CVE-2026-25680

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service...

CVE-2026-42228

n8n (open source workflow automation) has a vulnerability in the /chat WebSocket endpoint used by the Chat Trigger node’s Hosted Chat feature. The issue: an unauthenticated attacker could attach to a workflow execution in a waiting state without verifying authorization, receive the pending prompt...

Eval Injection

Agno is vulnerable to Eval Injection. The vulnerability is due to unsafe use of eval on the fieldtype parameter without proper validation, which allows an attacker to execute arbitrary Python code by manipulating input...

CVE-2026-35053

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, the Worker service's ManualAPI exposes workflow execution endpoints GET /workflow/manual/run/:workflowId and POST /workflow/manual/run/:workflowId without any authentication middleware. An attacker who ca...

EUVD-2014-9442

Malware in sbrugna...

EUVD-2018-20477

Malware in sbrugna...

EUVD-2018-17180

Malware in sbrugna...

EUVD-2022-6096

Malicious code in bioql PyPI...

EUVD-2022-38612

Malicious code in bioql PyPI...

EUVD-2022-7229

Malicious code in bioql PyPI...

EUVD-2022-6077

Malicious code in bioql PyPI...

EUVD-2022-6038

Malicious code in bioql PyPI...

EUVD-2022-6626

Malicious code in bioql PyPI...

CVE-2025-59937

go-mail is a comprehensive library for sending mails with Go. In versions 0.7.0 and below, due to incorrect handling of the mail.Address values when a sender- or recipient address is passed to the corresponding MAIL FROM or RCPT TO commands of the SMTP client, there is a possibility of wrong...

CVE-2024-36346

Improper input validation in AMD Power Management Firmware PMFW could allow a privileged attacker from Guest VM to send arbitrary input data potentially causing a GPU Reset condition...

PT-2025-36327

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in Keycloak where the account console and other pages accept arbitrary text in the error description query parameter. This text is directly rendered in error pages without...

Active Storage allowed transformation methods that were potentially unsafe

Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods allowing for the circumvention of the safe defaults which enables potential command injection vulnerabilities in cases where...

CVE-2025-43020

A potential command injection vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The vulnerability could allow a privileged user to submit arbitrary input. HP has addressed the issue in the latest software update...

AirKeyboard iOS App 1.0.5 - Remote Input Injection

Exploit Title: AirKeyboard iOS App 1.0.5 - Remote Input Injection Date: 2025-06-13 Exploit Author: Chokri Hammedi Vendor Homepage: https://airkeyboardapp.com Software Link: https://apps.apple.com/us/app/air-keyboard/id6463187929 Version: Version 1.0.5 Tested on: iOS 18.5 with AirKeyboard app '''...

CVE-2024-0038

In injectInputEventToInputFilter of AccessibilityManagerService.java, there is a possible arbitrary input event injection due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...