
OSV
added 2026/02/25 5:30 p.m., 8 views

CVE-2026-27795 LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader

LangChain is a framework for building LLM-powered applications. Prior to version 1.1.8, a redirect-based Server-Side Request Forgery (SSRF) bypass exists in RecursiveUrlLoader in @langchain/community. The loader validates the initial URL but allows the underlying fetch to follow redirects...

CVSS 4.1 | AI score 5.6 | EPSS 0.00206
Exploits: 0 | References: 9
Packet Storm News
added 2026/02/25 12:00 a.m., 4 views

APFuzz: Towards Automatic Greybox Protocol Fuzzing

Greybox protocol fuzzing is a random testing approach for stateful protocol implementations, where the input is protocol messages generated from mutations of seeds, and the search in the input space is driven by the feedback on coverage of both code and state. State model and message model are th...

AI score 6.1
Exploits: 0
GithubExploit
added 2026/02/24 1:41 a.m., 226 views

injectproof

InjectProof: The SQL injection scanner that finds what sqlma...

AI score 6.7
Exploits: 0
CVE
added 2026/02/20 12:34 a.m., 13 views

CVE-2026-26974

CVE-2026-26974 (Slyde) affects Slyde versions 0.0.4 and earlier. The root cause is Node.js automatically importing any /**.plugin.{js,mjs} files, including those from node_modules, enabling a malicious package with a .plugin.js file to execute arbitrary code when installed or required. Impact is ...

CVSS 9.8 | AI score 6 | EPSS 0.0054
Exploits: 0 | References: 3 | Affected software: 1
Packet Storm News
added 2026/02/20 12:00 a.m., 4 views

Automatic, Expressive, and Scalable Fuzzing with Stitching

Fuzzing is a powerful technique for finding bugs in software libraries, but scaling it remains difficult. Automated harness generation commits to fixed API sequences at synthesis time, limiting the behaviors each harness can test. Approaches that instead explore new sequences dynamically lack the...

AI score 5.9
Exploits: 0
NVD
added 2026/02/18 10:16 p.m., 7 views

CVE-2026-27180

MajorDoMo aka Major Domestic Module is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin method through the /objects/?module=saverestore endpoint without authentication because it uses gr'mode'...

CVSS 9.8 | EPSS 0.01086
Exploits: 4 | References: 3
RedhatCVE
added 2026/02/14 1:28 a.m., 8 views

CVE-2025-9292

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful...

CVSS 2 | AI score 5.6 | EPSS 0.00342
Exploits: 0 | References: 1
NVD
added 2026/02/13 2:16 a.m., 6 views

CVE-2025-9292

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful...

CVSS 7.5 | EPSS 0.00342
Exploits: 0 | References: 2
Vulnrichment
added 2026/02/13 12:21 a.m., 5 views

CVE-2025-9292 Permissive Web Security Policy Allows Cross-Origin Access Control Bypass on Omada Cloud Controllers

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful...

CVSS 2 | AI score 5.6 | EPSS 0.00342
Exploits: 0 | References: 2
Cvelist
added 2026/02/13 12:21 a.m., 32 views

CVE-2025-9292 Permissive Web Security Policy Allows Cross-Origin Access Control Bypass on Omada Cloud Controllers

A permissive web security configuration may allow cross-origin restrictions enforced by modern browsers to be bypassed under specific circumstances. Exploitation requires the presence of an existing client-side injection vulnerability and user access to the affected web interface. Successful...

CVSS 2 | EPSS 0.00342
Exploits: 0 | References: 2
Positive Technologies
added 2026/02/13 12:00 a.m., 8 views

PT-2026-8013

Name of the Vulnerable Software and Affected Versions: Cursor versions prior to 2.5. Description: A sandbox escape allows for remote code execution (RCE) when the AI agent autonomously performs Git operations. A malicious actor can hide scripts within hidden Git hooks in nested bare repositories or us...

CVSS 9.9 | AI score 6.8 | EPSS 0.0049
Exploits: 0 | References: 40
Packet Storm News
added 2026/02/12 12:00 a.m., 5 views

Nikto Web Scanner 2.6.0

Nikto is an Open Source GPL web server scanner which performs comprehensive tests against web servers for multiple items, including thousands of potentially dangerous files/programs, checks for outdated versions of over 1500 server components, and version specific problems on hundreds of servers...

AI score 5.6
Exploits: 0
Positive Technologies
added 2026/02/11 12:00 a.m., 4 views

PT-2026-21972

Name of the Vulnerable Software and Affected Versions: LangChain versions prior to 1.1.18; @langchain/community versions prior to 1.1.18. Description: A redirect-based Server-Side Request Forgery (SSRF) bypass exists in the RecursiveUrlLoader within the @langchain/community package. The loader initiall...

CVSS 7.4 | AI score 8.2 | EPSS 0.00206
Exploits: 0 | References: 19
Tenable Nessus
added 2026/02/10 12:00 a.m., 4 views

Fedora 45 : selenium-manager (2026-a92ff0085d)

The remote Fedora 45 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-a92ff0085d advisory. Automatic update for selenium-manager-4.34.0-6.fc45. Changelog: Tue Feb 10 2026 tjuhasz - 4.34.0-6 - Rebuild for CVE-2026-25727 rhbz2438154. Tenable has...

CVSS 6.8 | AI score 5.4 | EPSS 0.00291
Exploits: 0 | References: 2
Rapid7 Blog
added 2026/02/09 7:00 p.m., 11 views

Vulnerability Found in InsightVM & Nexpose: CVE-2026-1814 (FIXED)

We are grateful to the research team at Atredis for sharing their findings around a vulnerability CVE-2026-1814 impacting our vulnerability management offerings InsightVM and Nexpose. We have identified a fix that addresses this vulnerability and will be delivered via a Security Console product...

CVSS 6.8 | AI score 5.6 | EPSS 0.00145
Exploits: 0
OSV
added 2026/02/06 7:04 p.m., 6 views

GHSA-MHG7-666J-CQG4 Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions

Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this require...

CVSS 7.7 | AI score 5.6 | EPSS 0.00264
Exploits: 0 | References: 3
OSV
added 2026/02/05 6:02 p.m., 4 views

GHSA-X9P2-77V6-6VHF FrankenPHP has delayed propagation of security fixes in upstream base images

Delayed propagation of security fixes in upstream base images. Summary: Vulnerability in base Docker images (PHP, Go, and Alpine) not automatically propagating to FrankenPHP images. FrankenPHP's container images were previously built only when specific version tags were updated or when manual trigger...

CVSS 9.8 | AI score 8
Exploits: 0 | References: 2
CNNVD
added 2026/02/04 12:00 a.m., 4 views

FacturaScripts security vulnerability

FacturaScripts is an open-source ERP software developed by Carlos Garcia, a Spanish developer. Versions of FacturaScripts prior to 2025.81 contained security vulnerabilities. These vulnerabilities stemmed from the automatic completion feature, where user-provided parameters were directly...

CVSS 8.8 | AI score 6.1 | EPSS 0.00473
Exploits: 3 | References: 2
Tenable Nessus
added 2026/02/04 12:00 a.m., 2 views

Fedora 44 : vultr-cli (2026-ce174cdc78)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-ce174cdc78 advisory. Automatic update for vultr-cli-3.8.0-1.fc44. Changelog: Wed Feb 4 2026 Major Hayden - 3.8.0-1 - Update to 3.8.0 - Fixes CVE-2025-11065: go-viper/mapstructure...

CVSS 5.3 | AI score 5.5 | EPSS 0.00357
Exploits: 0 | References: 2
OSV
added 2026/02/03 7:15 p.m., 2 views

GHSA-VHW5-3G5M-8GGF Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains

Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io); this could have enabled attackers to register domains like...

CVSS 7.1 | AI score 5.5 | EPSS 0.00338
Exploits: 0 | References: 3