CVE-2026-46243

In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego descriptions cifs.spnego key descriptions contain authority-bearing fields such as pid, uid, creduid, and upcalltarget that cifs.upcall treats as kernel-originating inputs. However,...

CVE-2026-46243

The CVE-2026-46243 entry concerns the Linux kernel CIFS client. It fixes a bug where cifs.spnego key descriptions could be created by userspace (via request_key(2) or add_key(2)) and include fields (pid, uid, creduid, upcall_target) that are treated as kernel-origin inputs. The fix restricts acce...

CVE-2026-9194

REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage...

EUVD-2026-33304

WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders categorydescription as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes whe...

CVE-2026-47694 WWBN AVideo: Stored XSS via unescaped Gallery category description

WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders categorydescription as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes whe...

CVE-2026-47694

WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders categorydescription as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes whe...

PT-2026-44848

WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category description as raw HTML in the Gallery view. A user who can create or edit categories can store JavaScript in a category description, which executes wh...

WWBN AVideo 安全漏洞

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to version 29 contain security vulnerabilities. These vulnerabilities stem from storing user-input category descriptions as raw HTML during Gallery view rendering. This allows...

The Surface You Test Is Not the Surface That Breaks

Tool-augmented LLM agents are vulnerable to prompt injection: a third party who controls part of the agent's context can plant instructions that the agent then executes as if they came from the user. Current evaluations report a single attack success rate per model on one channel, the tool output...

ALPINE-CVE-2026-4480

A flaw was found in the Samba printing subsystem. Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. A remote attacker could exploit this vulnerability by...

Samba 操作系统命令注入漏洞

Samba is an open-source suite of standard Windows interoperability programs for Linux and Unix systems. Samba has a vulnerability related to operating system command injection, which arises from the lack of escaping shell metacharacters when passing client-controlled job description strings to...

EUVD-2026-31358

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security te...

CVE-2026-8240

Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security te...

EUVD-2026-31210

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

CVE-2026-8342

REJECT DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage...

PT-2026-41347

Podcast Generator 3.1 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long description parameter. Attackers can inject script tags through episode creation or editing requests ...

ethyca-fides has a DOM-based XSS vulnerability in fides.js via fides_description override

Summary fides.js is the script that renders Fides's consent banner on customer websites. It lets the embedding page override the banner's description text at runtime via a URL query parameter, a JavaScript global, or a cookie. On sites that have opted into HTML-formatted descriptions, the...

Cross-site Scripting (XSS)

Overview ethyca-fides is an Open-source ecosystem for data privacy as code. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the fides.js script's override mechanism for the banner description field when HTML-formatted descriptions are enabled. An attacker can...

CVE-2026-42159 Flowsint: Stored XSS in description of node

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised...

EUVD-2026-30308

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised...