GHSA-64VR-4GR2-M642 automagik-genie has a command injection vulnerability

Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the viewtask aka view in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGEBASEURL...

CVE-2026-30635

Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the viewtask aka view in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGEBASEURL...

Ella Core has handover failures during concurrent Security Mode Command

Summary Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1 — it could send a NAS Security Mode Command while an N2 handover was still pending and vice versa. Impact Concurrent Security Mode Command and N2 handover produce a KgNB...

GHSA-MC29-HMX6-856Q Ella Core has handover failures during concurrent Security Mode Command

Summary Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1 — it could send a NAS Security Mode Command while an N2 handover was still pending and vice versa. Impact Concurrent Security Mode Command and N2 handover produce a KgNB...

Improperly Implemented Security Check for Standard

Overview Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to improper verification of UE Security Capabilities in the PathSwitchRequest messages. An attacker can alter stored security capabilities for any user equipment by sending a crafte...

Command Injection

Overview bentoml is a BentoML: Build Production-Grade AI Applications Affected versions of this package are vulnerable to Command Injection via the docker.baseimage configuration parameter. An attacker can execute arbitrary commands on the host system by supplying a malicious multi-line value in...

BentoML Dockerfile command injection via docker.base_image (sister of pending GHSA-w2pm-x38x-jp44 / CVE-2026-33744 / CVE-2026-35043)

The same Dockerfile template that mishandles envs.name pending GHSA-w2pm-x38x-jp44 also interpolates docker.baseimage raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.baseimage value smuggles arbitrary Dockerfile directives into the generated...

GHSA-78F9-R8MH-4XM2 BentoML Dockerfile command injection via docker.base_image (sister of pending GHSA-w2pm-x38x-jp44 / CVE-2026-33744 / CVE-2026-35043)

The same Dockerfile template that mishandles envs.name pending GHSA-w2pm-x38x-jp44 also interpolates docker.baseimage raw with no escaping, newline filtering, or validation. A malicious bento.yaml with a multi-line docker.baseimage value smuggles arbitrary Dockerfile directives into the generated...

Important: Red Hat Security Advisory: Red Hat Ceph Storage

A new version of Red Hat build of Ceph Storage has been released The Red Hat Storage Ceph container images are based on the latest ubi9 base image and Ceph 8.1. This release updates to the latest version...

BIT-GOLANG-2026-42501 Malicious module proxy can bypass checksum database in cmd/go

A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy GOMODPROXY or checksum database GOSUMDB. A malicious module proxy can serve altered versions o...

CVE-2026-30635

Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the viewtask aka view in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGEBASEURL...

CVE-2026-30635

Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the viewtask aka view in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGEBASEURL...

PT-2026-39663

Name of the Vulnerable Software and Affected Versions BentoML versions prior to 1.4.39 Description BentoML is a Python library used for building online serving systems optimized for AI applications and model inference. The issue occurs because the template src/bentoml/...

CVE-2026-30635

Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the viewtask aka view in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGEBASEURL...

PT-2026-39669

Name of the Vulnerable Software and Affected Versions Ella Core versions prior to 1.10.0 Description Ella Core, a 5G core for private networks, fails to verify UE Security Capabilities received in NGAP 'PathSwitchRequest' messages against locally stored values. This allows a malicious gNB to...

Unity Linux 20.1070e Security Update: mysql (UTSA-2026-017663)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017663 advisory. Vulnerability in the MySQL Server product of Oracle MySQL component: Server: DML. Supported versions that are affected are 8.0.26 and prior. Easily exploitable...

Unity Linux 20.1060e / 20.1070e Security Update: qt5-qtbase (UTSA-2026-017636)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017636 advisory. An out-of-bounds memory access in the generateDirectionalRuns function in qtextengine.cpp in Qt qtbase 5.11.x and 5.12.x before 5.12.5 allows attackers to cause a...

CVE-2026-30635

CVE-2026-30635 describes a command-injection vulnerability in the automagik-genie 2.5.27 MCP Server. The issue affects the readTranscriptFromCommit path in dist/mcp/server.js, where an attacker can trigger arbitrary command execution via the view_task (also known as view) when reading from an ext...

PT-2026-39708

Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the view task aka view in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGE BASE URL...

Sentry: Superusers can execute arbitrary commands by injecting malicious pickle-serialized objects through audit log entry data parameter

Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint wi...