CVE-2026-34934

Summary: PraisonAI is affected by a second‑order SQL injection in the get_all_user_threads flow. The function builds raw SQL queries by interpolating unescaped thread IDs retrieved from the DB, enabling an attacker to inject via update_thread. When PraisonAI loads the thread list, the payload can...

CVE-2026-34824

CVE-2026-34824 targets the Mesop Python-based UI framework. A vulnerability in the WebSocket handler from version 1.2.3 up to, but not including, 1.2.5 allows an unauthenticated attacker to flood the server with rapid WebSocket messages, causing unbounded thread creation. This thread exhaustion l...

CVE-2026-34824 Mesop: Unbounded Thread Creation in WebSocket Handler Leads to Denial of Service

Mesop is a Python-based UI framework that allows users to build web applications. From version 1.2.3 to before version 1.2.5, an uncontrolled resource consumption vulnerability exists in the WebSocket implementation of the Mesop framework. An unauthenticated attacker can send a rapid succession o...

Incorrect Authorization

Overview @openclaw/matrix is an OpenClaw Matrix channel plugin Affected versions of this package are vulnerable to Incorrect Authorization in the process that fetches thread root and reply context, which bypasses the sender allowlist. An attacker can gain unauthorized access to message threads by...

GHSA-9CQ8-3V94-434G PraisonAI Has Second-Order SQL Injection in `get_all_user_threads`

Summary The getalluserthreads function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via updatethread. When the application loads the thread list, the injected payload executes and grants full database...

CVE-2026-23369

A flaw was found in the Linux kernel's i2c i801 driver. Under rare circumstances, multiple udev threads can concurrently access the i801acpiiohandler during system boot. This can lead to a null pointer dereference when the i2clockbus attempts to use an unregistered memory area. A local attacker...

CVE-2026-23297 nfsd: Fix cred ref leak in nfsd_nl_threads_set_doit().

In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsdnlthreadssetdoit. syzbot reported memory leak of struct cred. 0 nfsdnlthreadssetdoit passes getcurrentcred to nfsdsvc, but putcred is not called after that. The cred is finally passed down to...

CVE-2026-23297

In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix cred ref leak in nfsdnlthreadssetdoit. syzbot reported memory leak of struct cred. 0 nfsdnlthreadssetdoit passes getcurrentcred to nfsdsvc, but putcred is not called after that. The cred is finally passed down to...

CVE-2026-25083

GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages...

Missing authorization in the OpenAI thread/message API endpoints of GROWI

Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Missing authorization in the OpenAI thread/message API endpoints CWE-862 - CVE-2026-25083 This can be exploited only when an attacker knows a shared AI assistant's identifier Sho Odagiri of GMO Cybersecurity by Ierae, In...

CVE-2026-25083

GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages...

PT-2026-25629

GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper the other user's threads/messages...

Weseek Growi 安全漏洞

Weseek Growi is an open-source wiki system developed by the Japanese company Weseek, which can be written in Markdown format. Versions of Weseek Growi prior to v7.4.5 contained security vulnerabilities. These vulnerabilities stemmed from the OpenAI thread/message API endpoints not performing...

EulerOS Virtualization 2.12.0 : perl (EulerOS-SA-2026-1509)

According to the versions of the perl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : Perl threads have a working directory race condition where file operations may target unintended paths.If a directory handle is open ...

SUSE SLES15 Security Update : valkey (SUSE-SU-2026:0848-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0848-1 advisory. Update to version 8.0.7. Security issues fixed: - CVE-2025-67733: data tampering and denial of service via improper null character...

Exploit for Deserialization of Untrusted Data in Facebook React

CVE-2025-55182 Next.js RCE Scanner !Licensehttps://img.sh...

kernel: scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue When the task management thread processes reply queues while the reset thread resets them, the task management thread accesses an invalid queue ID 0xFFFF, s...

Django has a Race Condition vulnerability

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. Race condition in file-system storage and file-based cache backends in Django allows an attacker to cause file system objects to be created with incorrect permissions via concurrent requests, where one thread's...

SUSE-SU-2026:0685-1 Security update for valkey

This update for valkey fixes the following issues: Update to version 8.0.7. Security issues fixed: - CVE-2025-67733: data tampering and denial of service via improper null character handling in Lua scripts bsc1258746. - CVE-2026-21863: denial of service via invalid clusterbus packet bsc1258788...

CVE-2026-27630

TinyWeb is a web server HTTP, HTTPS written in Delphi for Win32. Versions prior to version 2.02 are vulnerable to a Denial of Service DoS attack known as Slowloris. The server spawns a new OS thread for every incoming connection without enforcing a maximum concurrency limit or an appropriate...