PT-2026-25071

Summary A command injection vulnerability exists in Deno's node:child process polyfill shell: true mode that bypasses the fix for CVE-2026-27190 GHSA-hmh4-3xvx-q5hr. An attacker who controls arguments passed to spawnSync or spawn with shell: true can execute arbitrary OS commands, bypassing Deno'...

PT-2026-24898

A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization...

OpenClaw PRISM: A Zero-Fork, Defense-In-Depth Runtime Security Layer for Tool-Augmented LLM Agents

Tool-augmented LLM agents introduce security risks that extend beyond user-input filtering, including indirect prompt injection through fetched content, unsafe tool execution, credential leakage, and tampering with local control files. We present OpenClaw PRISM, a zero-fork runtime security layer...

Deno 操作系统命令注入漏洞

Deno is a simple, modern, and secure JavaScript and TypeScript runtime environment developed by Deno itself. Version 2.7.0 to 2.7.1 of Deno contains a vulnerability related to operating system command injection. This vulnerability stems from a command injection issue within the node:childprocess...

PT-2026-29973

Name of the Vulnerable Software and Affected Versions Sudo versions through 1.9.17p2 Description A failure of a setuid, setgid, or setgroups call during a privilege drop before running the mailer is not a fatal error and can lead to privilege escalation. Recommendations Update Sudo to a version...

GPAC 安全漏洞

GPAC is an open-source multimedia framework developed by GPAC. The GPAC 26.03-DEV version contains a security vulnerability, which stems from a stack buffer overflow in the txtinprocesstexml function within the TeXML File Parser component...

Graphql-upload-minimal has a prototype pollution vulnerability.

Overview Version 1.6.1 of the Flash Payments package graphql-upload-minimal is vulnerable to prototype pollution. This vulnerability, located in the processRequest function, allows an attacker to inject special property names into the operations.variables object and pollute global object...

CVE-2026-1717

An input validation vulnerability was reported in the LenovoProductivitySystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to terminate arbitrary processes with elevated privileges...

CVE-2026-1717

An input validation vulnerability was reported in the LenovoProductivitySystemAddin used in Lenovo Vantage and Lenovo Baiying that could allow a local authenticated user to terminate arbitrary processes with elevated privileges...

CVE-2026-31960 DoS in Quill via unbounded read of HTTP response body during notarization

Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1 has unbounded reads of HTTP response bodies during the Apple notarization process. Exploitation requires the ability to modify API responses from Apple's notarization service, which is not...

CVE-2018-25159

Epross AVCON6 systems management platform contains an object-graph navigation language OGNL injection vulnerability that allows unauthenticated attackers to execute arbitrary commands by injecting malicious OGNL expressions. Attackers can send crafted requests to the login.action endpoint with OG...

EUVD-2026-11186

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 14.4 before 18.7.6, 18.8 before 18.8.6, and 18.9 before 18.9.2 that could have allowed an authenticated user with group import permissions to create labels in private projects due to improper authorization validation in th...

UBUNTU-CVE-2026-31870

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API httplib::stream::Get, httplib::stream::Post, etc., the library calls std::stoull directly on the Content-Length header value received from the server...

CVE-2026-31870 cpp-httplib Affected by Remote Process Crash via Malformed Content-Length Response Header

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.37.1, when a cpp-httplib client uses the streaming API httplib::stream::Get, httplib::stream::Post, etc., the library calls std::stoull directly on the Content-Length header value received from the server...

CVE-2026-20074

A vulnerability in the Intermediate System-to-Intermediate System IS-IS multi-instance routing feature of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the IS-IS process to restart unexpectedly. This vulnerability is due to insufficient input validation of ingre...

Malicious code in collectables (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e007c43e26edb912325f1478ec6cd5cd838b5d7e5ae62beedd3baa02638b3dc4 Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

CVE-2026-2741

A flaw was found in Vaadin. During the automatic download and extraction of Node.js, a remote attacker could exploit a path traversal vulnerability. By intercepting or controlling the Node.js download, an attacker could serve a specially crafted ZIP archive. This malicious archive would allow fil...

Malicious code in collects (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 fc7f98d0c4c092f4eb4a73240f8c7a5df90717853ee408fefa9eeb09a41d2cae Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

MAL-2026-1341 Malicious code in collects (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 fc7f98d0c4c092f4eb4a73240f8c7a5df90717853ee408fefa9eeb09a41d2cae Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

CVE-2026-30887

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By...