
205836 matches found

Github Security Blog
added 2026/04/17 3:31 p.m. | 3 views

Craftql vulnerable to Server-Side Request Forgery

Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file...

CVSS 7.5 | AI score 6.1 | EPSS 0.00463
Exploits 0 | References 5 | Affected Software 1
OSV
added 2026/04/17 3:19 p.m. | 3 views

JLSEC-2026-137

Academy Software Foundation OpenEXR EXR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Academy Software Foundation OpenEXR. User interaction is required to exploit this...

CVSS 7.8 | AI score 6.2 | EPSS 0.00158
Exploits 0 | References 1
SUSE CVE
added 2026/04/17 12:04 p.m. | 1 view

SUSE CVE-2026-6385

A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds...

CVSS 6.5 | AI score 6.1 | EPSS 0.00437
Exploits 0 | References 3
RedhatCVE
added 2026/04/17 8:30 a.m. | 1 view

CVE-2026-41015

A flaw was found in radare2. When radare2 is configured on UNIX without SSL, a local attacker can exploit a command injection vulnerability by providing a specially crafted PDB (Program Database) name to the rabin2 -PP utility. This can lead to arbitrary code execution, allowing the attacker to run...

CVSS 7.4 | AI score 6 | EPSS 0.01156
Exploits 0 | References 2
Redos
added 2026/04/17 12:00 a.m. | 3 views

ROS-20260417-73-0047

Vulnerability in glpi related to failure to take measures to protect SQL query structure. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code...

CVSS 9.8 | AI score 6.2 | EPSS 0.0028
Exploits 0
CNNVD
added 2026/04/17 12:00 a.m. | 8 views

xrdp Security Vulnerability

xrdp is an open-source remote desktop protocol server developed by Neutrinolabs. Versions of xrdp prior to 0.10.5 contain security vulnerabilities. These vulnerabilities stem from the session execution component's handling of privilege dropping. This could allow...

CVSS 8.8 | AI score 6.2 | EPSS 0.00159
Exploits 0 | References 2
Vulnrichment
added 2026/04/17 12:00 a.m. | 4 views

CVE-2026-31317

Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file...

AI score 6.1 | EPSS 0.00463
Exploits 0 | References 3
Cvelist
added 2026/04/17 12:00 a.m. | 26 views

CVE-2026-31317

Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file...

EPSS 0.00463
Exploits 0 | References 3
ATTACKERKB
added 2026/04/17 12:00 a.m. | 4 views

CVE-2026-31317

Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file...

AI score 6.1 | EPSS 0.00463
Exploits 0 | References 4
CNNVD
added 2026/04/17 12:00 a.m. | 8 views

SiYuan Security Vulnerability

SiYuan is an open-source personal knowledge management system developed by the SiYuan project. Versions of SiYuan from 3.6.1 to 3.6.3 have security vulnerabilities. These vulnerabilities stem from the Lute HTML sanitizer not blocking iframe tags, and the URL-prefix mechanism not...

CVSS 5.4 | AI score 6 | EPSS 0.00261
Exploits 1 | References 2
CVE
added 2026/04/17 12:00 a.m. | 5 views

CVE-2026-31317

CVE-2026-31317 affects Craftql v1.3.7 and earlier. The root cause is a Server-Side Request Forgery (SSRF) vulnerability in vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php, which can allow an attacker to execute arbitrary code. Public references consistently describe SSRF as the imp...

CVSS 7.5 | AI score 6.1 | EPSS 0.00463
Exploits 0 | References 3
Tenable Nessus
added 2026/04/17 12:00 a.m. | 10 views

NI LabVIEW < 2023 Q3 Patch 9 / 2024.x < 2024 Q3 Patch 6 / 2025.x < 2025 Q3 Patch 4 / 2026.x < 2026 Q1 Patch 1 Multiple Memory Corruption Vulnerabilities

The version of National Instruments NI LabVIEW installed on the remote Windows host is affected by multiple memory corruption vulnerabilities that may result in information disclosure or arbitrary code execution, including the following: - There is an out-of-bounds read vulnerability in...

CVSS 8.5 | AI score 7.4 | EPSS 0.0022
Exploits 0 | References 8
Redos
added 2026/04/17 12:00 a.m. | 6 views

ROS-20260417-73-0045

Vulnerability in glpi is related to failure to take measures to neutralize special elements in the template creation mechanism. Exploitation of the vulnerability may allow an attacker to execute arbitrary code...

CVSS 9.1 | AI score 6.2 | EPSS 0.0037
Exploits 1
OSV
added 2026/04/16 11:44 p.m. | 2 views

BIT-MLFLOW-2025-10279 Privilege Escalation in mlflow/mlflow

In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the /tmp directory to exploit a race condition and overwrite .py files in the virtual...

CVSS 7 | AI score 7.3 | EPSS 0.00215
Exploits 1 | References 3
SUSE CVE
added 2026/04/16 11:28 p.m. | 2 views

SUSE CVE-2026-40915

A flaw was found in GIMP. A remote attacker could exploit an integer overflow vulnerability in the FITS image loader by providing a specially crafted FITS file. This integer overflow leads to a zero-byte memory allocation, which is then subjected to a heap buffer overflow when processing pixel...

CVSS 7.8 | AI score 6.2 | EPSS 0.00375
Exploits 0 | References 3
ATTACKERKB
added 2026/04/16 11:14 p.m. | 2 views

CVE-2026-40922

SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (an incomplete fix for CVE-2026-33066) enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not...

CVSS 9 | AI score 6.9 | EPSS 0.00584
Exploits 2 | References 5 | Affected Software 1
OSV
added 2026/04/16 10:46 p.m. | 4 views

GHSA-W8HX-HQJV-VJCQ Paperclip: Malicious skills able to exfiltrate and destroy all user data

Summary: An arbitrary code execution vulnerability in the workspace runtime service allows any agent to execute shell commands on the server, exposing all environment variables including API keys, JWT secrets, and database credentials. Details: A malicious skill can instruct the agent to exploit th...

CVSS 7.3 | AI score 6.6
Exploits 0 | References 2
Github Security Blog
added 2026/04/16 10:46 p.m. | 6 views

Paperclip: Malicious skills able to exfiltrate and destroy all user data

Summary: An arbitrary code execution vulnerability in the workspace runtime service allows any agent to execute shell commands on the server, exposing all environment variables including API keys, JWT secrets, and database credentials. Details: A malicious skill can instruct the agent to exploit th...

AI score 6.6
Exploits 0 | References 2 | Affected Software 1
Snyk
added 2026/04/16 10:38 p.m. | 2 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview: mathjs is a math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with diff. Affected versions of this package are...

CVSS 9.9 | AI score 7.6 | EPSS 0.00441
Exploits 0 | References 2
Snyk
added 2026/04/16 10:34 p.m. | 6 views

Arbitrary Code Injection

Overview: @apollo/protobufjs is a language-neutral, platform-neutral, extensible way of serializing structured data for use in communications protocols, data storage, and more, originally designed at Google. Affected versions of this package are vulnerable to Arbitrary Code Injection through the...

CVSS 9.8 | AI score 6.4 | EPSS 0.00575
Exploits 1 | References 2