LangGraph SDK has unsafe URL path construction

Summary langgraph-sdk constructs HTTP request paths for resource operations by interpolating caller-supplied identifier values into URL templates. Without sanitization of those values, identifiers that contain characters with special meaning in URL paths could cause the resulting request to addre...

CVE-2026-9799

Affects Keycloak’s authorization component (org.keycloak.authorization). The vulnerability allows an authenticated user with a granted UMA permission ticket for one resource to bypass per-resource access control by using a specific permission request prefix, granting access to all resources of th...

CVE-2026-9799

A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access UMA permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to...

CVE-2026-12635 Reliance on Reverse DNS Resolution for a Security-Critical Action in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with maintainer-role permissions to make requests to internal network resources through...

Improper Access Control

LangGraph Python SDK is vulnerable to Improper Access Control. The vulnerability is due to unsafe URL path construction using unsanitized user-supplied identifiers, where special characters in identifier values can alter the intended request path and target unintended resources, allowing attacker...

CVE-2026-48776

LangGraph Python SDK is used to connect to running LangGraph API servers, manage assistants, threads and stream runs from Python applications. Versions 0.3.14 and prior have unsafe URL path construction through unsanitized caller-supplied identifier values used in HTTP request paths for resource...

CVE-2026-47635

Access of resource using incompatible type 'type confusion' in Microsoft Office allows an unauthorized attacker to execute code locally...

CVE-2026-45458

Access of resource using incompatible type 'type confusion' in Microsoft Office allows an unauthorized attacker to execute code locally...

EUVD-2026-35669

Access of resource using incompatible type 'type confusion' in Microsoft Office allows an unauthorized attacker to execute code locally...

CVE-2026-45456

CVE-2026-45456 affects Microsoft Office apps (notably Outlook and Word) and is caused by a resource access type confusion that can lead to local code execution. The vulnerability allows an authenticated, local attacker to run arbitrary code without user interaction, with high impact on confidenti...

PT-2026-47945

Name of the Vulnerable Software and Affected Versions Microsoft Office affected versions not specified Description A type confusion issue occurs when a resource is accessed using an incompatible type. This allows an unauthorized attacker to execute code locally within Microsoft Outlook and Word...

PT-2026-47943

Name of the Vulnerable Software and Affected Versions Microsoft Office affected versions not specified Description A type confusion issue occurs when a resource is accessed using an incompatible type. This allows an unauthorized attacker to execute arbitrary code locally or remotely, potentially...

Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to Authentication Bypass by Alternate Name CVE-2025-14777

Summary keycloak is used by the IBM Datapower Operations Dashboard as part of their IAM and SSO implementation Vulnerability Details CVEID:CVE-2025-14777 DESCRIPTION: A flaw was found in Keycloak. An IDOR Broken Access Control vulnerability exists in the admin API endpoints for authorization...

Important: nvidia-xconfig

Issue Overview: NVIDIA Display Driver for Windows and Linux contains a vulnerability in the kernel driver, where a user could cause an incorrect permission assignment for a critical resource. A successful exploit of this vulnerability might lead to data tampering and denial of service...

CVE-2026-42855

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp32 computes the authentication hash using the URI field from the client's Authorization header,...

CVE-2026-9808

An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints utilizing API Platform. Under certain conditions, roles configured with owner-scope restrictions such as viewown or editown are not properly enforced. This allows low-privilege authenticated API users to bypass...

PT-2026-44821

An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints utilizing API Platform. Under certain conditions, roles configured with owner-scope restrictions such as viewown or editown are not properly enforced. This allows low-privilege authenticated API users to bypass...

Server-side Request Forgery (SSRF)

Overview kibana is an open source Apache Licensed, browser-based analytics and search dashboard for Elasticsearch. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the connector management. An attacker can access internal network resources by bypassing...

CVE-2026-9689

CVE-2026-9689 affects Keycloak, an open-source identity and access management solution. The issue lies in the OIDC redirect URI handling when a client accepts broad redirect URIs, enabling an attacker to craft a special web address that could cause the client to prefer attacker-controlled informa...

CVE-2026-24190

NVIDIA Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer, where a user could cause improper access to GPU resources. A successful exploit of this vulnerability might lead to denial of service, escalation of privileges, information disclosure, data tampering, a...