Security Bulletin: IBM Transformation Advisor is affected by multiple vulnerabilities found in Node.js
Summary: There are multiple vulnerabilities in Node.js used by IBM Transformation Advisor. Vulnerability Details: CVEID: CVE-2026-44664. DESCRIPTION: fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using...
Astra Linux - vulnerability in node-brace-expansion
A vulnerability was discovered in the juliangruber brace-expansion library up to versions 1.1.11/2.0.1/3.0.0/4.0.0. This issue has been identified as problematic. The affected function is the “expand” function of the file index.js. Manipulation of this function leads to inefficient use of regular...
EUVD-2026-29826
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability CVE-2026-7474 is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11...
CVE-2026-6959
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability CVE-2026-6959 is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11...
NPM: protobuf.js is Vulnerable to OS Command Injection in the CLI
NPM: protobuf.js is Vulnerable to OS Command Injection in the CLI vulnerability discovered by ? in WordPress Npm protobufjs-cli versions = 1.2.0...
Wish path traversal vulnerability
Wish is a server tool developed by Charm for simplifying SSH application development. Versions of Wish prior to 2.0.0 and 2.0.1 contained a path traversal vulnerability. This vulnerability stemmed from the SCP middleware not properly verifying file names, which could lead to path traversal attack...
Tubitak Ulakbim LiderAhenk Software access control error vulnerability
Tubitak Ulakbim LiderAhenk Software is an open-source software system developed by the Turkish National Academic Network and Knowledge Center Tubitak Ulakbim. It is used for centralized management, monitoring, and control of systems and users on enterprise networks. In versions 2.0.1 to 2.0.2 of...
AI Development Assistant MCP Server injection vulnerability
The AI Development Assistant MCP Server is an AI development assistant developed by Kevin Leneway. Versions of the AI Development Assistant MCP Server 2.0.1 and earlier have a vulnerability due to command injection in the runCodeReviewTool function found in the src/tools/codeReview.ts file, which...
airflow-clickhouse-plugin (>=1.3.0 <=1.4.0), airflow-dagfactory (=0.19.1) +26 more potentially affected by CVE-2026-41016 via apache-airflow-providers-smtp (>=2.0.1 <=2.4.0rc1)
apache-airflow-providers-smtp PYPI version =2.0.1, =1.3.0, =0.0.1, =0.9.2, =2.9.0, =1.0.0, =0.1.34, =2.10.3, =1.7.3, =1.8.0rc2, =4.3.0, =1.4.10, =0.20.1, =0.30.5rc1 and more Source cves: CVE-2026-41016 Source advisory: OSV:PYSEC-2026-24...
aima (=2023.2.4), appcensus-dynamic-repos (>=2.0.113 <=2.1.117) +27 more potentially affected by CVE-2026-41140 via poetry (>=2.0.1 <=2.3.3)
poetry PYPI version =2.0.1, =2.0.113, =0.0.2, =1.0.7, =0.1.1, =1.5.12, =0.2.0, =0.4.3, =1.5.4, =0.1.2, =0.1.6 and more Source cves: CVE-2026-41140 Source advisory: SNYK:PYTHON-POETRY-16122096...
CVE-2026-4067 Ad Short <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'client' Shortcode Attribute
The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attribute. The adfunc shortcode handle...
WordPress plugin BuilderPress security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
CVE-2026-1454 Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting
The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfbleadsanitize function which omits certain...
org.apache.iotdb:client-example (>=2.0.1-beta <=2.0.6), org.apache.iotdb:customize-mqtt-example (=2.0.1-beta) +9 more potentially affected by CVE-2026-24015 via org.apache.iotdb:node-commons (>=2.0.1-beta <=2.0.6)
org.apache.iotdb:node-commons MAVEN version =2.0.1-beta, =2.0.1-beta, =2.0.1-beta, =2.0.6 - org.apache.iotdb:iotdb-distribution =2.0.1-beta - org.apache.iotdb:iotdb-server =2.0.1-beta - org.apache.iotdb:pipe-count-point-processor-example =2.0.1-beta - org.apache.iotdb:trigger-example =2.0.1-beta...
WordPress WP-ClanWars plugin <= 2.0.1 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter vulnerability
Authenticated (Administrator+) SQL Injection via 'orderby' Parameter vulnerability discovered by 0x34rth in WordPress Plugin WP-ClanWars versions <= 2.0.1...
PT-2026-4576
The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
WordPress Series plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Series versions <= 2.0.1...
PT-2025-47802
Name of the Vulnerable Software and Affected Versions: Zegen Core versions prior to 2.0.1. Description: The Zegen Core plugin for WordPress is susceptible to a Cross-Site Request Forgery (CSRF) issue leading to Arbitrary File Upload. This is caused by a lack of nonce validation and file type validatio...
EUVD-2023-38157
Malicious code in bioql PyPI...
CVE-2025-48392 Apache IoTDB: DoS Vulnerability
A vulnerability in Apache IoTDB. This issue affects Apache IoTDB: from 1.3.3 through 1.3.4, from 2.0.1-beta through 2.0.4. Users are recommended to upgrade to version 2.0.5, which fixes the issue...