PT-2026-28369
Name of the Vulnerable Software and Affected Versions: Grafana versions 11.6.0 through 11.6.14, 12.0.0 through 12.1.10, 12.2.0 through 12.2.8, 12.3.0 through 12.3.6, and 12.4.0 through 12.4.2. Description: A chained attack involving SQL Expressions and a Grafana Enterprise plugin can lead to remo...
n8n Code Injection Vulnerability
n8n is an open-source, scalable workflow automation tool developed by n8n. Versions of n8n prior to 2.14.1, 2.13.3, and 1.123.26 contained a code injection vulnerability. This vulnerability stemmed from insufficient SQL pattern restrictions in the Merge node, which could lead to remote code...
CVE-2026-33334
Summary (CVE-2026-33334): Vikunja Desktop Electron wrapper prior to 2.2.0 enables nodeIntegration in the renderer without contextIsolation or sandbox, turning any web frontend XSS into full remote code execution on the victim’s machine. Affected range: Vikunja 0.21.0 through 2.1.x (up to
CVE-2026-4738 GDAL Bundled zlib (inftree9.c) Pointer Offset Optimization Undefined Behavior Allows Heap Corruption or Remote Code Execution
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in OSGeo gdal frmts/zlib/contrib/infback9 modules. This vulnerability is associated with program files inftree9.C. This issue affects gdal: before 3.11.0...
Moderate: Red Hat Security Advisory: 389-ds:1.4 security update
An update for the 389-ds:1.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
EUVD-2026-14684
Use after free in WebGPU in Google Chrome prior to 146.0.7680.165 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...
CVE-2026-30661
iCMS v8.0.0 contains a Cross-Site Scripting (XSS) vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters...
CVE-2026-4611 TOTOLINK X6000R shttpd setLanCfg privilege escalation
A flaw has been found in TOTOLINK X6000R 9.4.0cu.1360B20241207/9.4.0cu.1498B20250826. Affected by this issue is the function setLanCfg of the file /usr/sbin/shttpd. Executing a manipulation of the argument Hostname can lead to os command injection. The attack may be launched remotely...
gimp: GIMP: Remote Code Execution via uninitialized memory in PGM file parsing
A flaw was found in GIMP. This uninitialized memory vulnerability allows a remote attacker to execute arbitrary code on affected installations. Successful exploitation requires user interaction, where the target must open a specially crafted PGM (Portable Graymap) image file. This can lead to...
CVE-2026-32968 Unauthenticated RCE in com_mb24sysapi
Due to the improper neutralisation of special elements used in an OS command, an unauthenticated remote attacker can exploit an RCE vulnerability in the commb24sysapi module, resulting in full system compromise. This vulnerability is a variant attack for CVE-2020-10383...
Advisory ROSA-SA-2026-3254
software: coturn 4.5.2; OS: ROSA-CHROME; unaffected versions = coturn-4.5.2-6; affected versions: coturn-4.5.2-6; CVE-ID: CVE-2026-27624; BDU-ID: None; CVE-Crit: HIGH; CVE-DESC.: A vulnerability in Coturn allows a remote attacker to bypass loopback and internal IP range locking (denied-peer-ip option) and...
CISA Flags Apple, Craft CMS, Laravel Bugs in KEV, Orders Patching by April 3, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws impacting Apple, Craft CMS, and Laravel Livewire to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch them by April 3, 2026. The vulnerabilities that have come under...
MetaGPT Code Injection Vulnerability
MetaGPT is a multi-agent framework developed by MetaGPT Inc. Versions of MetaGPT 0.8.1 and earlier contained a code injection vulnerability. This vulnerability stemmed from a code injection flaw in the code generate function located in the file metagpt/ext/aflow/scripts/operator.py. It could...
Vanna SQL Injection Vulnerability
Vanna is a personalized AI SQL proxy from the Vanna company. Versions of Vanna 2.0.2 and earlier had a SQL injection vulnerability. This vulnerability stemmed from the ask function in the vannalegacyasease.py file, which allowed for SQL injection attacks, potentially enabling remote execution of...
CVE-2026-22897
A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.4.0415 and later...
CVE-2026-4442
Heap buffer overflow in CSS in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...
EUVD-2026-13207
Improper neutralization of special elements used in a command ('command injection') in Microsoft Bing Images allows an unauthorized attacker to execute code over a network...
CVE-2026-29102 SuiteCRM has Authenticated RCE in Modules
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an Authenticated Remote Code Execution (RCE) vulnerability exists in SuiteCRM modules. Versions 7.15.1 and 8.9.3 patch the issue...