Vulnerabilities fixed in Cisco IOS XR

Cisco has fixed vulnerabilities in Cisco IOS XR Software. The vulnerabilities are in the command-line interface CLI of Cisco IOS XR, which allows authenticated local attackers to execute arbitrary root-level commands or obtain full administrative privileges. In addition, there is a problem with t...

ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More

Another Thursday, another pile of weird security stuff that somehow happened in just seven days. Some of it is clever. Some of it is lazy. A few bits fall into that uncomfortable category of “yeah… this is probably going to show up in real incidents sooner than we’d like.” The pattern this week...

DEBIAN-CVE-2026-4015

A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtinprocesstexml of the file src/filters/loadtext.c of the component TeXML File Parser. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit...

CVE-2026-4015

A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtinprocesstexml of the file src/filters/loadtext.c of the component TeXML File Parser. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit...

CVE-2026-4016

A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svginprocess of the file src/filters/loadsvg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this attack. The exploit has...

CVE-2026-4016 GPAC SVG Parser load_svg.c svgin_process out-of-bounds write

A security vulnerability has been detected in GPAC 26.03-DEV. Affected by this vulnerability is the function svginprocess of the file src/filters/loadsvg.c of the component SVG Parser. The manipulation leads to out-of-bounds write. Local access is required to approach this attack. The exploit has...

CVE-2026-4016

CVE-2026-4016 affects GPAC 26.03-DEV; the vulnerability is in svgin_process within src/filters/load_svg.c of the SVG Parser, causing an out-of-bounds write. Local access is required, and the exploit has been publicly disclosed. The patch identifier is 7618d7206cdeb3c28961dc97ab0ecabaff0c8af2, wit...

CVE-2026-4015

CVE-2026-4015 affects GPAC 26.03-DEV, specifically the TeXML File Parser component (src/filters/load_text.c, function txtin_process_texml). A manipulation can trigger a stack-based buffer overflow, with local attack vector and public proof-of-concept exploit; impact is partial confidentiality, in...

CVE-2026-4015

A weakness has been identified in GPAC 26.03-DEV. Affected is the function txtinprocesstexml of the file src/filters/loadtext.c of the component TeXML File Parser. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit...

EUVD-2026-11492

A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization...

yauzl contains an off-by-one error

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor data.length + 4 instead of cursor + 4 = data.length, allowing readUInt16LE to rea...

CVE-2026-3967 Alfresco Activiti Process Variable Serialization System SerializableType.java createObjectInputStream deserialization

A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization...

CVE-2026-3967

Alfresco Activiti up to versions 7.19/8.8.0 is affected by a deserialization flaw in the function deserialize/createObjectInputStream of activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java within the Process Variable Serialization System. This leads...

CVE-2026-3967

A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization...

CVE-2026-3967 Alfresco Activiti Process Variable Serialization System SerializableType.java createObjectInputStream deserialization

A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization...

PT-2026-25071

Summary A command injection vulnerability exists in Deno's node:child process polyfill shell: true mode that bypasses the fix for CVE-2026-27190 GHSA-hmh4-3xvx-q5hr. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno'...

PT-2026-24898

A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization...

OpenClaw PRISM: A Zero-Fork, Defense-In-Depth Runtime Security Layer for Tool-Augmented LLM Agents

Tool-augmented LLM agents introduce security risks that extend beyond user-input filtering, including indirect prompt injection through fetched content, unsafe tool execution, credential leakage, and tampering with local control files. We present OpenClaw PRISM, a zero-fork runtime security layer...

Deno 操作系统命令注入漏洞

Deno is a simple, modern, and secure JavaScript and TypeScript runtime environment developed by Deno itself. Version 2.7.0 to 2.7.1 of Deno contains a vulnerability related to operating system command injection. This vulnerability stems from a command injection issue within the node:childprocess...

PT-2026-29973

Name of the Vulnerable Software and Affected Versions Sudo versions through 1.9.17p2 Description A failure of a setuid, setgid, or setgroups call during a privilege drop before running the mailer is not a fatal error and can lead to privilege escalation. Recommendations Update Sudo to a version...