GHSA-FVCV-3M26-PCQX Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Vulnerability Disclosure: Unrestricted Cloud Metadata Exfiltration via Header Injection Chain Summary The Axios library is vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound...

Arbitrary Code Injection

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

CVE-2026-40175

Axios is a promise based HTTP client for the browser and Node.js. Versions prior to 1.15.0 and 0.3.1 are vulnerable to a specific gadget-style attack chain in which prototype pollution in a third-party dependency may be leveraged to inject unsanitized header values into outbound requests. This...

CVE-2026-5960

A weakness has been identified in code-projects Patient Record Management System 1.0. This affects an unknown part of the file /db/hcpms.sql of the component SQL Database Backup File Handler. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The...

LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf

Summary The isVMLowLevelOptionForbidden function in lxd/project/limits/permissions.go is missing raw.apparmor and raw.qemu.conf from its hardcoded forbidden list. A user with canedit permission on a VM instance in a restricted project can combine these two omissions to bridge the LXD unix socket...

EUVD-2026-20876

LXD: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin...

CVE-2026-33707

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1$email with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the...

GHSA-QH78-RVG3-CV54 Vikunja has File Size Limit Bypass via Vikunja Import

Summary The Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries ...

CVE-2026-23780

An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable...

Security Bulletin: Vulnerabilities in Jetty, Eclipse Jetty,Spring Cloud Netflix Zuul,Spring Framework,Spring Security,NPM package,glob-parent package,jQuery,Braces, go-redis,qs,LZ4,js-yaml might affect IBM Storage Defender Copy Data Management

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Jetty, Eclipse Jetty, Spring Cloud Netflix Zuul , Spring Framework, Spring Security, NPM package, glob-parent package, jQuery, Braces, go-redis, qs, LZ4 and js-yaml. Vulnerabilities include , bypassing the...

Security Bulletin: DevOps Test Performance and Rational Performance Tester contains a vulnerabilty related to use of the qs library

Summary Due to use of the qs library, DevOps Test Performance and Rational Performance Tester contain a potential improper input validation vulnerabiity. CVE-2025-15284 Vulnerability Details CVEID:CVE-2025-15284 DESCRIPTION: Improper Input Validation vulnerability in qs parse modules allows HTTP...

SUSE-SU-2026:21167-1 Security update for cockpit-podman

This update for cockpit-podman fixes the following issues: - CVE-2026-25547: brace-expansion: unbounded brace range expansion can lead to excessive CPU and memory consumption and may crash a Node.js process bsc1257836. - CVE-2026-26996: minimatch: ReDoS when glob pattern contains many consecutive...

EUVD-2026-21318

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313b20191024. This vulnerability affects the function setPortalConfWeChat of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument enable results in os command injection. The attack can ...

DEBIAN-CVE-2026-6042

A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix...

ALPINE-CVE-2026-6042

A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix...

UBUNTU-CVE-2026-6042

A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix...

CVE-2026-33455

Livestatus injection in the monitoring quicksearch in Checkmk 2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins...

CVE-2026-6026

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313b20191024. This vulnerability affects the function setPortalConfWeChat of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument enable results in os command injection. The attack can ...

CVE-2026-6015 Tenda AC9 POST Request QuickIndex formQuickIndex stack-based overflow

A vulnerability has been found in Tenda AC9 15.03.02.13. Impacted is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. Such manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely...

CVE-2026-6003

A security vulnerability has been detected in code-projects Simple IT Discussion Forum 1.0. This issue affects some unknown processing of the file /admin/user.php. Such manipulation of the argument fname leads to cross site scripting. The attack may be performed from remote. The exploit has been...