EUVD-2026-36324
OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers...
Moodle 3.8-3.10.3 - Reflected XSS & Open Redirect
Moodle versions 3.10 to 3.10.3, 3.9 to 3.9.6, and 3.8 to 3.8.8 contain a reflected XSS and open redirect caused by insufficient sanitization of the redirect URI in the LTI authorization endpoint, letting attackers execute scripts or redirect users maliciously; exploitation requires a crafted URL with...
WordPress SEO Tools Plugin 4.0.7 - Cross-Site Scripting
The SEO Tools WordPress plugin through version 4.0.7 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape the 'src' parameter in the rssread.php file before outputting it back in the page, which could allow attackers to execute arbitrary...
Vite - Arbitrary File Read
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it...
RHSA-2026:33722 Red Hat Security Advisory: container-tools:rhel8 security, bug fix, and enhancement update
Bulletin has no description...
container-tools:rhel8 security, bug fix, and enhancement update
An update is available for module.netavark, module.runc, slirp4netns, module.libslirp, criu, module.udica, module.oci-seccomp-bpf-hook, udica, toolbox, netavark, module.python-podman, module.crun, python-podman, module.containers-common, module.conmon, oci-seccomp-bpf-hook,...
CVE-2026-13929
CVE-2026-13929: In Google Chrome for Android, DevTools policy enforcement is insufficient, allowing a local attacker to bypass navigation restrictions via a malicious file. Affected component: DevTools navigation/policy enforcement; root cause: insufficient policy enforcement in DevTools prior t...
Important: Red Hat Security Advisory: container-tools:rhel8 security, bug fix, and enhancement update
An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for...
CVE-2026-58168
DeepTutor before version 1.4.10 contains an authorization bypass vulnerability that allows low-privilege users to invoke unrestricted MCP tools due to the allowedmcptools function returning None instead of a denied result when mcptools is omitted from a user's grant in...
CVE-2026-58171
CVE-2026-58171 affects Vibe-Trading prior to 0.1.10. The swarm run directory is built by naïvely joining a caller-supplied run identifier to the base runs directory in agent/src/swarm/store.py, with no validation. A crafted run identifier via MCP swarm tools enables path traversal to read arbitra...
Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs Security Update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: libtiff: libtiff-4.7.1-2.3.hum1 aarch64, x86_64 libtiff-devel-4.7.1-2.3.hum1 aarch64, x86_64 libtiff-static-4.7.1-2.3.hum1 aarch64, x86_64 libtiff-tools-4.7.1-2.3.hum1 aarch64, x86_64...
Malicious code in polymarket-trading-developer-tools (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-trading-developer-tools uses a dropper technique: a postinstall hook downloads configuration from pm-trading-dev-tools-be.vercel.app and exfiltrates data to the...
Apple Patches 30+ iOS, macOS, Safari Flaws, Including AI-Discovered WebKit Bugs
Apple on Monday released security updates for iOS, macOS, and the Safari web browser to address over three dozen flaws, including four vulnerabilities in WebKit that were discovered using artificial intelligence (AI) tools like Anthropic Claude and OpenAI Codex Security. The WebKit vulnerabilities...
CVE-2026-56457
The CVE concerns HCL DevOps Deploy / HCL Launch with a vulnerability that allows exposure of sensitive information via output logs. The description notes that an attacker with access to the logs could potentially obtain sensitive values associated with a step. The Connected CVE lists confirm the ...
PYSEC-2026-472 PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection
Summary PraisonAI's MCP (Model Context Protocol) server (`praisonai mcp serve`) registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joi...
PYSEC-2026-464 PraisonAI Has Path Traversal in FileTools
Executive Summary: The path validation has a critical logic bug: it checks for .. AFTER normpath has already collapsed all .. sequences. This makes the check completely useless and allows trivial path traversal to any file on the system. The path validation function also does not resolve the...
PYSEC-2026-486 PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
Summary `execute_code` in praisonaiagents.tools.pythontools defaults to sandboxmode="sandbox", which runs user code in a subprocess wrapped with a restricted builtins dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper blockedattrs, line 143 of pythontools.py...
The Gentlemen are knocking: custom backdoors and evolving tactics
Introduction This year saw the emergence of The Gentlemen, a prominent example of a group operating under the ransomware-as-a-service (RaaS) model. Although our initial assessment suggested the group first appeared in mid-2025, it actually started ramping up its activities at the beginning of 2026...
Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection
Visual Tools DVR VX16 4.2.28.0 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. id: CVE-2021-42071 info: name: Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection author: gy741 severity: critical description: Visual...
Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: libsolv: libsolv-0.7.39-3.hum1 aarch64, x86_64 libsolv-demo-0.7.39-3.hum1 aarch64, x86_64 libsolv-devel-0.7.39-3.hum1 aarch64, x86_64 libsolv-tools-0.7.39-3.hum1 aarch64, x86_64...