hackage-server Cross-Site Scripting Vulnerability
hackage-server is a Haskell open-source package repository server. hackage-server has a cross-site scripting vulnerability, which stems from serving HTML and JavaScript files directly. This vulnerability could allow malicious package maintainers to hijack user sessions...
Flowise Information Disclosure Vulnerability
Flowise is a FlowiseAI open source tool for easily building LLM applications. Flowise suffers from an information disclosure vulnerability caused by a flaw in the /api/v1/public-chatflows/:id endpoint that can be exploited by an attacker to obtain sensitive information...
ktransformers Code Issue Vulnerability
KTransformers is an open-source framework for CPU-GPU heterogeneous large-scale inference and fine-tuning developed by kvcache.ai. KTransformers 0.5.3 and earlier contain code-level vulnerabilities stemming from insecure deserialization in the balanceserve backend...
Flowise Security Vulnerability
Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Versions of Flowise prior to 3.1.0 contain a security vulnerability. This vulnerability stems from the GraphCypherQAChain node passing user input directly into the Cypher query executio...
OpenClaw Security Vulnerability
OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contain a security vulnerability. The vulnerability stems from a certification rate-limiting bypass, which allowed attackers to circumvent shared...
OpenClaw Security Vulnerability
OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contain a security vulnerability. The vulnerability was caused by a mutation vulnerability in the callback source during Plivo voice call replaying, allowing attackers...
CrossCommitVuln-Bench: A Dataset of Multi-Commit Python Vulnerabilities Invisible to Per-Commit Static Analysis
We present CrossCommitVuln-Bench, a curated benchmark of 15 real-world Python vulnerability CVEs in which the exploitable condition was introduced across multiple commits, each individually benign to per-commit static analysis but collectively critical. We manually annotate each CVE with its...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: nginx (UTSA-2026-014290)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-014290 advisory. NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow in the NGINX worker...
PT-2026-34633
Froxlor is open-source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with the change_serversettings permission adds or updates a MySQL server via the API,...
PT-2026-34638
Froxlor is open-source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customers_see_all permission. This allows a reseller to attribute newly created...
UBUNTU-CVE-2026-41314
pypdf is a free and open-source pure-Python PDF library. An attacker exploiting a vulnerability present in versions prior to 6.10.2 can craft a PDF that exhausts RAM. This requires accessing an image using /FlateDecode with large size values. This has been fixed in pypdf 6.10.2...
@headspinio/appium-roku-driver (>=2.6.1 <=2.7.0), @natlibfi/passport-melinda-aleph (=3.0.3-alpha.1) +2 more potentially affected by CVE-2026-41674 via @xmldom/xmldom (=0.9.0)
@xmldom/xmldom NPM version =0.9.0 is affected by a known vulnerability. The following packages have a transitive dependency on @xmldom/xmldom and may be impacted: @headspinio/appium-roku-driver =2.6.1, =3.0.0, =1.7.9-beta.3, =1.8.0-beta.2. Source CVEs: CVE-2026-41674. Source advisory:...
hickory-server (>=0.24.0 <=0.25.0-alpha.1) potentially affected by unknown CVE via hickory-recursor (>=0.24.4 <=0.25.0-alpha.1)
hickory-recursor CARGO version =0.24.4, =0.24.0, =0.25.0-alpha.1. Source CVEs: unknown CVE. Source advisory: OSV:RUSTSEC-2026-0106...
EUVD-2026-24626
Integer overflow in constant tensor data size calculation in Samsung Open Source ONE could cause incorrect buffer sizing for large constant nodes. Affected version is prior to commit 1.30.0...
EUVD-2026-24624
Integer overflow in tensor copy size calculation in Samsung Open Source ONE could lead to out of bounds access during loop state propagation. Affected version is prior to commit 1.30.0...
EUVD-2026-24620
Integer overflow in memory copy size calculation in Samsung Open Source ONE could lead to invalid memory operations with large tensor shapes. Affected version is prior to commit 1.30.0...
EUVD-2026-24618
Integer overflow in output tensor copy size calculation in Samsung Open Source ONE could cause incorrect copy length and memory corruption for oversized tensors. Affected version is prior to commit 1.30.0...
EUVD-2026-24616
Integer overflow in buffer size calculation could result in out of bounds memory access when handling large tensors in Samsung Open Source ONE. Affected version is prior to commit 1.30.0...
MAL-2026-2986 Malicious code in @bmg-web/bmg-dropdown (npm)
Source: amazon-inspector. The package @bmg-web/bmg-dropdown was found to contain malicious code. Source: ossf-package-analysis...
CVE-2026-40449
Integer overflow in buffer size calculation could result in out of bounds memory access when handling large tensors in Samsung Open Source ONE. Affected version is prior to commit 1.30.0...