CVE-2026-41426 pretalx: Email injection via unescaped user-controlled placeholders in pretalx mail templates
pretalx is a conference planning tool. Prior to 2026.1.0, an unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account displ...
ai-security-poc
AI Security POC A fully containerised proof-of-concept for te...
GHSA-7HRG-5W46-5R2X Duplicate Advisory: OpenClaw: Slack thread context could include messages from non-allowlisted senders
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-qm77-8qjp-4vcm. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages ...
CVE-2026-41677 vulnerabilities
Vulnerabilities for packages: sccache, bootc, rustup, typst, sdp-k8s-injector, komodo, rustls-openssl-client, rpm-sequoia, sentry-cli, vector, guestproxyagent, deno, ztunnel-fips, sqlx, valkey-ldap...
CVE-2026-41676 vulnerabilities
Vulnerabilities for packages: sccache, bootc, rustup, typst, sdp-k8s-injector, komodo, rustls-openssl-client, rpm-sequoia, sentry-cli, vector, guestproxyagent, deno, ztunnel-fips, sqlx, valkey-ldap...
CVE-2026-41681 vulnerabilities
Vulnerabilities for packages: sccache, bootc, rustup, typst, sdp-k8s-injector, komodo, rustls-openssl-client, rpm-sequoia, sentry-cli, vector, guestproxyagent, deno, ztunnel-fips, sqlx, valkey-ldap...
GHSA-XMGF-HQ76-4VX2 vulnerabilities
Vulnerabilities for packages: sccache, bootc, rustup, typst, sdp-k8s-injector, komodo, rustls-openssl-client, rpm-sequoia, sentry-cli, vector, guestproxyagent, deno, ztunnel-fips, sqlx, valkey-ldap...
GHSA-PQF5-4PQQ-29F5 vulnerabilities
Vulnerabilities for packages: sccache, bootc, rustup, typst, sdp-k8s-injector, komodo, rustls-openssl-client, rpm-sequoia, sentry-cli, vector, guestproxyagent, deno, ztunnel-fips, sqlx, valkey-ldap...
GHSA-HPPC-G8H3-XHP3 vulnerabilities
Vulnerabilities for packages: sccache, bootc, rustup, typst, sdp-k8s-injector, komodo, rustls-openssl-client, rpm-sequoia, sentry-cli, vector, guestproxyagent, deno, ztunnel-fips, sqlx, valkey-ldap...
GHSA-GHM9-CR32-G9QJ vulnerabilities
Vulnerabilities for packages: sccache, bootc, rustup, typst, sdp-k8s-injector, komodo, rustls-openssl-client, rpm-sequoia, sentry-cli, vector, guestproxyagent, deno, ztunnel-fips, sqlx, valkey-ldap...
GHSA-8C75-8MHR-P7R9 vulnerabilities
Vulnerabilities for packages: sccache, bootc, rustup, typst, sdp-k8s-injector, komodo, rustls-openssl-client, rpm-sequoia, sentry-cli, vector, guestproxyagent, deno, ztunnel-fips, sqlx, valkey-ldap...
CVE-2026-41678 vulnerabilities
Vulnerabilities for packages: sccache, bootc, rustup, typst, sdp-k8s-injector, komodo, rustls-openssl-client, rpm-sequoia, sentry-cli, vector, guestproxyagent, deno, ztunnel-fips, sqlx, valkey-ldap...
SUSE CVE-2026-31432
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix OOB write in QUERYINFO for compound requests When a compound request such as READ + QUERYINFOSecurity is received, and the first command (READ) consumes most of the response buffer, ksmbd could write beyond the allocated...
MCP Pitfall Lab: Exposing Developer Pitfalls in MCP Tool Server Security under Multi-Vector Attacks
Model Context Protocol MCP is increasingly adopted for tool-integrated LLM agents, but its multi-layer design and third-party server ecosystem expand risks across tool metadata, untrusted outputs, cross-tool flows, multimodal inputs, and supply-chain vectors. Existing MCP benchmarks largely measu...
Infinite loop
Overview justhtml is a pure Python HTML5 parser that just works. Affected versions of this package are vulnerable to Infinite loop via custom sanitization policies or programmatic DOM manipulation. An attacker can inject and execute arbitrary scripts, cause resource loading, or trigger externa...
CVE-2026-40937
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a checkpermissions helper that validates authentication only (access key + session token), without performing any...
EUVD-2026-24955
A flaw was found in GNU Emacs. This vulnerability, a memory corruption issue, occurs when Emacs processes specially crafted SVG (Scalable Vector Graphics) CSS (Cascading Style Sheets) data. A local user could exploit this by convincing a victim to open a malicious SVG file, which may lead to a denial...
CVE-2026-6861
A flaw was found in GNU Emacs. This vulnerability, a memory corruption issue, occurs when Emacs processes specially crafted SVG (Scalable Vector Graphics) CSS (Cascading Style Sheets) data. A local user could exploit this by convincing a victim to open a malicious SVG file, which may lead to a denial...
CVE-2026-31438
CVE-2026-31438 affects the Linux kernel netfs code. A BUG occurs in netfs_limit_iter() when processing ITER_KVEC iterators (e.g., during core-dump to 9P), because ITER_KVEC is not dispatched like other supported types. The fix adds netfs_limit_kvec() (paralleling netfs_limit_bvec()) and dispatche...
CVE-2026-6861
A CVE-2026-6861 vulnerability affects GNU Emacs and relates to memory corruption when Emacs processes specially crafted SVG CSS data. A local attacker could entice a user to open a malicious SVG file, which may lead to a denial of service or information disclosure. Public references in the connec...