CVE-2026-48776 LangGraph SDK has unsafe URL path construction

LangGraph Python SDK (versions ≤ 0.3.14) has unsafe URL path construction due to unsanitized caller-supplied identifiers in HTTP request paths, which could address the wrong resource or resource type. Impact: potential unintended access, modification, or deletion of resources beyond the caller's ...

CVE-2026-46486 Mobile Verification Toolkit (MVT): Path Traversal via unsanitized File identifiers in iOS Backup processing

MVT Mobile Verification Toolkit helps with conducting forensics of mobile devices in order to find signs of a potential compromise. Prior to version 2026.5.12, there is a path traversal vulnerability via unsanitized File identifiers in iOS Backup processing. This issue has been patched in version...

CVE-2026-39399

NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that ma...

EUVD-2026-31311

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in tables.php where the multiple POST parameters tablename, indexname, sortby are concatenated into table/column identifiers in dynamically constructed SELECT/UPDATE/DELETE statements without sanitization. Authenticated...

GHSA-XP6R-8PCC-XV5P BillaBear is Vulnerable to SQL Injection in the EventRepository

BillaBear all versions prior to Jan 2026 contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf without proper sanitization or identifier quoting. Although...

Filter Expression Injection

Spring AI is vulnerable to Filter Expression Injection. The vulnerability is due to insufficient sanitization of document IDs in MilvusVectorStoredoDeleteList, where attacker-controlled IDs are incorporated into Milvus filter expressions, allowing injection of malicious query conditions that can...

SQL Injection

Focalboard is vulnerable to SQL Injection. The vulnerability is due to improper sanitization of category IDs before they are incorporated into dynamic SQL statements, which allows an attacker to inject malicious SQL that is later executed and used to extract sensitive data from the database...

EUVD-2026-28875

Spring AI's MilvusVectorStoredoDeleteList implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 o...

PT-2026-39225

Name of the Vulnerable Software and Affected Versions Spring AI versions 1.0.0 through 1.0.6 Spring AI versions 1.1.0 through 1.1.5 Description The doDeleteList function in the MilvusVectorStore implementation is susceptible to filter-expression injection. This occurs because document IDs are not...

CVE-2026-33648 AVideo Vulnerable to OS Command Injection via Unsanitized `users_id` and `liveTransmitionHistory_id` in Restreamer Log File Path

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the restreamer endpoint constructs a log file path by embedding user-controlled usersid and liveTransmitionHistoryid values from the JSON request body without any sanitization. This log file path is then...

CVE-2026-0603

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive informatio...

SQL Injection

Overview sonnixgres is an A production-ready Python library for PostgreSQL database interactions with connection pooling, query caching, and rich console output. Affected versions of this package are vulnerable to SQL Injection due to inadequate sanitization of SQL identifiers in...

PT-2023-32168 · Moodle +8 · Moodle +3

Name of the Vulnerable Software and Affected Versions: Software affected versions not specified Description: The issue concerns a stored XSS risk in the quiz grading report, where ID numbers were not properly sanitized. This could potentially allow for malicious script execution. Recommendations:...

SUSE CVE-2022-23949

In Keylime before 6.3.0, unsanitized UUIDs can be passed by a rogue agent and can lead to log spoofing on the verifier and registrar...