prior to 1.9.0 contained a injection vulnerability. This vulnerability stemmed from the LDAP authentication module using uncleaned user input to construct LDAP search filters, which could lead to...

Syft 安全漏洞

Syft is an open-source remote data analysis tool developed by OpenMined, designed for protecting data privacy. Versions of Syft 0.9.5 and earlier contained security vulnerabilities. These vulnerabilities stemmed from inadequate validation of Python code submitted by users and insufficient sandbox...

APSB26-49 : Security update available for Adobe Commerce

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system write, application denial-of-service, and security feature...

IPI-Proxy: An Intercepting Proxy for Red-Teaming Web-Browsing AI Agents against Indirect Prompt Injection

Web-browsing AI agents are increasingly deployed in enterprise settings under strict whitelists of approved domains, yet adversaries can still influence them by embedding hidden instructions in the HTML pages those domains serve. Existing red-teaming resources fall short of this scenario:...

PT-2026-40426

Name of the Vulnerable Software and Affected Versions pyLoad affected versions not specified Description An authenticated attacker with administrative privileges can achieve account takeover by stealing session files of other users. The issue arises because the software fails to block the storage...

PT-2026-40469

Name of the Vulnerable Software and Affected Versions Warpgate versions prior to 0.23.3 Description The SSO flow fails to validate the state parameter. This allows an attacker to trick a user into logging into an account controlled by the attacker, which could lead the user to perform sensitive...

CVE-2025-65719

Affected software: Open Source Kubectl MCP Server v1.1.1. Issue: A vulnerability allows attackers to execute arbitrary code on a victim system via a crafted HTML page. What is known: Documented across multiple sources (NVD, EUVD, CVE listing) with the same description. No explicit root cause, aff...

PT-2026-40468

Name of the Vulnerable Software and Affected Versions Flowsint versions prior to 1.2.3 Description Flowsint is an open-source OSINT graph exploration tool used for cybersecurity investigation, transparency, and verification. A broken access control issue allows an adversary who knows an...

ROS-20260512-73-0005

A vulnerability in the ngxhttpdavmodule module of the NGINX Plus and NGINX Open Source HTTP server is related to a buffer overflow in dynamic memory. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...