RevealJS postMessage <4.3.0 - Cross-Site Scripting

RevealJS postMessage before 4.3.0 contains a cross-site scripting vulnerability via the document object model. id: CVE-2022-0776 info: name: RevealJS postMessage 4.3.0 - Cross-Site Scripting author: LogicalHunter severity: medium description: RevealJS postMessage before 4.3.0 contains a cross-sit...

PT-2026-50806

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.5.128 Description An arbitrary shell command execution issue exists where UI modules hardcode approval mode to auto, which overrides the administrator configuration set in the PRAISON APPROVAL MODE environment...

CVE-2026-48989

CVE-2026-48989 affects Windows-MCP HTTP transports that expose an unauthenticated control plane with wildcard CORS, enabling arbitrary PowerShell execution via the PowerShell tool when accessed from arbitrary origins. Root cause: FastMCP instance built without authentication and middleware applyi...

EUVD-2026-36565

ApostropheCMS is an open-source Node.js content management system. Versions of the @apostrophecms/cli package up to and including 3.6.0 contain a command injection vulnerability in the apos create command. User-supplied input from the password prompt is embedded directly into a shell command...

CVE-2026-46618

CVE-2026-46618 affects Fission before v1.23.0: pkg/builder/builder.go passed Environment.spec.builder.command directly to exec.Command after strings.Fields, with no validation of the executable path or arguments. A user with Environment CRD privileges in a namespace could point the builder pod to...

CVE-2026-33088

Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement...

CVE-2026-25776

Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script...

Important: Red Hat Security Advisory: openssh security update

An update for openssh is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support and Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerabili...

EUVD-2025-209990

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating...

RockyLinux 10 : systemd (RLSA-2026:13651)

The remote RockyLinux 10 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2026:13651 advisory. systemd: systemd: Arbitrary code execution or Denial of Service via spurious IPC API call data CVE-2026-29111 Tenable has extracted the preceding description...

SQL Injection

github.com/ory/hydra is vulnerable to SQL Injection. The vulnerability is due to flaws in the pagination token implementation in the listOAuth2Clients, listOAuth2ConsentSessions, and listTrustedOAuth2JwtGrantIssuers Admin APIs, which allows an attacker who knows the pagination or system secret to...

Jsonpickle 代码注入漏洞

Jsonpickle is a software developed by the individual who created Jsonpickle, designed for Python to serialize Python objects into JSON format. Version 2.0.0 of jsonpickle contains a code injection vulnerability. This vulnerability stems from deserialization issues, allowing attackers to execute...

CVE-2026-46508

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and...

CVE-2026-42557 jupyterlab: Command linker attributes in HTML enable one-click command execution from untrusted content

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker listens for all cli...

SQL Injection in Column Type Parameter Allows Arbitrary SQL Execution

None...

CVE-2026-42156

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher...

CVE-2026-42156 Flowsint: Cypher query injection in node type on node creation

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious type that can escape an existing Cypher query and an adversary can execute an arbitrary Cypher...

CVE-2026-7816 pgAdmin 4: OS command injection in Import/Export query export via psql metacommand breakout

OS command injection CWE-78 vulnerability in pgAdmin 4 Import/Export query export. User-supplied input was interpolated directly into a psql \copy metacommand template without sanitization. An authenticated user could inject " TO PROGRAM 'cmd'" to break out of the \copy ... context and achieve...

CVE-2025-61308

CVE-2025-61308 describes a reflected XSS in the dfm-menu_maintenance.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c. The underlying issue is an unfiltered variable value that allows attackers to inject arbitrary JavaScript, executed in a user’s browser context. The CVSS 3....

CVE-2026-42215

GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs uploadpack and receivepack bypass that check. If an...