PYSEC-0000-CVE-2026-42359

A bug in Apache Airflow's XCom PATCH endpoint PATCH /api/v2/xcomEntries/key allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names e.g. returnvalue that the matching POST endpoint already validated against FORBIDDENXCOMKEYS. The...

PT-2026-26441

Name of the Vulnerable Software and Affected Versions SuiteCRM versions 7.15.0 and 8.9.2 Description SuiteCRM is an open-source Customer Relationship Management CRM software application. A critical Remote Code Execution RCE issue exists, allowing authenticated administrators to execute arbitrary...

A deep dive into MUTZ

AtDEF CON 33, we shared our research into MapUrlToZone, a critical Windows security component that determines whether a given path is local, on the intranet, or on the broader Internet. This classification drives several security decisions across Windows, for example, preventing a CreateFile call...

CVE-2025-61590 Cursor is vulnerable to RCE via .code-workspace files using Prompt Injection

Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution RCE attacks through Visual Studio Code Workspaces. Workspaces allow users to open more than a single folder and save specific settings pretty similar to .vscode/settings.json for...

Improper Control of Generation of Code ('Code Injection')

Overview Affected versions of this package are vulnerable to Improper Control of Generation of Code 'Code Injection'. This is due to a bypass of CVE-2024-27980. A malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled. Note...