@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions

Summary @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection through the escapeNodeAttributeValues process. An attacker can execute arbitrary operating system commands by crafting a malicious .sy.zip file containing specially formatted block attribute values, which, when...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection through the escapeNodeAttributeValues process. An attacker can execute arbitrary operating system commands by crafting a malicious .sy.zip file containing specially formatted block attribute values, which, when...

Important: ecs-service-connect-agent

Issue Overview: Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, the Envoy RBAC Role-Based Access Control filter contains a logic vulnerability in how it validates HTTP headers when multiple values are present for the same header name. Instead o...

PT-2026-35854

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 147.0.7727.138 Description An out of bounds read and write issue exists in Angle, which could allow a remote attacker to potentially perform a sandbox escape by using a crafted HTML page. Recommendations Update ...

PT-2026-29466

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 146.0.7680.178 Description A use-after-free issue exists in the WebView component of Google Chrome on Android. A remote attacker who has compromised the renderer process could potentially perform a sandbox escap...

PT-2026-29499

Summary @tinacms/graphql uses string-based path containment checks in FilesystemBridge: - path.resolvepath.joinbaseDir, filepath - startsWithresolvedBase + path.sep That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the...

Payload 路径遍历漏洞

Payload is a headless CMS and application framework built using TypeScript, Node.js, React, and MongoDB. Versions of Payload prior to 3.78.0 contained a path traversal vulnerability. This vulnerability stemmed from the client-side upload signature URL endpoint not properly cleaning file names,...

PT-2026-29831

Summary SubprocessSandbox in all modes BASIC, STRICT, NETWORK ISOLATED calls subprocess.run with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode...

PT-2026-29668

Name of the Vulnerable Software and Affected Versions Copier versions prior to 9.14.1 Description Copier's subdirectory setting, intended to specify the template root, incorrectly allows parent directory traversal sequences like ... This allows a template to escape its directory and render files...

PT-2026-38107

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.96 Description A type confusion issue exists in the Accessibility component of Google Chrome on Windows. This flaw allows a remote attacker who has already compromised the renderer process to...

PT-2026-29522

Name of the Vulnerable Software and Affected Versions ByteDance Deer-Flow versions prior to commit 92c7a20 Description ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling. This allows attackers to execute arbitrary commands on the host...

PT-2026-38109

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.96 Description Insufficient data validation in InterestGroups allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. A sandb...

ALSA-2026:6342 Important: thunderbird security update

Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: firefox: thunderbird: Use-after-free in the JavaScript Engine component CVE-2026-4701 firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and...

RHEL 10 : thunderbird (RHSA-2026:6342)

The remote Redhat Enterprise Linux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:6342 advisory. Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: firefox: thunderbird: Use-after-free in the JavaScript Engin...

Linux Distros Unpatched Vulnerability : CVE-2026-5290

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use after free in Compositing in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform...

Google Chrome < 146.0.7680.177 Multiple Vulnerabilities

The version of Google Chrome installed on the remote macOS host is prior to 146.0.7680.177. It is, therefore, affected by multiple vulnerabilities as referenced in the 202603stable-channel-update-for-desktop31 advisory. - Use after free in Compositing in Google Chrome prior to 146.0.7680.178...

Linux Distros Unpatched Vulnerability : CVE-2026-5289

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use after free in Navigation in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially perform ...

Linux Distros Unpatched Vulnerability : CVE-2026-5288

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Use after free in WebView in Google Chrome on Android prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to potentially...

Amazon Linux 2 : ecs-service-connect-agent, --advisory ALAS2ECS-2026-100 (ALASECS-2026-100)

The version of ecs-service-connect-agent installed on the remote host is prior to v1.34.13.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ECS-2026-100 advisory. Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and...