11 matches found

Positive Technologies
added 2026/05/21 12:0 a.m. · 6 views

PT-2026-42668

📋 Reframing 2026-05-02: implicit unsafe remote-code path, not "supply-chain" The accurate description of this vulnerability is: "get model arch and related helpers hardcode trust_remote_code=True with no opt-out, creating an implicit unsafe remote-code load path on every model fetch." What this...

7.8 CVSS · 6.5 AI score
Exploits: 0 · References: 5

RedHat Linux
added 2026/03/11 10:47 a.m. · 0 views

c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects

A flaw was found in c3p0, a Java Database Connectivity (JDBC) connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or javax.naming.Reference instances. By manipulating the userOverridesAsString...

8.9 CVSS · 6.4 AI score · 0.00313 EPSS
Exploits: 0 · References: 9

IBM Security Bulletins
added 2025/10/29 7:13 a.m. · 1 views

Security Bulletin: CVE-2025-36024 vulnerability have been identified with the DS8900F and DS8A00 Hardware Management Console (HMC)

Summary: DS8900F and DS8A00 updates have been released to remediate user enumeration errors. Review the Vulnerability Details section below for additional information. Vulnerability Details: CVEID: CVE-2025-36024 DESCRIPTION: IBM System Storage DS8000 could allow a remote attacker to obtain sensitiv...

6.7 AI score
Exploits: 0 · Affected Software: 3

CNNVD
added 2025/02/25 12:0 a.m. · 2 views

NVIDIA IGX Orin Security Vulnerability

NVIDIA IGX Orin is an industrial-grade edge AI platform from NVIDIA that delivers high performance, advanced functional safety and information security. A security vulnerability exists in the NVIDIA IGX Orin, which originates in the UEFI firmware RCM boot mode and allows an attacker with physical...

7.6 CVSS · 6.7 AI score · 0.00067 EPSS
Exploits: 0 · References: 2

Positive Technologies
added 2024/07/06 12:0 a.m. · 1 views

PT-2024-41432 · Crates.Io · Wasmtime-Jit-Debug

The unsound function dump_code_load_record uses from_raw_parts to directly convert the pointer addr and len into a slice without any validation and that memory block would be dumped. Thus, the 'safe' function dump_code_load_record is actually 'unsafe' since it requires the caller to guarantee tha...

7.3 AI score
Exploits: 0 · References: 4

Positive Technologies
added 2023/03/01 12:0 a.m. · 3 views

PT-2023-16286 · Google · Youtube Embedded 1.2 Sdk

Name of the Vulnerable Software and Affected Versions: YouTube Embedded 1.2 SDK Description: The YouTube Embedded 1.2 SDK has a potential vulnerability in its binding logic. After binding to a service within the YouTube Main App, a remote context is created with the flags Context.CONTEXT INCLUDE...

7.3 CVSS · 7.3 AI score · 0.00018 EPSS
Exploits: 0 · References: 5

SUSE CVE
added 2023/02/15 3:57 a.m. · 3 views

SUSE CVE-2020-14372

A flaw was found in grub2 in versions prior to 2.06, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdow...

7.5 CVSS · 6.6 AI score · 0.01884 EPSS
Exploits: 0 · References: 24

Packet Storm
added 2023/02/10 12:0 a.m. · 222 views

ChiKoi 1.0 Cross Site Scripting

Title : ChiKoi version 1.0 XSS Vulnerability | Author : indoushka | Tested on : windows 10 Français V.Pro / browser : Mozilla firefox 65.032-bit | Vendor :...

0.2 AI score
Exploits: 0

RedHat Linux
added 2021/06/29 4:36 p.m. · 1 views

grub2: acpi command allows privileged user to load crafted ACPI tables when Secure Boot is enabled

A flaw was found in GRUB 2, where it incorrectly enables the usage of the ACPI command when Secure Boot is enabled. This flaw allows an attacker with privileged access to craft a Secondary System Description Table (SSDT) containing code to overwrite the Linux kernel lockdown variable content direct...

7.5 CVSS · 5.8 AI score · 0.01884 EPSS
Exploits: 0 · References: 5

NVD
added 2020/08/10 2:15 p.m. · 13 views

CVE-2020-8224

A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arbitrary code when placing a malicious OpenSSL config into a fixed directory...

7.8 CVSS · 7.7 AI score · 0.00188 EPSS
Exploits: 1 · References: 3

Hacker One
added 2019/04/16 1:3 a.m. · 34 views

Node.js third-party modules: [domokeeper] Unintended Require

I would like to report Unintended Require vulnerability in domokeeper. It allows reading arbitrary json files and load non-production code. Module module name: domokeeper version: 0.2.0 npm page: https://www.npmjs.com/package/domokeeper Module Description domokeeper server: a pluggable domotic...

6.8 AI score
Exploits: 0