CVE-2026-29075 Mesa: Checking out of untrusted code in `benchmarks.yml` workflow may lead to code execution in privileged runner

Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner. This issue has been patched via commi...

CVE-2026-28429

Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone...

CVE-2026-28428 Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by...

CVE-2026-28428 Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by...

CVE-2026-28428 Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by...

CVE-2026-28428

Talishar is affected by an authentication bypass in its game endpoint validation. Before commit a9c218e, a loose string comparison allowed an empty authKey (authKey=) to be treated as valid, enabling unauthenticated users to perform authenticated actions such as sending chat messages and submitti...

EUVD-2026-9982

Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone...

CVE-2026-28429

Talishar (Flesh and Blood fan project) has a path traversal flaw in the gameName parameter prior to commit 6be3871. ParseGamestate.php can be accessed as a standalone script, allowing directory traversal sequences (e.g., ../) to reach unauthorized files. The issue is mitigated by the patch in com...

CVE-2026-28429 Talishar: Critical Path Traversal in gameName Parameter

Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone...

CVE-2026-28429 Talishar: Critical Path Traversal in gameName Parameter

Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerability was identified in the gameName parameter. While the application's primary entry points implement input validation, the ParseGamestate.php component can be accessed directly as a standalone...

CVE-2025-69653

A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 2025-12-11, in file gcdecrefchild in quickjs.c, when executed with the qjs interpreter using the -m option. This leads to an abort SIGABRT...

PT-2026-23726

Name of the Vulnerable Software and Affected Versions Mesa versions prior to 3.5.1 Description Mesa is a Python library used for agent-based modeling and simulating complex systems. A flaw exists where checking out untrusted code within the benchmarks.yml workflow could allow for code execution...

PT-2026-23648

Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vulnerability in Talishar's game endpoint validation logic allows any unauthenticated attacker to perform authenticated game actions — including sending chat messages and submitting game inputs — by...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: jq (UTSA-2026-005841)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005841 advisory. jq is a command-line JSON processor. In version 1.8.0 a heap use after free vulnerability exists within the function fstrflocaltime of /src/builtin.c. This issue has...

CVE-2026-28484

...

CVE-2026-28484

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...

EUVD-2026-9929

OpenClaw versions prior to 2026.2.15 contain an option injection vulnerability in the git-hooks/pre-commit hook that allows attackers to stage ignored files by creating maliciously-named files beginning with dashes. The hook fails to use a -- separator when piping filenames through xargs to git...

CVE-2026-28484

OpenClaw contains an option-injection vulnerability in the git-hooks/pre-commit hook in versions prior to 2026.2.15. The hook fails to use a -- separator when piping filenames through xargs to git add, enabling an attacker to inject git flags by supplying maliciously-named files beginning with da...

Incorrect Regular Expression

Overview fastify is an overhead web framework, for Node.js. Affected versions of this package are vulnerable to Incorrect Regular Expression in the Content-Type header validation. An attacker can cause the server to incorrectly process requests with malformed Content-Type headers by sending value...

PT-2026-23558

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.15 Description The software contains an option injection flaw in the git-hooks/pre-commit hook. This allows attackers to stage files that are normally ignored by creating files that begin with dashes. The hook...