CVE-2026-39817 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-firehose-fips, thanos-receive-controller, rabbitmq-messaging-topology-operator-fips, xeol-fips, crossplane-provider-aws-opensearchserverless-fips, agentbeat-fips, longhorn-manager-fips, cilium-certgen, cadence,...
GHSA-5M4P-2GJX-P2G8 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-firehose-fips, thanos-receive-controller, rabbitmq-messaging-topology-operator-fips, xeol-fips, crossplane-provider-aws-opensearchserverless-fips, agentbeat-fips, longhorn-manager-fips, cilium-certgen, cadence,...
CVE-2026-42501 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-firehose-fips, thanos-receive-controller, rabbitmq-messaging-topology-operator-fips, xeol-fips, crossplane-provider-aws-opensearchserverless-fips, agentbeat-fips, longhorn-manager-fips, cilium-certgen, cadence,...
CVE-2026-39819 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-firehose-fips, thanos-receive-controller, rabbitmq-messaging-topology-operator-fips, xeol-fips, crossplane-provider-aws-opensearchserverless-fips, agentbeat-fips, longhorn-manager-fips, cilium-certgen, cadence,...
CVE-2026-39836 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-firehose-fips, thanos-receive-controller, rabbitmq-messaging-topology-operator-fips, xeol-fips, crossplane-provider-aws-opensearchserverless-fips, agentbeat-fips, longhorn-manager-fips, cilium-certgen, cadence,...
GHSA-QF3Q-3H68-MMH2 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-firehose-fips, thanos-receive-controller, rabbitmq-messaging-topology-operator-fips, xeol-fips, crossplane-provider-aws-opensearchserverless-fips, agentbeat-fips, longhorn-manager-fips, cilium-certgen, cadence,...
CVE-2026-33814 vulnerabilities
Vulnerabilities for packages: crossplane-provider-aws-firehose-fips, thanos-receive-controller, rabbitmq-messaging-topology-operator-fips, volcano, xeol-fips, step-kms-plugin, crossplane-provider-aws-opensearchserverless-fips, agentbeat-fips, longhorn-manager-fips, cilium-certgen, karma,...
Pillow security vulnerability
Pillow is an open-source image processing library developed by Pillow. Versions of Pillow from 4.2.0 to 12.2.0 contained security vulnerabilities. These vulnerabilities were due to malicious PDFs, which could cause processes to hang indefinitely, consume 100% of the CPU resources, and render the...
CVE-2026-43433
A flaw was found in the Linux kernel's rustbinder component. If a local process gains the ability to write to its own virtual memory area (VMA), it could exploit a time-of-check to time-of-use (TOCTOU) vulnerability. This allows the process to alter the offsets array during a transaction before it is...
Deserialization of Untrusted Data
Overview: langchain-core is a package for building applications with LLMs through composability. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the load process. An attacker can instantiate trusted classes with untrusted constructor arguments by submitting specially...
Missing Authorization
Overview: Affected versions of this package are vulnerable to Missing Authorization through the POST /upi/v1/upNodesLinks handler, which processes attacker-controlled JSON input without authentication or authorization checks. An attacker can terminate the entire process by submitting a crafted...
CVE-2026-43411
A flaw was found in the Linux kernel's TIPC (Transparent Inter-Process Communication) protocol. A local user can trigger a divide-by-zero error by setting a specific connection timeout value. This can lead to a kernel panic, effectively causing a Denial of Service (DoS) on the affected system...
Arbitrary File Upload
Overview: open-webui is the Open WebUI package. Affected versions of this package are vulnerable to Arbitrary File Upload via the storedoc process. An attacker can write arbitrary files to locations outside the intended upload directory by supplying crafted filenames containing path traversal sequences in t...
CVE-2026-42352
pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to make requests to internal HTTP services. This issue has been patched in version 0.23.3...
CVE-2026-42352 pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber
pygeoapi is a Python server implementation of the OGC API suite of standards. From version 0.23.0 to before version 0.23.3, OGC API process execution requests can use the subscriber object to make requests to internal HTTP services. This issue has been patched in version 0.23.3...
NPM: Electerm's full process.env exposed to renderer via window.pre.env
Vulnerability discovered by ? in WordPress Npm electerm versions = 3.8.15...
Cleartext Storage of Sensitive Information
Overview: electerm is an open-source terminal/ssh/telnet/serialport/sftp client. Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the getConstants process, which serializes the entire process.env object and exposes it to the renderer context as...
EUVD-2026-28514
Electerm's full process.env exposed to renderer via window.pre.env...
Electerm's full process.env exposed to renderer via window.pre.env
Impact: The getConstants IPC handler in src/app/lib/ipc-sync.js serialises the entire process.env object and sends it to the renderer. The data is stored as window.pre.env and is accessible from any JavaScript running in the renderer (e.g., via the DevTools console or a compromised webview context)...
Unsafe Dependency Resolution
Overview: electerm is an open-source terminal/ssh/telnet/serialport/sftp client. Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the runWidget function. An attacker can achieve arbitrary code execution by supplying crafted input that exploits path traversal to...