PT-2026-36637

Name of the Vulnerable Software and Affected Versions Apache OpenNLP versions prior to 2.5.9 Apache OpenNLP versions prior to 3.0.0-M3 Description An OutOfMemory OOM Denial of Service exists in the AbstractModelReader class. The methods getOutcomes, getOutcomePatterns, and getPredicates read a...

PT-2026-36635

Name of the Vulnerable Software and Affected Versions Apache OpenNLP versions prior to 2.5.9 Apache OpenNLP versions prior to 3.0.0-M3 Description The DictionaryEntryPersistor class initializes a static SAXParserFactory without enabling FEATURE SECURE PROCESSING or disabling DTD processing. When...

PT-2026-36636

Name of the Vulnerable Software and Affected Versions Apache OpenNLP versions prior to 2.5.9 Apache OpenNLP versions prior to 3.0.0-M3 Description The ExtensionLoader.instantiateExtensionClass, String function loads a class by its fully-qualified name using Class.forName and invokes its no-arg...

EUVD-2026-26072

A vulnerability was determined in JeecgBoot up to 3.9.1. Impacted is the function SqlInjectionUtil of the file jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java of the component loadDict Endpoint. This manipulation of the argument keyword causes sql...

JLSEC-2026-278

An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the time the second rclone was started. This limi...

blueprintUE self-hosted edition 安全漏洞

The blueprintUE self-hosted edition is an open-source data modeling and visualization tool developed by blueprintUE. Versions prior to blueprintUE self-hosted edition 4.2.0 contained security vulnerabilities. These vulnerabilities stemmed from the login form processor not implementing any type of...

EUVD-2026-23666

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to...

PT-2026-33595

Name of the Vulnerable Software and Affected Versions Apache Airflow versions prior to 3.2.0 Description Secrets stored within variables as JSON dictionaries are not properly redacted. When a user retrieves these variables, secrets located in nested fields are not masked. Recommendations Upgrade ...

GHSA-F5V8-V6Q3-Q4H6 Meridian: Multiple defense-in-depth gaps (collection/depth caps, telemetry, retry, fan-out)

Summary Meridian v2.1.0 Meridian.Mapping and Meridian.Mediator shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity — the advertised DefaultMaxCollectionItems and DefaultMaxDepth safety caps are silently bypassed on the IMapper.Mapsource, destination...

EUVD-2019-20143

Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using...

GHSA-XXXG-X793-7FQ3 Dolibarr has SQL injection vulnerability in the rowid parameter of the admin dict.php

Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using...

EUVD-2026-21692

A Cross-site Scripting XSS vulnerability was identified in the fromdict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...

CVE-2026-1116 Cross-site Scripting (XSS) in parisneo/lollms

A Cross-site Scripting XSS vulnerability was identified in the fromdict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...

EUVD-2026-21063

LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-string prompt-template validation was incomplete in two respects. First, some prompt template classes accepted f-string templates and formatted them without enforcing the same...

CVE-2026-34052 LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)

LTI JupyterHub Authenticator is a JupyterHub authenticator for LTI. Prior to version 1.6.3, the LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send...

CVE-2026-34052

LTI JupyterHub Authenticator is a JupyterHub authenticator for LTI. Prior to version 1.6.3, the LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send...

Infinite Loop

pypdf is vulnerable to an Infinite Loop. The vulnerability is due to reading a file in non‑strict mode during dictionary recovery, where the DictionaryObject.readfromstream method can enter an infinite loop and an attacker can craft a PDF to trigger it...

CVE-2026-33699 pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream

pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider...

CVE-2026-33699

CVE-2026-33699 affects the pypdf library (Python), with versions prior to 6.9.2 vulnerable to an infinite loop when reading a PDF in non-strict mode. The root cause is within DictionaryObject.read_from_stream processing, leading to potential hang. A fix is available in pypdf 6.9.2, and multiple O...

CVE-2026-33699 pypdf: Possible infinite loop during recovery attempts in DictionaryObject.read_from_stream

pypdf is a free and open-source pure-python PDF library. Versions prior to 6.9.2 have a vulnerability in which an attacker can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode. This has been fixed in pypdf 6.9.2. If users cannot upgrade yet, consider...