CVE-2026-41696 Spring Data MongoDB Bind Parameter Literal Quoting Breakout
Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of the bound parameter. An attacker can supply a crafted string to break out of the intended regular expression quoting. Affected versions: Spring Data MongoDB 5.0.0...
CVE-2026-41696
Spring Data MongoDB CVE-2026-41696 affects multiple versions (5.0.0–5.0.5; 4.5.0–4.5.11; 4.4.0–4.4.14; 4.3.0–4.3.16; 4.2.0–4.2.15; 4.1.0–4.1.14; 4.0.0–4.0.15; 3.4.0–3.4.19). The issue is insufficient validation of bound parameters in repository query methods annotated with @Query that use regex b...
CVE-2026-41695 Denial of Service in Spring Data Commons Property Path Resolution
Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through...
EUVD-2026-35891
Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through...
CVE-2026-41695
Spring Data Commons contains a Denial of Service risk (CVE-2026-41695) caused by resource exhaustion during property path resolution in MappingContext. Affected versions are Spring Data Commons 4.0.0–4.0.5; 3.5.0–3.5.11; 3.4.0–3.4.14. The provided documents describe the issue and affected release...
Malicious code in sb-original (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c0e07a765f6ef2042da47b1c017ecc5f6f1f99167da76e04c4b2c4ea6ecfcb83 [email protected] is an unscoped package whose version is set to 9999.99.99 to win semver resolution against any internal package of the same...
MAL-2026-5490 Malicious code in sb-original (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c0e07a765f6ef2042da47b1c017ecc5f6f1f99167da76e04c4b2c4ea6ecfcb83 [email protected] is an unscoped package whose version is set to 9999.99.99 to win semver resolution against any internal package of the same...
EUVD-2026-35869
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, a stored cross-site scripting vulnerability in the prescription CSS/HTML multi-print feature allows a patient portal user to execute arbitrary JavaScript in a...
Unbounded recursion in BSONColumn interleaved-reference causes pre-auth stack overflow
A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions,...
CVE-2026-9751 Sensitive data could be written to mongod.log
The ldapQueryPassword parameter, when set through the runtime setParameter command, will log the new password to the mongod.log file in plain text...
MAL-2026-5489 Malicious code in bittensor-emission-tracker (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ca5db94f9840938f43eca692c1176b72bbd94a2f86a694c3293853f39b886a2f The package advertises Bittensor subnet burn-rate monitoring but ships a Cython-compiled darwin.so core.cpython-310-darwin.so containing an...
[SECURITY] [DSA 6334-1] poppler security update
Debian Security Advisory DSA-6334-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso June 09, 2026 https://www.debian.org/security/faq -...
CVE-2026-49755
Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in wojtekmach Req allows attacker-controlled HTTP servers to exhaust memory in a Req client via decompression-bomb response bodies. Req's default response pipeline includes Req.Steps.decode_body/1 and...
CVE-2026-46443
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, when credentials are fetched with a credentialName filter parameter, the encryptedData field is not stripped from the response. The code properly omits encryptedData when no filter is...
Malicious code in mcp-server-git (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4cf54d60f4aeb261f3b4c523293183b728b02bc20255aeab62d7f86c94adc7ed package.json declares postinstall: node index.js. On every npm install, index.js lines 14-29 reads os.hostname, process.cwd, os.platform, the npm...
MAL-2026-5476 Malicious code in mcp-server-fetch (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 34dfb6dc382073bace8a4d413b28000ff42770d04b9f69a88906230e2d83260a Package squats the unscoped name mcp-server-fetch an MCP server name commonly invoked via npx mcp-server-fetch by AI coding agents and developer...
Malicious code in mcp-server-postgres (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0b86cc4cf49b5d6cda37126f6a0c7c9f9fec648eb4d4743b6f39423613d3122 Package squats the unscoped name mcp-server-postgres impersonating the official scoped MCP postgres server. package.json declares "postinstall": "nod...
MAL-2026-5481 Malicious code in mcp-server-postgres (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f0b86cc4cf49b5d6cda37126f6a0c7c9f9fec648eb4d4743b6f39423613d3122 Package squats the unscoped name mcp-server-postgres impersonating the official scoped MCP postgres server. package.json declares "postinstall": "nod...
MAL-2026-5482 Malicious code in mcp-server-redis (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c94a122c1dd231888bc72b52cbef5dbdd793d2680f7e7e36385bd06e07dc20fd Package claims the unscoped name mcp-server-redis to intercept npx mcp-server-redis invocations intended for the legitimate MCP Redis server ecosyste...