2 matches found
CVE-2026-59864
Kiota (OpenAPI-based HTTP client code generator) prior to v1.32.5 allowed path traversal/out-of-package file inclusion in generated Microsoft 365 Copilot and Teams plugin manifests through attacker-controlled static_template.file values derived from x-ai-adaptive-card and x-ai-capabilities during...
CVE-2026-28673
xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the standard plugin system allows admins to upload a ZIP file containing a binary and a manifest.json. The server trusts the binaries field in the manifest and execute...