CVE-2026-32859 ByteDance DeerFlow Stored XSS via Inline Artifact Rendering
ByteDance Deer-Flow versions prior to commit 5dbb362 contain a stored cross-site scripting vulnerability in the artifacts API that allows attackers to execute arbitrary scripts by uploading malicious HTML or script content as artifacts. Attackers can store malicious content that executes in the...
CVE-2026-32859
ByteDance Deer-Flow is affected by a stored XSS in the artifacts API for versions prior to commit 5dbb362. An attacker can upload malicious HTML/script content as artifacts, causing the browser to execute scripts when users view artifacts, potentially leading to session compromise and credential ...
OPENSUSE-SU-2026:20439-1 Security update for MozillaFirefox
This update for MozillaFirefox fixes the following issues: Update to Firefox 140.9.0 ESR MFSA 2026-22, bsc1260083: - CVE-2026-4684: Race condition, use-after-free in the Graphics: WebRender component - CVE-2026-4685: Incorrect boundary conditions in the Graphics: Canvas2D component - CVE-2026-468...
CVE-2026-25099
Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4...
BIT-ETCD-2026-33413 etcd: Authorization bypasses in multiple APIs
etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted...
CVE-2026-33735
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the /api/settings/import-database endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a fu...
Malicious Package
Overview @ev-tech/eva-container-api is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
MAL-2026-2246 Malicious code in @ev-tech/eva-container-api (npm)
Source: amazon-inspector 000e7dc4c22d822e052329e85f5a615743547eaafc111f35576b780059ca2afb The package @ev-tech/eva-container-api was found to contain malicious code. Source: ghsa-malware...
CVE-2026-29071
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can read other users' private memories via /api/v1/retrieval/query/collection. Version 0.8.6 patches the issue...
PT-2026-28586
Name of the Vulnerable Software and Affected Versions pyLoad versions prior to 0.5.0b3.dev97 Description pyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network...
PT-2026-28597
Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.5.1 Description Langflow is a tool for building and deploying AI-powered agents and workflows. A flaw exists in the read flow helper within src/backend/base/langflow/api/v1/flows.py. The code branched on the AUTO...
PT-2026-28445
Name of the Vulnerable Software and Affected Versions ByteDance Deer-Flow versions prior to commit 5dbb362 Description The software contains a stored cross-site scripting issue in the artifacts API. An attacker can execute arbitrary scripts by uploading malicious HTML or script content as...
Linux Distros Unpatched Vulnerability : CVE-2026-33743
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Incus is a system container and virtual machine manager. Prior to version 6.23.0, a specially crafted storage bucket backup can be used by a user with access t...
PT-2026-28602
Summary The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. Affected packages Only applicatio...
PT-2026-28627
Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.81.0 Description Fleet is open source device management software susceptible to a SQL injection issue in its MDM bootstrap package configuration. An authenticated user possessing Team Admin or Global Admin privileges...
Linux Distros Unpatched Vulnerability : CVE-2026-23924
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.containerinfo' parameters when forwarding them to the Docker daemon. An attacker capable of...
Linux Distros Unpatched Vulnerability : CVE-2026-23921
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL...