710 matches found
PT-2026-53221
Name of the Vulnerable Software and Affected Versions Delta Electronics DTM Soft affected versions not specified Description The software is susceptible to the deserialization of untrusted data, which can allow an attacker to execute arbitrary code. Real-world exploitation has been observed where...
Security Bulletin: Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass
Summary An improper authorization vulnerability in Streamable MCP transport endpoint /api/v1/mcp/project/projectid/streamable allows unauthenticated attackers to bypass project ownership controls and execute Model Context Protocol MCP operations against OAuth-authenticated projects owned by other...
Malicious code in express-self-destruct (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d0097503a7ecd7b5e3b97213de29b36d5e957a305f7829cc45f43aa5aa3da817 On npm install, the package's postinstall hook node scripts/inject.js walks up from the install directory to locate the consumer's project root and...
National Security Agency Ghidra 代码问题漏洞
National Security Agency Ghidra is a software reverse-engineering framework developed by the National Security Agency NSA. Previous versions of National Security Agency Ghidra, such as version 12.1, had code vulnerabilities. These vulnerabilities stemmed from insecure deserialization in the RMI...
PT-2026-46111
Name of the Vulnerable Software and Affected Versions SP Project & Document Manager versions prior to 4.72 Description Unauthorized access is possible due to a missing capability check in the view file function. Unauthenticated attackers can read file metadata and obtain download links for...
Missing Authorization
Overview @vitest/ui is an UI for Vitest Affected versions of this package are vulnerable to Missing Authorization through the api and browser.api request handlers in the server and UI components. An attacker can run tests, modify project files, or overwrite snapshots by connecting to an exposed...
CVE-2026-45539 Microsoft APM: Symlinks under `.apm/prompts/` and `.apm/agents/` are dereferenced during `apm install`, copying host-local file contents into the project tree
Microsoft APM is an open-source, community-driven dependency manager for AI agents. From 0.5.4 to 0.12.4, two primitive integrators in apm-cli enumerate package files with bare Path.glob / Path.rglob calls and read each match with Path.readtext, transparently following symbolic links. A symlink...
GHSA-72W5-PF8H-XFP4 DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files
Summary The taskcreate tool spawns durable sub-agents that inherit two insecure defaults: - allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue - autoapprove defaults to true taskmanager.rs:297: autoapprove: Sometrue When a user approves a taskcreate call which requires...
Linux Distros Unpatched Vulnerability : CVE-2026-44301
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node- based asset pipelines PostCSS, Babel, TailwindCSS, Hugo...
CVE-2026-44301
Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines PostCSS, Babel, TailwindCSS, Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could...
EUVD-2026-28946
Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used...
DEBIAN-CVE-2026-45184
Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used...
CVE-2026-45184
Kdenlive has a vulnerability in versions prior to 26.04.1 where dangerous proxy parameters can be introduced via an attacker-controlled project file. The issue affects handling of proxies within the project file, with potential impacts to confidentiality and integrity (per CVSS: LOCAL, HIGH impac...
CVE-2026-45184
Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used...
CVE-2026-45184
Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used...
Kdenlive 安全漏洞
Kdenlive is a video editing software from the Kdenlive organization that supports multi-track editing with rich effects processing. A security vulnerability exists in Kdenlive versions prior to 26.04.1 that stems from allowing dangerous proxy parameters when using an attacker-controlled project...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the make:controller process. An attacker can create arbitrary directories outside the intended project root by supplying crafted input containing directory traversal sequences. Details A Directory Traversal attac...
JetBrains Junie 安全漏洞
JetBrains Junie is a coding proxy provided by the Czech company JetBrains. Versions of JetBrains Junie prior to 252.549.29 contained security vulnerabilities, which were due to the possibility of executing commands through malicious project files...
Labcenter Electronics Proteus 缓冲区错误漏洞
Labcenter Electronics Proteus is an electronic engineering software developed by the British company Labcenter, used for circuit design and embedded system simulation. Labcenter Electronics Proteus has a buffer error vulnerability, which stems from insufficient validation of the data provided to...
Labcenter Electronics Proteus 安全漏洞
Labcenter Electronics Proteus is an electronic engineering software developed by the British company Labcenter, used for circuit design and embedded system simulation. Labcenter Electronics Proteus has a security vulnerability that stems from the lack of proper validation of the data provided to...