CVE-2026-43888

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's...

CVE-2026-43888 Outline: Zip Extraction Path Escape via PATH_MAX Truncation in Collection Import

Outline is a service that allows for collaborative documentation. Prior to 1.7.0, ZipHelper.extract computes the extraction path for each entry by passing a full filesystem path through trimFileAndExt, a filename helper that calls path.basename on its input when truncating. When a zip entry's...

CVE-2026-28995

A logic issue was addressed with improved restrictions. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, watchOS 26.5. A malicious app may be able to break out of its sandbox...

CVE-2026-28995

CVE-2026-28995 describes a logic issue that could allow a malicious app to break out of its sandbox. It affects Apple platforms including iOS/iPadOS versions 18.7.9 and 26.5, macOS Tahoe 26.5, tvOS 26.5, visionOS 26.5, and watchOS 26.5. Apple states the fix is in these versions; no public exploit...

CVE-2026-28923

A logging issue was addressed with improved data redaction. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. A malicious app may be able to break out of its sandbox...

CVE-2026-28923

A logging issue was addressed with improved data redaction. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. A malicious app may be able to break out of its sandbox...

CVE-2026-28978

CVE-2026-28978 is a macOS sandbox-permissions issue addressed by Apple in security content updates. The vulnerability allows a malicious app to break out of its sandbox, with fixed versions listed as macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5. Public documents (NVD, RH, EUVD,...

CVE-2026-28978

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. A malicious app may be able to break out of its sandbox...

CVE-2026-28978

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. A malicious app may be able to break out of its sandbox...

CVE-2026-7321

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component...

GHSA-FJ2M-QVH9-JQ4Q local-deep-research is Vulnerable to HTML Injection via Unescaped User Input in PDF Export (`pdf_service.py:_markdown_to_html`)

Summary PDFService.markdowntohtml constructs an HTML document by interpolating user-controlled values — specifically title sourced from research.title or research.query and metadata key-value pairs — directly into an f-string without any HTML escaping. An authenticated attacker can craft a resear...

Arbitrary Code Injection

Overview @nyariv/sandboxjs is a Javascript sandboxing library. Affected versions of this package are vulnerable to Arbitrary Code Injection via createFunction in executorUtils.ts. An attacker can escape the sandbox and execute arbitrary code in the host environment by leveraging access to interna...

GHSA-G8F2-4F4F-5JQW SandboxJS has a sandbox escape via Function.caller leakage of internal call op

Summary Sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function...

SandboxJS has a sandbox escape via Function.caller leakage of internal call op

Summary Sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function...

USN-8267-1: Linux kernel vulnerabilities

Qualys discovered that several vulnerabilities existed in the AppArmor Linux kernel Security Module LSM. An unprivileged local attacker could use these issues to load, replace, and remove arbitrary AppArmor profiles causing denial of service, exposure of sensitive information kernel memory, local...

USN-8267-1 linux-azure, linux-azure-fips, linux-oracle vulnerabilities

Qualys discovered that several vulnerabilities existed in the AppArmor Linux kernel Security Module LSM. An unprivileged local attacker could use these issues to load, replace, and remove arbitrary AppArmor profiles causing denial of service, exposure of sensitive information kernel memory, local...

EUVD-2026-29078

Angular Expressions - Remote Code Execution using filters...

Eval Injection

Overview angular-expressions is an Angular expression as standalone module. Affected versions of this package are vulnerable to Eval Injection when using filters. An attacker can execute arbitrary code on the system by crafting a malicious expression that escapes the intended sandbox. Remediation...

Angular Expressions - Remote Code Execution using filters

Impact An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. Example of vulnerable code: const expressions = require"angular-expressions"; const result = expressions.compile"a | proto", ; This should throw the error : Filter 'proto' is not...

CVE-2026-44643

Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox to execute arbitrary code on the system. This vulnerability is fixed in 1.5.2...