CVE-2026-25879 Langroid has Prompt to SQL Injection, Leading to RCE

Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or filesystem access...

Astra Linux - уязвимость в linux-5.10, linux

In the Linux kernel, the following vulnerability has been resolved: cifs: Fixed the error in the length of the VALIDATENEGOTIATEINFO message. A commit with the code d5c7076b772a was made: “smb3: Added “smb3.1.1” to the default dialect list.” The number of dialects was extended from 3 to 4. Howeve...

Astra Linux - уязвимость в linux-5.15

In the Linux kernel, the following vulnerability has been resolved: cifs: fix small mempool leak in SMB2negotiate In some cases of failure dialect mismatches in SMB2negotiate, after the request is sent, the checks would return -EIO when they should be rather setting rc = -EIO and jumping to negex...

SQL Injection

Overview drizzle-orm is a Drizzle ORM package for SQL databases Affected versions of this package are vulnerable to SQL Injection through the escapeName handling in the PostgreSQL, SQLite, and SingleStore dialects. An attacker can inject arbitrary SQL by supplying a malicious identifier to...

Drizzle ORM has SQL injection via improperly escaped SQL identifiers

Summary Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled...

CVE-2026-32763

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...

PT-2026-26762

Name of the Vulnerable Software and Affected Versions Kysely versions prior to 0.28.14 Description Kysely's DefaultQueryCompiler.sanitizeStringLiteral function inadequately escapes backslashes when handling string literals. Specifically, it only doubles single quotes but does not address...

CVE-2026-32763 SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.

Kysely is a type-safe TypeScript SQL query builder. Versions up to and including 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path...

GHSA-WMRF-HV6W-MR66 SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.

Summary Kysely through 0.28.11 has a SQL injection vulnerability in JSON path compilation for MySQL and SQLite dialects. The visitJSONPathLeg function appends user-controlled values from .key and .at directly into single-quoted JSON path string literals '$.key' without escaping single quotes. An...

quantguard (>=0.1.37 <=0.1.38), superset-sqlalchemy-gizmosql-adbc-dialect (>=0.0.3 <=0.0.9) potentially affected by CVE-2026-23983 via apache-superset (>=4.1.4 <=5.0.0)

apache-superset PYPI version =4.1.4, =0.1.37, =0.0.3, =0.0.9 Source cves: CVE-2026-23983 Source advisory: OSV:GHSA-H294-8FXM-M2PJ...

quantguard (>=0.1.37 <=0.1.38), superset-sqlalchemy-gizmosql-adbc-dialect (>=0.0.3 <=0.0.9) potentially affected by CVE-2026-23982 via apache-superset (>=4.1.4 <=5.0.0)

apache-superset PYPI version =4.1.4, =0.1.37, =0.0.3, =0.0.9 Source cves: CVE-2026-23982 Source advisory: OSV:GHSA-3M2G-V7JF-7FXC...

quantguard (>=0.1.37 <=0.1.38), superset-sqlalchemy-gizmosql-adbc-dialect (>=0.0.3 <=0.0.9) potentially affected by CVE-2026-23984 via apache-superset (>=4.1.4 <=5.0.0)

apache-superset PYPI version =4.1.4, =0.1.37, =0.0.3, =0.0.9 Source cves: CVE-2026-23984 Source advisory: OSV:GHSA-MWF2-QR4V-94H2...

quantguard (>=0.1.37 <=0.1.38), superset-sqlalchemy-gizmosql-adbc-dialect (>=0.0.3 <=0.0.9) potentially affected by CVE-2026-23980 via apache-superset (>=4.1.4 <=5.0.0)

apache-superset PYPI version =4.1.4, =0.1.37, =0.0.3, =0.0.9 Source cves: CVE-2026-23980 Source advisory: OSV:GHSA-GVXG-9HQX-F4RG...

CakePHP 5.3.2 Released

CakePHP 5.3.2 Released The CakePHP core team is happy to announce the immediate availability of CakePHP 5.3.2. This is a maintenance release for the 5.3 branch that fixes community reported issues, regressions and a security issue with PaginatorHelper. Bugfixes You can expect the following change...

CVE-2022-50859

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix the error length of VALIDATENEGOTIATEINFO message Commit d5c7076b772a "smb3: add smb3.1.1 to default dialect list" extend the dialects from 3 to 4, but forget to decrease the extended length when specific the dialect,...

EUVD-2019-10984

Malware in sbrugna...

EUVD-2019-0721

Malware in sbrugna...

EUVD-2019-0687

Malware in sbrugna...

EUVD-2022-6798

Malicious code in bioql PyPI...

datashadric (>=0.2.1 <=0.2.2), superset-custom-visual (=0.1.0) +3 more potentially affected by CVE-2025-55674 via apache-superset (=6.0.0)

apache-superset PYPI version =6.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on apache-superset and may be impacted: - datashadric =0.2.1, =0.1.0, =0.1.13 - superset-sqlalchemy-gizmosql-adbc-dialect =0.0.10 Source cves: CVE-2025-55674 Source...