CVE-2026-4093

A flaw was found in the Drupal 7 Term Reference Tree module. This vulnerability, a type of stored Cross-Site Scripting XSS, allows an authenticated attacker with permissions to edit or create taxonomy terms to inject malicious scripts. These scripts can execute when a user views a form containing...

EUVD-2026-31377

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A token display templates: When the Token module is enabled and token display templates are configured, attacker-controlled token output e.g., term description is rendered...

CVE-2026-4093

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A token display templates: When the Token module is enabled and token display templates are configured, attacker-controlled token output e.g., term description is rendered...

CVE-2026-4093 Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A token display templates: When the Token module is enabled and token display templates are configured, attacker-controlled token output e.g., term description is rendered...

CVE-2026-4093

CVE-2026-4093 is a stored XSS in the Drupal 7 Term Reference Tree module affecting versions up to and including 7.x-1.11. Two vectors are described: Vector A (token display templates): attacker-controlled token output (e.g., term description) is rendered without proper sanitization when the Token...

Refusal Evaluation in Coding LLMs and Code Agents: A Systematic Review of Thirteen Malicious-Code Prompt Corpora (2023-2025)

The evaluation of large language model refusal on malicious-coding tasks now spans at least thirteen publicly released prompt corpora AdvBench, the CyberSecEval family, RMCBench, RedCode, MCGMark, JailbreakBench, CySecBench, MalwareBench, CIRCLE, MOCHA, ASTRA, Scam2Prompt / Innoc2Scam-bench, and...

Astra Linux - уязвимость в sqlite3

There is a vulnerability in SQLite versions before 3.50.2, where the number of aggregate terms can exceed the number of available columns. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or higher...

CVE-2026-4128

The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The deleteterm function, which handles the 'tpmcatttdeleteterm' AJAX action, does not perform any capability check e.g., currentusercan to verify the...

CVE-2026-4128

The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The deleteterm function, which handles the 'tpmcatttdeleteterm' AJAX action, does not perform any capability check e.g., currentusercan to verify the...

PT-2026-34291

The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete term function, which handles the 'tpmcattt delete term' AJAX action, does not perform any capability check e.g., current user can to verify...

CLSA-2025-1754337993 sqlite: Fix of CVE-2025-6965

CVE-2025-6965: fix memory corruption issue caused by a query where the number of aggregate terms could exceed the number of columns available...

CLSA-2025-1754336638 sqlite: Fix of CVE-2025-6965

CVE-2025-6965: fix memory corruption issue caused by a query where the number of aggregate terms could exceed the number of columns available...

CVE-2026-6597

A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function removeapikeys/hasapiterms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated...

CVE-2026-6597 langflow-ai langflow Flow Using API core.py has_api_terms credentials storage

A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function removeapikeys/hasapiterms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated...

CVE-2026-6597

langflow-ai (Flow Using API) up to version 1.8.3 is affected by CVE-2026-6597. The vulnerability resides in the code path src/backend/base/langflow/api/utils/core.py, specifically the remove_api_keys/has_api_terms functions, which enables unprotected storage of credentials. The issue can be explo...

CVE-2026-33082 DataEase: SQL Injection in v2 Dataset Export

DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST /de2api/datasetTree/exportDataset is deserialized into a filtering object and passed to...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: sqlite (UTSA-2026-007210)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007210 advisory. There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a...

EUVD-2026-20441

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobedeletetaxterm function. This makes it possible...

CVE-2026-1673

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobedeletetaxterm function. This makes it possible...

CVE-2026-1673 BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobedeletetaxterm function. This makes it possible...