Source: Positive Technologies
Added: 2026/05/18 12:00 a.m. (14 views)

PT-2026-41731

Name of the vulnerable software and affected versions: Claude HUD versions 0.0.0 through 0.0.12. Description: A path traversal issue allows attackers to read arbitrary files by providing an unvalidated transcript path value via stdin JSON. This enables access to any file readable by the process...

CVSS 4.8, AI score 5.9, EPSS 0.00126
Exploits: 0, References: 7

Source: EUVD
Added: 2026/05/17 5:51 p.m. (14 views)

EUVD-2026-30706

Net::Statsd::Tiny versions before 0.3.8 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics...

AI score 5.8, EPSS 0.00331
Exploits: 0, References: 3

Source: CVE
Added: 2026/05/17 5:51 p.m. (14 views)

CVE-2026-46720

Net::Statsd::Tiny for Perl is affected by CVE-2026-46720 in versions before 0.3.8. The vulnerability arises because metric names and set values are not validated for newlines, colons, or pipes, allowing metrics from untrusted sources to inject additional statsd metrics. Affected product/version: ...

CVSS 8.2, AI score 5.8, EPSS 0.00331
Exploits: 0, References: 3

Source: CNNVD
Added: 2026/05/17 12:00 a.m. (10 views)

Net::Statsd::Tiny injection vulnerability

Net::Statsd::Tiny is a lightweight StatsD client developed by Robert Rothenberg that supports aggregating multiple metrics. Versions of Net::Statsd::Tiny prior to 0.3.8 had an injection vulnerability. This vulnerability stemmed from the lack of checks for line breaks, colons, or vertical...

CVSS 8.2, AI score 5.8, EPSS 0.00331
Exploits: 0, References: 2

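The three Net::Statsd::Tiny entries above describe the same defect: metric names and set values reach the statsd wire line without being checked for newlines, colons or pipes, so one untrusted value can smuggle a second metric. The following is an added example in Python, not Net::Statsd::Tiny's code; the function names, metric names and the hostile value are constructed for the demo. It shows what a statsd server would record from an unchecked client beside a client that rejects wire delimiters.

```python
"""Added example (not Net::Statsd::Tiny's code): statsd metric injection.

Shows, in Python, why a statsd client must reject newlines, colons and
pipes in metric names and set values before building the wire line. The
metric names and the hostile input below are constructed for the demo.
"""
import re


def format_metric_unsafe(name: str, value: str, kind: str) -> str:
    """Vulnerable: concatenates caller-supplied fields unchecked.

    statsd wire format is <name>:<value>|<type>, one metric per line, so a
    newline in either field starts a new, attacker-chosen metric.
    """
    return f"{name}:{value}|{kind}"


# Characters that delimit fields or records on the statsd wire.
_DELIMITERS = re.compile(r"[\r\n:|]")


class MetricInjectionError(ValueError):
    pass


def format_metric_safe(name: str, value: str, kind: str) -> str:
    """Hardened: refuse any name or value carrying a wire delimiter."""
    for label, field in (("metric name", name), ("value", value)):
        if _DELIMITERS.search(field):
            raise MetricInjectionError(f"{label} contains a statsd delimiter: {field!r}")
    return f"{name}:{value}|{kind}"


# How a server reads the payload: one metric per line, name:value|type[|...].
_WIRE_LINE = re.compile(r"^([^:]+):([^|]*)\|([^|]+)")


def parse_wire(payload: str) -> list[tuple[str, str, str]]:
    """Decode a statsd payload the way a server would, one metric per line."""
    metrics = []
    for line in payload.split("\n"):
        m = _WIRE_LINE.match(line)
        if m:
            metrics.append(m.groups())
    return metrics


def demo() -> tuple[list[tuple[str, str, str]], bool]:
    """Return (metrics a server records from the unsafe client, whether the safe client blocked the input)."""
    # Constructed hostile set value: closes the real metric, then smuggles a counter.
    hostile = "alice|s\nadmin.logins:9999|c"
    recorded = parse_wire(format_metric_unsafe("users.seen", hostile, "s"))
    try:
        format_metric_safe("users.seen", hostile, "s")
        blocked = False
    except MetricInjectionError:
        blocked = True
    return recorded, blocked


if __name__ == "__main__":
    print(demo())
```

Rejecting the delimiters is preferable to escaping them: statsd has no escaping syntax, so a sanitised value that silently changes the metric name would corrupt dashboards instead of surfacing the bad input.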
Source: Cvelist
Added: 2026/05/15 9:44 p.m. (45 views)

CVE-2026-45299 Open WebUI: Stored Cross-Site Scripting In Profile Picture

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.0, the profileimageurl field on the user profile update form accepted arbitrary data: URI values without MIME-type validation, resulting in an XSS vulnerability. This vulnerability is...

CVSS 5.4, EPSS 0.00199
Exploits: 0, References: 1

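The Open WebUI entry above turns on one missing check: a data: URI stored as a profile image was accepted whatever MIME type it declared. The block below is an added example in Python, not Open WebUI's code; the allowlist, size limit, function names and sample URIs are constructed. It accepts a data: URI only when the declared type is an allowlisted raster image type, the payload is valid base64 within a size limit, and the decoded bytes carry the magic number of the declared type, so a URI that claims image/png but carries markup is refused too.

```python
"""Added example (not Open WebUI's code): validating a data: URI profile image.

Accepts the URI only if its MIME type is an allowlisted raster image type,
the payload is valid base64 within a size limit, and the decoded bytes start
with the magic number for the declared type. Sample URIs are constructed;
the "PNG" is just a valid header plus padding, not a real image.
"""
import base64
import binascii
import re

ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}
MAX_IMAGE_BYTES = 512 * 1024

# data:<mime>[;param=value...][;base64],<payload>
_DATA_URI = re.compile(
    r"data:([a-z0-9.+-]+/[a-z0-9.+-]+)((?:;[a-z0-9-]+=[^;,]+)*)(;base64)?,(.*)",
    re.IGNORECASE | re.DOTALL,
)


class InvalidProfileImage(ValueError):
    pass


def _magic_matches(mime: str, data: bytes) -> bool:
    """Check that the decoded bytes start like the declared image type."""
    if mime == "image/png":
        return data.startswith(b"\x89PNG\r\n\x1a\n")
    if mime == "image/jpeg":
        return data.startswith(b"\xff\xd8\xff")
    if mime == "image/gif":
        return data[:6] in (b"GIF87a", b"GIF89a")
    if mime == "image/webp":
        return data[:4] == b"RIFF" and data[8:12] == b"WEBP"
    return False


def validate_profile_image(uri: str) -> tuple[str, bytes]:
    """Return (mime, decoded bytes) or raise InvalidProfileImage."""
    m = _DATA_URI.fullmatch(uri)
    if m is None:
        raise InvalidProfileImage("not a data: URI")
    mime, _params, is_b64, payload = m.groups()
    mime = mime.lower()
    if mime not in ALLOWED_IMAGE_TYPES:            # rejects text/html, image/svg+xml, ...
        raise InvalidProfileImage(f"MIME type not allowed: {mime}")
    if is_b64 is None:
        raise InvalidProfileImage("only base64 payloads are accepted")
    if len(payload) > MAX_IMAGE_BYTES * 4 // 3 + 4:  # bound work before decoding
        raise InvalidProfileImage("image too large")
    try:
        data = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise InvalidProfileImage("payload is not valid base64") from exc
    if not _magic_matches(mime, data):             # declared type must match the bytes
        raise InvalidProfileImage("content does not match declared MIME type")
    return mime, data


def is_acceptable_profile_image(uri: str) -> bool:
    try:
        validate_profile_image(uri)
        return True
    except InvalidProfileImage:
        return False


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


# Constructed samples.
SAMPLE_PNG_URI = "data:image/png;base64," + _b64(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
SAMPLE_HTML_URI = "data:text/html;base64," + _b64(b"<script>alert(document.cookie)</script>")
SAMPLE_SVG_URI = "data:image/svg+xml;base64," + _b64(b"<svg onload='alert(1)'/>")
SAMPLE_SPOOFED_URI = "data:image/png;base64," + _b64(b"<svg onload='alert(1)'/>")  # lies about its type

if __name__ == "__main__":
    for uri in (SAMPLE_PNG_URI, SAMPLE_HTML_URI, SAMPLE_SVG_URI, SAMPLE_SPOOFED_URI):
        print(uri[:40], is_acceptable_profile_image(uri))
```

Serving the stored bytes with a fixed Content-Type of your own choosing and `X-Content-Type-Options: nosniff` removes the remaining reliance on the client honouring the declared type.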
Source: RedhatCVE
Added: 2026/05/14 7:58 p.m. (7 views)

CVE-2026-31156

A path injection vulnerability exists in OpenPLC v3 2c82b0e79c53f8c1f1458eee15fec173400d6e1a as the binary program compiled from gluegenerator.cpp does not perform any validation on the file path parameters passed via the command line. The user-controlled input parameters are directly passed to t...

CVSS 6.5, AI score 5.9, EPSS 0.00409
Exploits: 2, References: 1

Source: SUSE CVE
Added: 2026/05/14 3:09 a.m. (14 views)

SUSE CVE-2023-7101

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of...

CVSS 7.3, AI score 7.8, EPSS 0.167
Exploits: 1, References: 5

Source: EUVD
Added: 2026/05/14 12:31 a.m. (28 views)

EUVD-2026-30206

Web::Passwd versions through 0.03 for Perl are vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The user parameter is neither validated nor escaped and is used as the last argument on the command line, allowing command injection...

AI score 5.8, EPSS 0.01653
Exploits: 0, References: 3

Source: ATTACKERKB
Added: 2026/05/13 10:24 p.m. (8 views)

CVE-2026-8500

Web::Passwd versions through 0.03 for Perl are vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The user parameter is neither validated nor escaped and is used as the last argument on the command line, allowing command injection...

AI score 5.8, EPSS 0.01653
Exploits: 0, References: 3

Source: RedhatCVE
Added: 2026/05/13 8:22 p.m. (4 views)

CVE-2026-41693

i18next-fs-backend is a backend layer for i18next, used in Node.js and Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then reads / writes the resulting fil...

CVSS 8.2, AI score 5.7, EPSS 0.00292
Exploits: 0, References: 1

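Two shapes of path traversal appear in this list: the Claude HUD entry takes a complete path from untrusted stdin JSON, and the i18next-fs-backend entry substitutes untrusted fragments (lng, ns) into a path template. Both are closed the same way: resolve the final path and require it to stay under an allowed root. The block below is an added example in Python, not code from either project; the directory layout, the `{lng}/{ns}.json` template, the function names and the hostile values are constructed for the demo. It reproduces the unchecked substitution reading a file outside the root, then the hardened variant refusing both the traversal fragment and an absolute path supplied whole.

```python
"""Added example (not code from Claude HUD or i18next-fs-backend): confining
file access to an allowed root.

A whole path from untrusted input and untrusted fragments substituted into
a template are both fixed by resolving the final path and requiring it to
stay under the root. Layout, template and hostile values are constructed.
"""
import re
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    pass


def resolve_within(root: Path, candidate: Path) -> Path:
    """Return the resolved path if it lies under root, otherwise raise.

    resolve() normalises '..' and follows existing symlinks, so the
    containment check is made on the path the OS would actually open.
    """
    root_real = root.resolve()
    target = candidate.resolve()
    if target != root_real and root_real not in target.parents:
        raise PathEscapeError(f"{candidate} escapes {root}")
    return target


def translation_path_unsafe(root: Path, lng: str, ns: str) -> Path:
    """Vulnerable: substitutes fragments into the template and uses the result as-is."""
    return root / f"{lng}/{ns}.json"


_SEGMENT = re.compile(r"[A-Za-z0-9_-]+")  # one path component, no separators or dots


def translation_path_safe(root: Path, lng: str, ns: str) -> Path:
    """Hardened: allowlist each fragment, then confine the resolved path."""
    for frag in (lng, ns):
        if not _SEGMENT.fullmatch(frag):
            raise PathEscapeError(f"bad path segment {frag!r}")
    return resolve_within(root, root / f"{lng}/{ns}.json")


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "locales"
        (root / "en").mkdir(parents=True)
        (root / "en" / "common.json").write_text('{"hello": "Hello"}')
        secret = Path(tmp) / "secret.json"             # outside the locales root
        secret.write_text("s3cret")
        hostile_ns = "../../secret"                     # constructed traversal value
        result = {}
        # Template substitution without checks reads the file outside the root.
        result["leaked"] = translation_path_unsafe(root, "en", hostile_ns).read_text()
        try:
            translation_path_safe(root, "en", hostile_ns)
            result["blocked"] = False
        except PathEscapeError:
            result["blocked"] = True
        result["legit"] = translation_path_safe(root, "en", "common").read_text()
        # A complete caller-supplied path (the transcript-path shape) goes through the same check.
        try:
            resolve_within(root, secret)
            result["abs_blocked"] = False
        except PathEscapeError:
            result["abs_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The fragment allowlist alone would already stop the traversal shown here; the containment check is kept as well because it also covers symlinks under the root and paths that were never built from a template.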
Source: CVE
Added: 2026/05/13 7:21 p.m. (10 views)

CVE-2026-42548

Flight (PHP micro-framework) contains a reflected XSS in Flight::jsonp() prior to version 3.18.1, where the ?jsonp= parameter is concatenated into a JavaScript response without validating the callback name. This allows an attacker to inject arbitrary JavaScript that executes in the response origi...

CVSS 8.6, AI score 5.6, EPSS 0.00341
Exploits: 0, References: 1

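The Flight entry above is the classic JSONP mistake: a callback name taken from the query string is concatenated into a JavaScript body, so the "callback" can be any script. The block below is an added example in Python, not the Flight framework's code; the identifier grammar, length limit, function names and sample callback names are constructed. It shows the vulnerable concatenation beside a renderer that allowlists the callback and emits the headers that keep the response from being reinterpreted.

```python
"""Added example (not the Flight framework's code): emitting a JSONP
response safely.

The callback name is attacker-controlled, so it is validated against a
strict identifier grammar before being concatenated into the JavaScript
body. Callback names and payloads below are constructed.
"""
import json
import re


def jsonp_unsafe(callback: str, data: object) -> str:
    """Vulnerable: the callback is placed verbatim into executable JavaScript."""
    return f"{callback}({json.dumps(data)});"


# ASCII JavaScript identifier, optionally dotted: "cb", "app.handlers.onData".
_IDENT = r"[A-Za-z_$][A-Za-z0-9_$]*"
_CALLBACK = re.compile(rf"{_IDENT}(?:\.{_IDENT})*")
MAX_CALLBACK_LEN = 64


def is_valid_callback(name: str) -> bool:
    return len(name) <= MAX_CALLBACK_LEN and _CALLBACK.fullmatch(name) is not None


def jsonp_safe(callback: str, data: object) -> tuple[dict[str, str], str]:
    """Hardened: allowlist the callback and return (headers, body).

    The leading /**/ comment and a script MIME type with nosniff are the
    usual mitigations against the response being reinterpreted as another
    content type by the client.
    """
    if not is_valid_callback(callback):
        raise ValueError("invalid JSONP callback")
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    # json.dumps with ensure_ascii=True (the default) escapes U+2028/U+2029,
    # which would otherwise terminate a JavaScript string literal.
    body = f"/**/{callback}({json.dumps(data)});"
    return headers, body


if __name__ == "__main__":
    hostile = "alert(document.domain);//"
    print(jsonp_unsafe(hostile, {"ok": True}))   # script runs in the response origin
    print(is_valid_callback(hostile))            # False: rejected before rendering
```

Rejecting with an error rather than falling back to a default callback keeps the endpoint from becoming a tool for probing which names are accepted.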
Source: CVE
Added: 2026/05/13 2:57 p.m. (23 views)

CVE-2026-44455

Summary: CVE-2026-44455 affects hono/jsx in the Hono web framework. Prior to version 4.12.16, unvalidated JSX tag names used via programmatic jsx() or createElement() during server-side rendering could be inserted into HTML output, allowing untrusted input to break element context and inject unin...

CVSS 6.1, AI score 5.8, EPSS 0.0014
Exploits: 0, References: 1, Affected software: 1

Source: NVD
Added: 2026/05/12 4:16 p.m. (6 views)

CVE-2026-31220

PySyft Syft Datasite/Server versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions via @sy.syftfunction for remote execution on the server. While a...

CVSS 9.8, EPSS 0.00631
Exploits: 0, References: 2

Source: Vulnrichment
Added: 2026/05/12 12:00 a.m. (7 views)

CVE-2026-31220

PySyft Syft Datasite/Server versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions via @sy.syftfunction for remote execution on the server. While a...

AI score 6.7, EPSS 0.00631
Exploits: 0, References: 2

Source: OSV
Added: 2026/05/11 6:31 p.m. (4 views)

GHSA-65H7-C7C4-MGHX MLflow Has a Server-Side Request Forgery (SSRF) Vulnerability

A Server-Side Request Forgery SSRF vulnerability exists in MLflow versions prior to 3.9.0. The createwebhook function in mlflow/server/handlers.py accepts a user-controlled url parameter without validation, and the sendwebhookrequest function in mlflow/webhooks/delivery.py sends HTTP POST request...

CVSS 7.1, AI score 6, EPSS 0.00248
Exploits: 1, References: 4

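The MLflow entry above is SSRF in its plainest form: a webhook URL supplied by a user is fetched by the server without validation. The block below is an added example in Python, not MLflow's code; the function names, the fake DNS zone and the sample URLs are constructed. It checks the scheme, refuses embedded credentials, and resolves the host through an injected resolver so that loopback, link-local (cloud metadata), private and IPv4-mapped addresses are rejected before any request is sent.

```python
"""Added example (not MLflow's code): validating a user-supplied webhook URL
before the server makes a request to it.

DNS resolution is injected as a function so the check runs offline; the
zone below is constructed. In production, pass a real resolver and connect
to the address you validated instead of letting the HTTP client resolve
the name a second time (DNS rebinding).
"""
import ipaddress
from typing import Callable
from urllib.parse import urlsplit

Resolver = Callable[[str], list[str]]


class UnsafeWebhookURL(ValueError):
    pass


def _is_public(ip) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def validate_webhook_url(url: str, resolve: Resolver) -> list[str]:
    """Raise UnsafeWebhookURL unless every address the host resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeWebhookURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeWebhookURL("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeWebhookURL("missing host")
    addrs = resolve(host)
    if not addrs:
        raise UnsafeWebhookURL(f"{host!r} does not resolve")
    for addr in addrs:  # every answer must be public, or a rebinding-style mix gets through
        if not _is_public(ipaddress.ip_address(addr)):
            raise UnsafeWebhookURL(f"{host!r} resolves to non-public address {addr}")
    return addrs


def is_safe_webhook_url(url: str, resolve: Resolver) -> bool:
    try:
        validate_webhook_url(url, resolve)
        return True
    except UnsafeWebhookURL:
        return False


# Constructed zone standing in for DNS. 93.184.216.34 is a routable example address.
_FAKE_ZONE = {
    "hooks.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # mixed answers: reject
}


def fake_resolve(host: str) -> list[str]:
    try:
        return [str(ipaddress.ip_address(host))]  # literal IP in the URL
    except ValueError:
        return _FAKE_ZONE.get(host, [])


if __name__ == "__main__":
    for url in ("https://hooks.example.com/mlflow", "http://metadata.internal/latest/meta-data/",
                "http://[::ffff:127.0.0.1]/", "file:///etc/passwd"):
        print(url, is_safe_webhook_url(url, fake_resolve))
```

Redirects need the same treatment: either disable them for webhook delivery or re-run the validation on every Location before following it, since an allowed public host can redirect the server back to an internal address.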
Source: OSV
Added: 2026/05/11 6:31 p.m. (5 views)

GHSA-M85W-WHWH-QVFX GPT-Pilot contains a command injection vulnerability in the Executor.run() method

GPT-Pilot through commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper...

CVSS 6.5, AI score 6.5, EPSS 0.00704
Exploits: 0, References: 3

Source: EUVD
Added: 2026/05/11 6:31 p.m. (9 views)

EUVD-2026-29054

GPT-Pilot through commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper...

AI score 6.5, EPSS 0.00704
Exploits: 0, References: 3

Source: OSV
Added: 2026/05/11 6:06 p.m. (39 views)

EEF-CVE-2026-43969 Cookie Request Header Injection via Unvalidated Encoder in cow_cookie:cookie/1

Summary: Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value...

CVSS 2.1, AI score 6, EPSS 0.00145
Exploits: 0, References: 3

Source: Cvelist
Added: 2026/05/11 12:00 a.m. (41 views)

CVE-2026-31246

GPT-Pilot through commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper...

EPSS 0.00704
Exploits: 0, References: 2

Source: Vulnrichment
Added: 2026/05/11 12:00 a.m. (5 views)

CVE-2026-31246

GPT-Pilot through commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper...

AI score 6.5, EPSS 0.00704
Exploits: 0, References: 2