205492 matches found
xrdp 安全漏洞
XRDPT is an open-source remote desktop protocol server developed by Neutrinolabs. Versions of XRDPT prior to 0.10.5 contain security vulnerabilities. These vulnerabilities stem from issues with the session execution component’s handling of permission discarding processes. This could allow...
ROS-20260417-73-0047
Vulnerability in glpi related to failure to take measures to protect sql query structure. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code...
CVE-2026-31317
Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery SSRF which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file...
NI LabVIEW < 2023 Q3 Patch 9 / 2024.x < 2024 Q3 Patch 6 / 2025.x < 2025 Q3 Patch 4 / 2026.x < 2026 Q1 Patch 1 Multiple Memory Corruption Vulnerabilities
The version of National Instruments NI LabVIEW installed on the remote Windows host is affected by multiple memory corruption vulnerabilities that may result in information disclosure or arbitrary code execution, including the following: - There is an out-of-bounds read vulnerability in...
SiYuan 安全漏洞
SiYuan is an open-source personal knowledge management system developed by SiYuan itself. Versions of SiYuan from 3.6.1 to 3.6.3 have security vulnerabilities. These vulnerabilities stem from the Lute HTML cleanup program not preventing the use of iframe tags, and the URL prefixing mechanism not...
CVE-2026-31317
CVE-2026-31317 affects Craftql v1.3.7 and earlier. The root cause is a Server-Side Request Forgery (SSRF) vulnerability in vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php, which can allow an attacker to execute arbitrary code. Public references consistently describe SSRF as the imp...
CVE-2026-31317
Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery SSRF which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file...
CVE-2026-31317
Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery SSRF which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file...
ROS-20260417-73-0045
Vulnerability in glpi is related to failure to take measures to neutralize special elements in the template creation mechanism. Exploitation of the vulnerability may allow an attacker to execute arbitrary code...
BIT-MLFLOW-2025-10279 Privilege Escalation in mlflow/mlflow
In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions 0o777. This vulnerability allows an attacker with write access to the /tmp directory to exploit a race condition and overwrite .py files in the virtual...
SUSE CVE-2026-40915
A flaw was found in GIMP. A remote attacker could exploit an integer overflow vulnerability in the FITS image loader by providing a specially crafted FITS file. This integer overflow leads to a zero-byte memory allocation, which is then subjected to a heap buffer overflow when processing pixel...
CVE-2026-40922
SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering incomplete fix for CVE-2026-33066 enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not...
Paperclip: Malicious skills able to exfiltrate and destroy all user data
Summary An arbitrary code execution vulnerability in the workspace runtime service allows any agent to execute shell commands on the server, exposing all environment variables including API keys, JWT secrets, and database credentials. Details A malicious skill can instruct the agent to exploit th...
GHSA-W8HX-HQJV-VJCQ Paperclip: Malicious skills able to exfiltrate and destroy all user data
Summary An arbitrary code execution vulnerability in the workspace runtime service allows any agent to execute shell commands on the server, exposing all environment variables including API keys, JWT secrets, and database credentials. Details A malicious skill can instruct the agent to exploit th...
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Overview mathjs is a math library for JavaScript and Node.js. It features a flexible expression parser with support for symbolic computation, comes with a large set of built-in functions and constants, and offers an integrated solution to work with diff. Affected versions of this package are...
Arbitrary Code Injection
Overview protobufjs is a protocol buffer for JavaScript & TypeScript. Affected versions of this package are vulnerable to Arbitrary Code Injection through the handling of user-supplied protobuf definitions, specifically via the Type's name field. An attacker can execute arbitrary JavaScript code ...
Arbitrary Code Injection
Overview @apollo/protobufjs is a language-neutral, platform-neutral, extensible way of serializing structured data for use in communications protocols, data storage, and more, originally designed at Google Affected versions of this package are vulnerable to Arbitrary Code Injection through the...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection through the handling of user-supplied protobuf definitions, specifically via the Type's name field. An attacker can execute arbitrary JavaScript code by injecting malicious payloads into the protobuf definition,...
Arbitrary Code Injection
Overview flowise-ui is a Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper sanitization. This is only...
Arbitrary Code Injection
Overview flowise-components is a Flowiseai Components Affected versions of this package are vulnerable to Arbitrary Code Injection via the customReadCSVFunc process. An attacker can execute arbitrary code on the server by supplying malicious input that is interpolated and executed without proper...