8362 matches found
Improper Validation of Array Index
Overview Magick.NET-Q16-HDRI-x64 is a Magick.NET build that lets you use ImageMagick without installing ImageMagick on your server or desktop. For more information about specific builds, see the official docs: https://github.com/dlemstra/Magick.NET/tree/main/docs. Affected versions of this package are...
GHSA-VHRH-72HQ-W8M7 ImageMagick: Out-of-Bounds Read in connected components when the user supplies an invalid keep-top define
An invalid connected-components:keep-top value could result in a heap buffer over-read when performing the connected components operation...
GHSA-F946-9QP6-VGCH shopper/framework: Authorization bypass in multiple Livewire admin components
Impact Multiple Livewire components in the admin panel allowed an authenticated low-privilege user to mutate data without the required permission: - Order detail Filament actions cancel, mark paid, mark complete, capture payment, archive, start processing were callable with readorders only and di...
PT-2026-41776
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined; affected versions not specified. Description: An invalid connected-components:keep-top value can lead to a heap buffer over-read during the connected components operation. A heap buffer over-read occurs when...
Exploit for Deserialization of Untrusted Data in Facebook React
CVE-2025-55182 Security Lab "React2Shell" This repository c...
Malicious code in bui-react-10components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3fd97accb94b52913accc33671fd34134afa96fd92bc09e5d0c440eef9b1a8c6 The package bui-react-10components was found to contain malicious code. Source: ossf-package-analysis...
ROS-20260516-73-0001
A vulnerability in the xfrm components of the Linux kernel is caused by an operation that exceeds buffer boundaries (an out-of-bounds memory access). Exploitation of the vulnerability could allow an attacker to elevate their privileges to root level...
com.datasqrl.flinkrunner:stdlib-json (>=0.9.0 <=0.10.1), com.datasqrl:sqrl-discovery (>=0.9.0 <=0.10.4) +17 more potentially affected by CVE-2026-35194 via org.apache.flink:flink-table-runtime (=2.2.0)
org.apache.flink:flink-table-runtime MAVEN version =2.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.flink:flink-table-runtime and may be impacted: - com.datasqrl.flinkrunner:stdlib-json =0.9.0, =0.9.0, =0.9.0, =0.9.0, =2.2.0-EXNESS-0.1...
SECpocs
Next.js React Server Components RCE Exploit Exploits CVE-2025...
Security Bulletin: IBM Cognos Analytics is affected by multiple security vulnerabilities
Summary There are vulnerabilities in multiple Open-Source Software (OSS) components consumed by IBM Cognos Analytics. Please review the vulnerabilities below and take the necessary remediation actions. This Security Bulletin relates only to the direct usage of third-party components by IBM Cognos...
firefox: thunderbird: Spoofing issue in the DOM: Core & HTML component
A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Spoofing issue in the DOM: Core & HTML component...
CVE-2026-44513 Diffusers: `trust_remote_code` bypass via `custom_pipeline` and local custom components
Diffusers is a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user passing trust_remote_code=False or omitting it (False is the default). The vulnerability has three variant...
CVE-2026-44513
Diffusers 0.38.0 fixes a trust_remote_code bypass in DiffusionPipeline.from_pretrained that allowed arbitrary remote code execution when using custom_pipeline or local snapshots. Root cause: the security gate was checked inside DiffusionPipeline.download(), but some code paths bypassed download()...
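The root cause stated above (the policy check sits inside one helper, and not every caller reaches that helper) is easier to see in code. The following is an added illustration and is not Diffusers' own implementation: a hypothetical loader with in-memory stand-ins for remote repositories and local snapshot directories, where `InsecurePipelineLoader` checks `trust_remote_code` only inside `download()` while the local-snapshot and `custom_pipeline` code paths skip it, and `HardenedPipelineLoader` applies the check once at the entry point, on the final set of files about to be loaded. The class names, `CUSTOM_MODULE_FILE`, the repository and snapshot names and their contents are all assumptions made for the example.

```python
"""Added illustration of gate placement; not Diffusers' code.

Assumptions: in-memory stand-ins for remote repos and local snapshots, a custom
pipeline module named CUSTOM_MODULE_FILE (its presence means code executes on
load), and the two hypothetical loader classes below.
"""

CUSTOM_MODULE_FILE = "pipeline.py"  # assumed name of a custom pipeline module

# Constructed stand-ins: repository / snapshot -> {file name: contents}.
REMOTE_REPOS = {
    "vendor/plain-model": {"model_index.json": "{}"},
    "vendor/custom-model": {
        "model_index.json": "{}",
        CUSTOM_MODULE_FILE: "print('custom pipeline executed')",
    },
}
LOCAL_SNAPSHOTS = {
    "/cache/custom-model": {
        "model_index.json": "{}",
        CUSTOM_MODULE_FILE: "print('custom pipeline executed')",
    },
}


class RemoteCodeRefused(Exception):
    """Loading would execute custom code, but trust_remote_code is not True."""


def contains_custom_code(files):
    return CUSTOM_MODULE_FILE in files


def load_pipeline(files):
    # Stand-in for importing and instantiating the custom module: we only
    # record whether untrusted code would have run.
    return {"executed_custom_code": contains_custom_code(files)}


class InsecurePipelineLoader:
    """The security gate lives only in download(); other paths never reach it."""

    @classmethod
    def download(cls, repo_id, trust_remote_code=False):
        files = REMOTE_REPOS[repo_id]
        if contains_custom_code(files) and not trust_remote_code:
            raise RemoteCodeRefused(repo_id)
        return files

    @classmethod
    def from_pretrained(cls, name_or_path, trust_remote_code=False, custom_pipeline=None):
        if name_or_path in LOCAL_SNAPSHOTS:
            files = dict(LOCAL_SNAPSHOTS[name_or_path])   # local path: download() skipped
        else:
            files = dict(cls.download(name_or_path, trust_remote_code))
        if custom_pipeline is not None:
            files.update(REMOTE_REPOS[custom_pipeline])   # extra code, never gated
        return load_pipeline(files)


class HardenedPipelineLoader:
    """The gate runs once, at the entry point, on the final set of files."""

    @classmethod
    def from_pretrained(cls, name_or_path, trust_remote_code=False, custom_pipeline=None):
        if name_or_path in LOCAL_SNAPSHOTS:
            files = dict(LOCAL_SNAPSHOTS[name_or_path])
        else:
            files = dict(REMOTE_REPOS[name_or_path])      # fetch only; no policy here
        if custom_pipeline is not None:
            files.update(REMOTE_REPOS[custom_pipeline])
        # Policy is evaluated on everything that is about to be loaded,
        # regardless of which path assembled it.
        if contains_custom_code(files) and not trust_remote_code:
            raise RemoteCodeRefused(name_or_path)
        return load_pipeline(files)


def load_outcome(loader, name_or_path, **kwargs):
    """'refused', 'executed' (custom code ran) or 'clean' (no custom code present)."""
    try:
        result = loader.from_pretrained(name_or_path, **kwargs)
    except RemoteCodeRefused:
        return "refused"
    return "executed" if result["executed_custom_code"] else "clean"


if __name__ == "__main__":
    for loader in (InsecurePipelineLoader, HardenedPipelineLoader):
        print(loader.__name__,
              load_outcome(loader, "/cache/custom-model"),
              load_outcome(loader, "vendor/plain-model", custom_pipeline="vendor/custom-model"))
```

The general lesson is independent of Diffusers: a trust decision belongs at the boundary where the untrusted input is finally consumed (here, just before any custom module is imported), not inside one of several helpers that may or may not be on the path.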
Arbitrary Code Injection
Overview flowise-components is the Flowiseai Components package. Affected versions of this package are vulnerable to Arbitrary Code Injection via the node-custom-function endpoint: user-supplied JavaScript is executed in a NodeVM sandbox without sufficient route-level authorization. A user can execute...
Incomplete List of Disallowed Inputs
Overview flowise-components is the Flowiseai Components package. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs due to inadequate input validation in the validateCommandFlags and validateArgsForLocalFileAccess functions. An attacker can execute arbitrary commands on the...
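The two validators named above, one for command flags and one for local file access, illustrate the same weakness class: a denylist must anticipate every spelling the underlying program accepts, whereas an allowlist only has to describe what the feature needs. The following is an added Python illustration of that pattern and is not Flowise's code (Flowise's validators are JavaScript and are not reproduced here). `validate_flags_denylist` and `validate_path_denylist` model the weak form; the `_allowlist` functions model the hardened form. The flag names, `ALLOWED_ROOT` and the sample inputs are constructed for the example.

```python
"""Added illustration of denylist vs. allowlist validation; not Flowise's code.
Flag names, ALLOWED_ROOT and all sample inputs are constructed for the example."""
import posixpath

# ---- command flags ---------------------------------------------------------
DENIED_FLAGS = {"--exec", "-e", "--output", "-o"}   # constructed denylist


def validate_flags_denylist(argv):
    """Weak: rejects exact matches only. '--exec=id', '-eid' and abbreviated
    long options such as '--ex' (accepted by getopt_long-style parsers) slip through."""
    return not any(arg in DENIED_FLAGS for arg in argv)


ALLOWED_FLAGS = {"--verbose", "--format"}            # constructed allowlist
ALLOWED_FORMAT_VALUES = {"json", "text"}


def validate_flags_allowlist(argv):
    """Hardened: every token must be a known flag; values are checked per flag."""
    it = iter(argv)
    for arg in it:
        if not arg.startswith("-"):
            return False                                # no positional arguments
        name, has_eq, inline_value = arg.partition("=")
        if name not in ALLOWED_FLAGS:
            return False
        if name == "--format":
            value = inline_value if has_eq else next(it, None)
            if value not in ALLOWED_FORMAT_VALUES:
                return False
        elif has_eq:
            return False                                # --verbose takes no value
    return True


# ---- local file access -----------------------------------------------------
DENIED_PATH_PREFIXES = ("/etc", "/proc")
ALLOWED_ROOT = "/srv/uploads"                           # assumed base directory


def validate_path_denylist(path):
    """Weak: string-prefix check; '../', '/./etc' and similar forms bypass it."""
    return not path.startswith(DENIED_PATH_PREFIXES)


def validate_path_allowlist(path):
    """Hardened: resolve the path against the root, then require it to stay inside.
    posixpath.normpath is a pure string operation (so this runs offline on any
    OS); against a real filesystem also apply os.path.realpath so that symlinks
    cannot escape the root."""
    resolved = posixpath.normpath(posixpath.join(ALLOWED_ROOT, path))
    return resolved == ALLOWED_ROOT or resolved.startswith(ALLOWED_ROOT + "/")


def denylist_bypasses(flag_samples, path_samples):
    """Inputs the weak checks accept but the allowlist checks reject."""
    flags = [a for a in flag_samples
             if validate_flags_denylist(a) and not validate_flags_allowlist(a)]
    paths = [p for p in path_samples
             if validate_path_denylist(p) and not validate_path_allowlist(p)]
    return flags, paths


if __name__ == "__main__":
    print(denylist_bypasses(
        [["--exec", "id"], ["--exec=id"], ["-eid"], ["--verbose"]],
        ["/etc/passwd", "/./etc/passwd", "../../etc/passwd", "report.txt"]))
```

Note that the allowlist version also refuses `--verbose=1` and bare positional arguments: anything the feature does not explicitly need is rejected, which is what makes the check complete by construction rather than by enumeration.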
NPM: Flowise has an MCP Security Bypass that Enables RCE
NPM: Flowise has an MCP Security Bypass that Enables RCE. Vulnerability in npm flowise-components versions = 3.1.1...
UBUNTU-CVE-2026-33376
When an IPv6 allow-list is configured for the Auth Proxy feature, addresses given without an explicit mask default to /32. On IPv6 a /32 is a prefix covering 2^96 addresses rather than a single host, so such an entry admits far more than the intended address. Addresses that specify a mask explicitly are not affected; to mitigate, add the desired mask (usually /128) to the addresses. Only the auth proxy is affected; Okta, SAML, LDAP, etc. are unaffected...
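The following added example, which is not the affected product's code, models the behaviour described above with Python's `ipaddress` module: `parse_entry_legacy` applies the /32 default to any bare address regardless of family, `parse_entry_fixed` uses the family's host-length prefix, and `find_overbroad_entries` is a small audit helper that lists the entries of an allow-list that would silently widen. The allow-list entries and client addresses are constructed (RFC 5737 / RFC 3849 documentation ranges).

```python
"""Added example modelling an IPv6 allow-list whose bare entries default to /32.
Not the affected product's code; entries and client addresses are constructed."""
import ipaddress


def parse_entry_legacy(entry, default_prefix=32):
    """Models the affected behaviour: a bare address gets /32 whatever its family.
    For IPv4 that is one host; for IPv6 it is a 2**96-address block."""
    if "/" not in entry:
        entry = f"{entry}/{default_prefix}"
    return ipaddress.ip_network(entry, strict=False)   # strict=False masks host bits


def parse_entry_fixed(entry):
    """Hardened: a bare address becomes a single-host network (/32 v4, /128 v6)."""
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    addr = ipaddress.ip_address(entry)
    return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")


def is_allowed(entries, client_ip, parse=parse_entry_fixed):
    """True if client_ip falls inside any allow-list entry under the given parser."""
    client = ipaddress.ip_address(client_ip)
    return any(client in parse(e) for e in entries)


def find_overbroad_entries(entries):
    """Audit helper: bare IPv6 entries, i.e. those the legacy default widens to /32.
    Adding an explicit mask (usually /128) to each of these is the mitigation."""
    return [e for e in entries
            if "/" not in e and ipaddress.ip_address(e).version == 6]


if __name__ == "__main__":
    allow = ["2001:db8::1", "2001:db8::2/128", "192.0.2.10"]   # constructed allow-list
    stranger = "2001:db8:ffff:ffff::1"                        # same /32, different host
    print("legacy admits stranger:", is_allowed(allow, stranger, parse_entry_legacy))
    print("fixed  admits stranger:", is_allowed(allow, stranger))
    print("entries to fix:", find_overbroad_entries(allow))
```

The entry `2001:db8::2/128` is unaffected under either parser, which is the page's point: only entries that rely on the default mask widen.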
CVE-2026-21821
CVE-2026-21821 affects the HCL BigFix SCM Reporting site, which uses an outdated, end-of-life jQuery 1.x. The description highlights exposure to publicly known weaknesses and potential client-side attacks (e.g., XSS or manipulation via vulnerable third-party components). The CVSS metrics indicate...