10791 matches found
CVE-2026-48192
CVE-2026-48192 affects Mendix Studio Pro across multiple versions (10.x and 11.x) with a flaw where built project files are not properly validated/sanitized during the build pipeline. An attacker could trick a user into opening and running a specially crafted malicious project locally, potentiall...
OPENSUSE-SU-2026:21179-1 Security update for lrzip
This update for lrzip fixes the following issues: Changes in lrzip: - Update to version 0.660: Do not clean up thread structures in decompression failure conditions, fixing a use-after-free in lzmadecompressbuf and a NULL pointer dereference in ucompthread on corrupt/malicious archives...
PT-2026-54038
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description Capgo lacks an UPDATE row-level security policy for the build requests table. This missing policy prevents API-key and anonymous access from persisting builder status updates. An attacker can exploi...
PT-2026-53958
Name of the Vulnerable Software and Affected Versions IBM Langflow OSS versions 1.0.0 through 1.9.6 Description A missing authentication flaw exists in the /api/v1/build public tmp/ endpoints. This allows an unauthenticated attacker to use a valid job identifier to read build event data or cancel...
PT-2026-53956
Name of the Vulnerable Software and Affected Versions IBM Langflow OSS versions 1.0.0 through 1.9.3 Description A code injection flaw allows an unauthenticated remote attacker to gain full control over the system without user interaction. This enables the attacker to read all secrets available to...
RHEL 10 : kernel (RHSA-2026:33486)
The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:33486 advisory. A special build of the kernel packages for Red Hat Enterprise Linux for NVIDIA. For more details about the security issues, including the...
CVE-2026-34597
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution RCE vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the...
CVE-2026-34597
CVE-2026-34597 affects Coolify prior to 4.0.0-beta.470. The vulnerability lies in how user-supplied build parameters for the Nixpacks build pack are handled: the install_command provided by a user is directly concatenated into a shell command string executed on the deployment host during the buil...
CVE-2026-34597 Coolify: Authenticated Host RCE
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution RCE vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the...
CVE-2026-34597 Coolify: Authenticated Host RCE
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.470, a critical Authenticated Host Remote Code Execution RCE vulnerability was discovered in Coolify. The flaw resides in the handling of user-defined build parameters for the...
CVE-2026-57951
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payloadbuildstep table with an always-satisfied or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payloadbuildstep to read stepstdout, stepstderr, stepname, and...
CVE-2026-57951 Mythic < 3.4.0.60 - Broken Permission Filter in payload_build_step Table
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payloadbuildstep table with an always-satisfied or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payloadbuildstep to read stepstdout, stepstderr, stepname, and...
CVE-2026-57951
Summary: Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied OR condition that bypasses operation-scoped access controls. This allows authenticated operators and spectators to read fields (step_stdout, step_stderr, step_name, ...
CVE-2026-57951 Mythic < 3.4.0.60 - Broken Permission Filter in payload_build_step Table
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payloadbuildstep table with an always-satisfied or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payloadbuildstep to read stepstdout, stepstderr, stepname, and...
Security Bulletin: Multiple Vulnerabilities in IBM DevOps Build.
Summary Multiple vulnerabilities were addressed in IBM DevOps Build 7.1.0.4. Vulnerability Details CVEID:CVE-2026-41284 DESCRIPTION: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M...
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
SummaryThe POST /api/v1/buildpublictmp/flowid/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the stored flow...
PYSEC-2026-379 Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Summary The POST /api/v1/buildpublictmp/flowid/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the stored flow...
PT-2026-53669
Name of the Vulnerable Software and Affected Versions Mythic versions prior to 3.4.0.60 Description A broken Hasura permission filter exists on the payload build step table. This issue involves an always-satisfied or condition that bypasses operation-scoped access controls. Consequently,...
Linux Distros Unpatched Vulnerability : CVE-2026-44517
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive CVE-2026-44517 Note that Nessus relies on the presence of t...
Malicious code in @k18n/creatormarketplace-admin-language (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6213acbcf6c562c8a7690e6018490d502d8df9377a2ed85c5bca9d828ed261c8 Package claims the @k18n npm scope used internally by Kuaishou and publishes at version 99.0.0 — the canonical high-version dependency-confusion shap...