Apache Airflow Security Vulnerability
Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. Prior to Apache Airflow 9.28.0, there were security...
PT-2026-42004
Name of the Vulnerable Software and Affected Versions: apache-airflow-providers-amazon versions prior to 9.28.0. Description: In the AWS Secrets Manager and SSM Parameter Store secrets backends, the team-scoping logic could resolve a conn id containing a "/" (for example, "my team/conn") to the same pat...
MAL-2026-3892 Malicious code in @antv/f2-context (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
@antv/f-my (>=0.0.1 <=1.6.0), @antv/f2-my (>=4.0.0 <=5.0.0-alpha.1) +13 more potentially affected by unknown CVE via @antv/f2-context (>=0.0.0 <=0.0.1)
@antv/f2-context NPM version =0.0.0, =0.0.1, =4.0.0, =2.0.0, =0.1.0, =0.3.1, =0.3.1, =1.0.0, =1.1.0, =1.0.0, =1.0.1 - qn-pc-f2 =0.1.2 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVF2CONTEXT-16755086...
@antv/f-my (>=0.0.1 <=1.6.0), @antv/f2-my (>=4.0.0 <=5.0.0-alpha.1) +13 more potentially affected by unknown CVE via @antv/f2-context (>=0.0.0 <=0.0.1)
@antv/f2-context NPM version =0.0.0, =0.0.1, =4.0.0, =2.0.0, =0.1.0, =0.3.1, =0.3.1, =1.0.0, =1.1.0, =1.0.0, =1.0.1 - qn-pc-f2 =0.1.2 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVF2CONTEXT-16754917...
CVE-2026-8730
A flaw has been found in Open5GS up to 2.7.6. This impacts the function ogs_sbi_nf_instance_set_id in the library /lib/sbi/context.c of the component NRF. Executing a manipulation of the argument nfInstanceId can lead to denial of service. The attack may be performed from remote. The exploit has been...
Failing Open
Overview: n8n-mcp is an integration between n8n workflow automation and the Model Context Protocol (MCP). Affected versions of this package are vulnerable to Failing Open when handling multi-tenant HTTP requests (ENABLEMULTITENANT=true) containing one or neither of the x-n8n-url and x-n8n-key headers. An...
Spring AI MCP Security: Unvalidated URL Fetching (SSRF)
Summary: The mcp-security framework fails to implement the mandatory SSRF mitigations outlined in the Model Context Protocol (MCP) security specifications. Specifically, it processes untrusted URLs for OAuth-related discovery and metadata without verifying if the targets are malicious or internal to...
EUVD-2026-30758
Mattermost Desktop App versions =6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking window.close in the renderer context, leading to...
acrobat-reader-escape
Adobe Reader JS Sandbox Escape — POC Proof-of-concept for thr...
sec-recon-agent
sec-recon-agent Type-safe security triage built on Pydantic A...
PT-2026-41654
Mattermost Desktop App versions =6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking window.close in the renderer context, leading to...
EUVD-2026-30773
Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrar...
PT-2026-41672
Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrar...
CVE-2026-29964
HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output...
PT-2026-41691
Name of the Vulnerable Software and Affected Versions: mcp-security versions prior to 0.1.9. Description: The mcp-security framework fails to implement mandatory Server-Side Request Forgery (SSRF) mitigations—a flaw where an attacker can induce the server to make requests to an unintended location—as...
CVE-2026-26462
Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrar...
CVE-2026-26462
CVE-2026-26462 affects Offline Hospital Management System 5.3.0. The root cause is an improper Electron renderer configuration that enables Node.js integration while disabling context isolation, allowing JavaScript in the renderer to access Node.js APIs and execute arbitrary operating system comm...
CVE-2026-8744
A vulnerability was determined in Open5GS up to 2.7.7. Affected is the function ogs_sbi_subscription_data_add/ogs_sbi_nf_service_add in the library /lib/sbi/context.c of the component NRF. Executing a manipulation can lead to denial of service. It is possible to launch the attack remotely. The exploit ha...
CVE-2026-8743
Open5GS AMF/MME (Open5GS up to version 2.7.6) is affected by CVE-2026-8743 in the function ran_ue_find_by_amf_ue_ngap_id (src/amf/context.c). The issue causes improper authorization and can be triggered remotely. Exploit details have been made public. A patch is available (patch identifier: 5746b...