CVE-2026-33510

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting XSS vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter callbackUrl, which is passed to redirect and router.push. An attacker can craft a malicious...

capstone: Capstone: Heap buffer overflow via skipdata callback allows denial of service or arbitrary code execution.

A flaw was found in Capstone, a disassembly framework. A local attacker could exploit a heap buffer overflow vulnerability by providing a specially crafted skipdata callback. This flaw occurs because the skipdata length is not properly bounds-checked, which may allow an attacker to write beyond...

freerdp: FreeRDP has a heap-use-after-free in video_timer

A use after free flaw has been discovered in FreeRDP. The videotimer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. A malicious server can trigger a client‑side heap use after free causing a crash DoS...

freerdp: FreeRDP has a heap-use-after-free in urb_bulk_transfer_cb

A heap buffer use after free has been discovered in FreeRDP. Asynchronous bulk transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after free in urbwritecompletion...

ALSA-2026:6817 Important: capstone security update

Capstone is a disassembly framework with the target of becoming the ultimate disasm engine for binary analysis and reversing in the security community. Security Fixes: capstone: Capstone: Memory corruption via unchecked vsnprintf return CVE-2025-68114 capstone: Capstone: Heap buffer overflow via...

PT-2026-30987

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the Live restream log callback flow accepted an attacker-controlled restreamerURL and later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers. The vulnerable flow allowed a low-privilege...

WWBN AVideo 代码问题漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained code vulnerabilities. These vulnerabilities stemmed from the Live re-stream log callback process accepting URLs controlled by attackers, which could lead to...

Malicious code in a2a-chat-canvas (npm)

Malicious package due to suspicious callback URL, hostname exfiltration, preinstall script execution, and only one published version. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d466a45c588940f8279288c439a4665d5368f0a7642c966de8e9fd307bc028b3 The package...

MAL-2026-2524 Malicious code in a2a-chat-canvas (npm)

Malicious package due to suspicious callback URL, hostname exfiltration, preinstall script execution, and only one published version. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d466a45c588940f8279288c439a4665d5368f0a7642c966de8e9fd307bc028b3 The package...

CVE-2026-34969 Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...

CVE-2026-34969 Nhost Leaks the Refresh Token via URL Query Parameter in OAuth Provider Callback

Nhost is an open source Firebase alternative with GraphQL. Prior to 0.48.0, the auth service's OAuth provider callback flow places the refresh token directly into the redirect URL as a query parameter. Refresh tokens in URLs are logged in browser history, server access logs, HTTP Referer headers,...

CVE-2026-34764 Electron has a use-after-free in offscreen shared texture release() callback

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain...

CVE-2026-34764 Electron has a use-after-free in offscreen shared texture release() callback

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain...

CVE-2026-33510

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting XSS vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter callbackUrl, which is passed to redirect and router.push. An attacker can craft a malicious...

CVE-2026-33510 DOM-Based XSS in Homarr /auth/login Redirect

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting XSS vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter callbackUrl, which is passed to redirect and router.push. An attacker can craft a malicious...

EUVD-2026-19287

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting XSS vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter callbackUrl, which is passed to redirect and router.push. An attacker can craft a malicious...

CVE-2026-33510

Homarr (open-source dashboard) contains a DOM-based XSS in the /auth/login flow prior to version 1.57.0. The app trusts a URL parameter (callbackUrl) that is passed to redirect and router.push, enabling an attacker with an authenticated user to craft a malicious link that performs a client-side r...

CVE-2026-33510 DOM-Based XSS in Homarr /auth/login Redirect

Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting XSS vulnerability has been discovered in Homarr's /auth/login page. The application improperly trusts a URL parameter callbackUrl, which is passed to redirect and router.push. An attacker can craft a malicious...

Nhost 安全漏洞

Nhost is an open-source backend service platform developed by Nhost. Versions of Nhost prior to 0.48.0 contained security vulnerabilities. These vulnerabilities stemmed from the OAuth provider’s callback process for authentication services, where the refresh token was directly placed as a query...

PT-2026-30629

Name of the Vulnerable Software and Affected Versions Homarr versions prior to 1.57.0 Description Homarr is an open-source dashboard. A DOM-based Cross-Site Scripting XSS issue exists in the /auth/login page. The application improperly trusts the callbackUrl URL parameter, which is used in redire...