EUVD-2026-29009

A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0. Affected by this issue is some unknown functionality of the file /inventory/salessave. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the...

CVE-2026-8256

A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. This vulnerability affects unknown code of the file /accounts/mr-save. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. T...

PT-2026-39597

A security flaw has been discovered in Open5GS up to 2.7.7. This issue affects the function smf nsmf handle update data in vsmf of the file /src/smf/nsmf-handler.c of the component SMF. The manipulation results in denial of service. The attack can be executed remotely. The exploit has been releas...

CVE-2026-31247

Docling’s JATS XML backend (up to version 2.61.0) is vulnerable to XML Entity Expansion (XXE). The backend uses etree.parse() without disabling entity resolution, allowing an attacker to submit a crafted XML with nested entity expansions (XML Bomb). Processing such payloads causes exponential ent...

CVE-2026-31249

CosyVoice contains an insecure deserialization vulnerability (CWE-502) in its data processing tool make_parquet_list.py. The script loads PyTorch .pt files (utterance embeddings, speaker embeddings, speech tokens) with torch.load() without enabling weights_only=True, allowing the deserialization ...

PT-2026-39632

Name of the Vulnerable Software and Affected Versions Open5GS versions prior to 2.7.8 Description A remote denial of service can be triggered in the NRF component via the yuarel parse function located in the /lib/sbi/conv.c library. This occurs through the manipulation of the hnrf-uri argument...

PT-2026-39630

Improper restriction of excessive authentication attempts CWE-307 in pgAdmin 4. pgAdmin enforces MAX LOGIN ATTEMPTS only inside its custom /authenticate/login view. Flask-Security's default /login view, which is registered automatically by security.init app and is reachable on every server, never...

CVE-2025-61305

A reflected cross-site scripted XSS vulnerability in the dfm-menufirmware.php component of GmbH Mecury Managed Print Services docuForm v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value...

Guaranteed Jailbreaking Defense Via Disrupt-And-Rectify Smoothing

This paper proposes a guaranteed defense method for large language models LLMs to safeguard against jailbreaking attacks. Drawing inspiration from the denoised-smoothing approach in the adversarial defense domain, we propose a novel smoothing-based defense method, termed Disrupt-and-Rectify...

Unity Linux 20.1070e Security Update: mysql (UTSA-2026-017663)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017663 advisory. Vulnerability in the MySQL Server product of Oracle MySQL component: Server: DML. Supported versions that are affected are 8.0.26 and prior. Easily exploitable...

Unity Linux 20.1070e Security Update: mysql (UTSA-2026-017753)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017753 advisory. Vulnerability in the MySQL Server product of Oracle MySQL component: Server: DML. Supported versions that are affected are 8.0.23 and prior. Easily exploitable...

Unity Linux 20.1060e / 20.1070e Security Update: wpa_supplicant (UTSA-2026-017501)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017501 advisory. The implementations of SAE and EAP-pwd in hostapd and wpasupplicant 2.x through 2.8 are vulnerable to side-channel attacks as a result of observable timing differenc...

Under the Hood of SKILL.Md: Semantic Supply-Chain Attacks on AI Agent Skill Registry

Autonomous AI agents increasingly extend their capabilities through Agent Skills: modular filesystem packages whose SKILL.md files describe when and how agents should use them. While this design enables scalable, on-demand capability expansion, it also introduces a semantic supply-chain risk in...

@workos/authkit-session 输入验证错误漏洞

@workos/authkit-session is an open-source session authentication and token management tool developed by WorkOS. Versions of @workos/authkit-session prior to 0.5.1 contained a vulnerability related to input validation errors. This vulnerability stemmed from insufficient validation of the...

Apple多款产品 安全漏洞

Apple iOS, among others, are products of the American company Apple. Apple iOS is an operating system developed for mobile devices. Apple tvOS is an operating system for smart TVs. Apple macOS is a specialized operating system developed for Mac computers. Several Apple products have security...

WWBN AVideo 代码问题漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained code vulnerabilities. These vulnerabilities stemmed from the use of isSSRFSafeURL, which only verified the initial URL. This could allow attackers to bypass SSRF...

PT-2026-39839

Name of the Vulnerable Software and Affected Versions iOS versions prior to 18.7.9 iOS versions prior to 26.5 iPadOS versions prior to 18.7.9 iPadOS versions prior to 26.5 macOS Sonoma versions prior to 14.8.7 macOS Tahoe versions prior to 26.5 tvOS versions prior to 26.5 Description An attacker ...

PT-2026-40259

Name of the Vulnerable Software and Affected Versions Microsoft Edge Chromium-based affected versions not specified Description Improper neutralization of special elements in output used by a downstream component injection allows an unauthorized attacker to elevate privileges over a network...

MATRA: Modeling the Attack Surface of Agentic AI Systems -- OpenClaw Case Study

LLMs are increasingly deployed as autonomous agents with access to tools, databases, and external services, yet practitioners across different sectors lack systematic methods to assess how known threat classes translate into concrete risks within a specific agentic deployment. We present MATRA, a...

When Prompts Become Payloads: A Framework for Mitigating SQL Injection Attacks in Large Language Model-Driven Applications

Natural language interfaces to structured databases are becoming increasingly common, largely due to advances in large language models LLMs that enable users to query data using conversational input rather than formal query languages such as SQL. While this paradigm significantly improves usabili...