Vite - Arbitrary File Read

Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. @fs denies access to files outside of Vite serving allow list. Adding ?raw?? or ?import&raw?? to the URL bypasses this limitation and returns the file content if it...

Command Injection

aws-cdk-lib is vulnerable to Command Injection. The vulnerability is due to improper sanitization of user-controlled bundling properties in the NodejsFunction local bundling pipeline, which allows an attacker to inject shell metacharacters and execute arbitrary commands on the host running the CD...

PT-2026-49906

Name of the Vulnerable Software and Affected Versions Oracle Fusion Middleware Oracle Application Development Framework ADF version 12.2.1.4.0 Oracle Fusion Middleware Oracle Application Development Framework ADF version 14.1.2.0.0 Description An issue exists in the ADF Faces component of the...

PT-2026-49903

Name of the Vulnerable Software and Affected Versions Oracle Application Development Framework ADF version 12.2.1.4.0 Oracle Application Development Framework ADF version 14.1.2.0.0 Description An issue exists in the ADF Shared Components of the Oracle Fusion Middleware. A high privileged attacke...

PT-2026-49904

Name of the Vulnerable Software and Affected Versions Oracle Application Development Framework ADF version 12.2.1.4.0 Oracle Application Development Framework ADF version 14.1.2.0.0 Description An issue exists in the Security Framework component of the Oracle Application Development Framework ADF...

PT-2026-49905

Vulnerability in the Oracle Application Development Framework ADF product of Oracle Fusion Middleware component: Java Business Objects. Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the...

PT-2026-50023

Name of the Vulnerable Software and Affected Versions Oracle Process Manufacturing Product Development versions 12.2.3 through 12.2.15 Description An issue exists in the Quality Management Specs component of the Oracle Process Manufacturing Product Development product within Oracle E-Business...

PT-2026-50024

Name of the Vulnerable Software and Affected Versions Oracle Process Manufacturing Product Development versions 12.2.3 through 12.2.15 Description An issue exists in the Internal Operations component of the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite. A low...

Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json`

Summary When running nuxt dev, Nuxt registers an unauthenticated route at /.well-known/appspecific/com.chrome.devtools.json that returns the absolute filesystem path of the project root and a per-project UUID persisted to nodemodules/.cache/nuxt/chrome-workspace.json. The route is enabled by...

CVE-2026-30120

remotion-dev remotion v4.0.409 was discovered to contain a remote code execution RCE vulnerability...

What Changed in OWASP Top 10 2025 and Recommendations for Each Category

Key Takeaways 1. The 2025 list introduces two new categories – Software Supply Chain Failures A03 and Mishandling of Exceptional Conditions A10 - reflecting attacks already happening in production. 2. Security Misconfiguration jumping from 5 to 2 signals that continuous deployment without...

CVE-2026-9595 webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies

Impact: When a user-configured proxy on webpack-dev-server has a broad context e.g. / and ws: true, it also intercepts the dev server's own HMR WebSocket and forwards it to the proxy target. This leaks the browser's cookies and Origin header to the backend, bypasses the dev server's Host/Origin...

[SECURITY] Fedora 44 Update: python-django5-5.2.15-1.fc44

Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY Don't Repeat Yourself principle...

kernel-devel-7.0.12-1.1 on GA media (moderate)

kernel-devel-7.0.12-1.1 on GA media Announcement ID: openSUSE-SU-2026:11014-1 Rating: moderate Cross-References: CVE-2026-46244 CVE-2026-46273 CVE-2026-46274 CVE-2026-46275 CVE-2026-46276 CVE-2026-46277 CVE-2026-46278 CVE-2026-46279 CVE-2026-46280 CVE-2026-46281 CVE-2026-46282 CVE-2026-46283...

Exploit-Development-master

Exploit-Dev...

Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: nodejs24: nodejs24-24.16.0-1.hum1 aarch64, x8664 nodejs24-bin-24.16.0-1.hum1 noarch nodejs24-devel-24.16.0-1.hum1 aarch64, x8664 nodejs24-docs-24.16.0-1.hum1 noarch...

kiro-cybersecurity-skills

CyberSecurity Skills A collection of 15 security workflows co...

GHSA-G7R4-M6W7-QQQR esbuild allows arbitrary file read when running the development server on Windows

Summary The development server contains a path traversal vulnerability on Windows when serving files from servedir. Due to the use of path.Clean which only normalizes forward-slash / separators instead of a Windows-aware path normalization function, it is possible to craft requests using...

CVE-2026-50011

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken fro...

CVE-2026-50010

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, SimpleTrustManagerFactory.engineGetTrustManagers and related paths wrap any user-supplied plain X509TrustManager in X509TrustManagerWrapper, which extends...