AstrBot has Incomplete Filtering of Special Elements

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function createtemplate of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The atta...

CVE-2026-6984

AstrBotDevs AstrBot up to version 4.22.1 contains a vulnerability in the Dashboard API, specifically in the create_template function (astrbot/dashboard/routes/t2i.py). The issue is improper neutralization of special elements used in the template engine, enabling remote execution. Public exploit i...

CVE-2026-6984

A security flaw has been discovered in AstrBotDevs AstrBot up to 4.22.1. This affects the function createtemplate of the file astrbot/dashboard/routes/t2i.py of the component Dashboard API. The manipulation results in improper neutralization of special elements used in a template engine. The atta...

sqlite: Fix of CVE-2018-8740

CVE-2018-8740: avoid a NULL pointer dereference when the sqlitemaster schema contains a corrupt CREATE TABLE AS entry...

AstrBot 安全漏洞

AstrBot is an open-source multi-platform LLM chatbot and development framework created by AstrBot. Versions of AstrBot 4.22.1 and earlier contained a security vulnerability. This vulnerability stemmed from an issue in the createtemplate function within the Dashboard API’s routes/t2i.py file, wher...

CVE-2026-31646

A flaw was found in the Linux kernel's lan966x network driver. An error in handling the return value from the pagepoolcreate function can lead to the use of an invalid memory pointer. This improper error handling can cause a kernel oops, resulting in a Denial of Service DoS for the affected syste...

CVE-2026-41248

Clerk JavaScript is the official JavaScript repository for Clerk authentication. createRouteMatcher in @clerk/nextjs, @clerk/nuxt, and @clerk/astro can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers. This vulnerability is fixed in...

Kirby is vulnerable to authorization bypass during page, file and user creation via blueprint injection

TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to create pages, files or users pages.create, files.create or users.create permission is disabled. This can be due to configuration in the user blueprints, via options in the model blueprints or v...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the createChainMiddleware function. Even when providers.kubernetesCRD.allowCrossNamespace=false is set, references in spec.chain.middlewares may be followed to access objects in other namespaces. A user with...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the createChainMiddleware function. Even when providers.kubernetesCRD.allowCrossNamespace=false is set, references in spec.chain.middlewares may be followed to access objects in other namespaces. A user with...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the createChainMiddleware function. Even when providers.kubernetesCRD.allowCrossNamespace=false is set, references in spec.chain.middlewares may be followed to access objects in other namespaces. A user with...

CLSA-2026-1777052042 sqlite: Fix of CVE-2018-8740

CVE-2018-8740: avoid a NULL pointer dereference when the sqlitemaster schema contains a corrupt CREATE TABLE AS entry...

CVE-2026-31646

In the Linux kernel, the following vulnerability has been resolved: net: lan966x: fix pagepool error handling in lan966xfdmarxallocpagepool pagepoolcreate can return an ERRPTR on failure. The return value is used unconditionally in the loop that follows, passing the error pointer through...

CVE-2026-31567

In the Linux kernel, the following vulnerability has been resolved: PM: sleep: Drop spurious WARNON from pmrestoregfpmask Commit 35e4a69b2003f "PM: sleep: Allow pmrestrictgfpmask stacking" introduced refcount-based GFP mask management that warns when pmrestoregfpmask is called with savedgfpcount ...

CVE-2026-41325

Kirby exposes an authorization bypass vulnerability during creation of pages, files and users via dynamic blueprint injection. Prior to versions 4.9.0 and 5.4.0, an attacker could inject custom blueprint options (e.g., 'create' => true) into the model data, overriding permissions defined in us...

CVE-2026-34587

Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... ...

Kirby 安全漏洞

Kirby is a set of open-source content management systems based on files. Versions of Kirby prior to 4.9.0 and 5.4.0 have security vulnerabilities. These vulnerabilities stem from the fact that the changeStatus permission does not take effect during page creation. This could allow authenticated...

Kirby 安全漏洞

Kirby is a set of open-source content management systems based on files. Versions of Kirby prior to 4.9.0 and 5.4.0 have security vulnerabilities. These vulnerabilities stem from the fact that the changeStatus permission does not take effect during page creation. This could allow authenticated...

GHSA-9WFJ-C55W-J9QR Kirby has XML injection in its XML creator toolkit

TL;DR This vulnerability only affects Kirby sites that use the Xml data handler e.g. Data::encode$string, 'xml' or the Xml::create, Xml::tag or Xml::value methods in site or plugin code. The Kirby core does not use any of the affected methods. If consumers use an affected method and cannot rule o...

CVE-2026-41277 Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key id and internal state fields of DocumentStore entities. Because the...