Heap-based Buffer Overflow

Overview Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the setderivedvalues function of the picparameterset component when processing a malformed H.265 PPS NAL unit. An attacker can cause a segmentation fault and crash the application by supplying specially...

UBUNTU-CVE-2026-33154

dynaconf is a configuration management tool for Python. Prior to version 3.2.13, Dynaconf is vulnerable to Server-Side Template Injection SSTI due to unsafe template evaluation in the @Jinja resolver. When the jinja2 package is installed, Dynaconf evaluates template expressions embedded in...

EUVD-2026-13639

Qwik City has array method pollution in FormData processing allows type confusion and DoS...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Range or Values summarizer, which renders raw database values without escaping HTML. An attacker can execute arbitrary HTML or JavaScript in the context of affected users by injecting malicious content...

CVE-2026-33080

Filament (Laravel) has a stored XSS risk in the Table summarizers Range and Values. Affected versions: 4.0.0–4.8.4 and 5.0.0–5.3.4 render raw database values without escaping HTML, enabling malicious HTML/JavaScript in unvalidated data shown by those summarizers. Remediation: upgrade to 4.8.5 or ...

CVE-2026-33080 Filament: Unvalidated Range and Values summarizer values can be used for XSS

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers Range, Values that render raw database values without escaping HTML. If there is a lack of validation for the data in the...

CVE-2026-33080 Filament: Unvalidated Range and Values summarizer values can be used for XSS

Filament is a collection of full-stack components for accelerated Laravel development. Versions 4.0.0 through 4.8.4 and 5.0.0 through 5.3.4 have two Filament Table summarizers Range, Values that render raw database values without escaping HTML. If there is a lack of validation for the data in the...

PT-2026-26691

A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger a write out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device. An...

PT-2026-26593

Summary Qwik City improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays...

CVE-2026-32721 LuCI luci-mod-network: Possible XSS attack in WiFi scan on Joining Wireless Client modal

LuCI is the OpenWrt Configuration Interface. Versions prior to both 24.10.5 and 25.12.0, contain a stored XSS vulnerability in the wireless scan modal, where SSID values from scan results are rendered as raw HTML without any sanitization. The wireless.js file in the luci-mod-network package passe...

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Overview Affected versions of this package are vulnerable to Incorrect Usage of Seeds in Pseudo-Random Number Generator PRNG via induced transient faults in the Keccak-based expansion process. An attacker can compromise key material and cryptographic outcomes by physically manipulating seed or...

CVE-2026-3503

Protection mechanism failure in wolfCrypt post-quantum implementations ML-KEM and ML-DSA in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect seed/pointer values during...

HCL AION Information Disclosure Vulnerability (CNVD-2026-15145)

HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from an information disclosure vulnerability that stems from the predictability of certain identifiers, which can be exploited by an attacker to cause the attacker to infer or guess system-generated values, triggerin...

wolfSSL 安全漏洞

wolfSSL CyaSSL is a small, portable embedded SSL programming library developed by the American company wolfSSL, designed for developers working with embedded systems. There is a security vulnerability in wolfSSL. This vulnerability stems from a protection mechanism that fails in the post-quantum...

PT-2026-26477

Name of the Vulnerable Software and Affected Versions DiceBear versions prior to 5.4.4 DiceBear versions 6.1.4 and earlier DiceBear versions 7.1.4 and earlier DiceBear versions 8.0.3 and earlier DiceBear versions 9.4.1 and earlier Description The software does not properly escape SVG attribute...

GHSA-VV3X-J2X5-36JC Filament Unvalidated Range and Values summarizer values can be used for XSS

Two Table summarizers Range, Values render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with...

Filament Unvalidated Range and Values summarizer values can be used for XSS

Two Table summarizers Range, Values render raw database values without escaping HTML. If there is a lack of validation for the data in the columns that use these summarizers, an attacker could plant malicious HTML / JavaScript and achieve stored XSS that executes for users who view the table with...

EUVD-2026-12934

HTSlib is a library for reading and writing bioinformatics file formats. CRAM is a compressed format which stores DNA sequence alignment data. In the cramdecodeslice function called while reading CRAM records, validation of the reference id field occurred too late, allowing two out of bounds read...

GHSA-QQ9G-96V4-M3CJ Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas

Summary The Select schema plugin in @pdfme/schemas constructs HTML from template-defined option values using unsanitized string interpolation and sets it via innerHTML, enabling arbitrary JavaScript execution. Details In packages/schemas/src/select/index.ts, lines 159-164, the Select schema's ui...

MAL-2026-1699 Malicious code in constant-values (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3eef7c3f6399148abe5dab50aeb81b1f42322e6ab93c0a116e7426486bb8ef0a The package constant-values was found to contain malicious code...