org.apache.dolphinscheduler:dolphinscheduler-alert-server (>=3.2.1 <=3.3.0-alpha), org.apache.dolphinscheduler:dolphinscheduler-extract-alert (>=3.2.1 <=3.3.0-alpha) +13 more potentially affected by CVE-2025-62233 via org.apache.dolphinscheduler:dolphinscheduler-extract-base (>=3.2.1 <=3.3.0-alpha)

org.apache.dolphinscheduler:dolphinscheduler-extract-base MAVEN version =3.2.1, =3.2.1, =3.2.1, =3.2.1, =3.2.1, =3.2.1, =3.2.1, =3.2.1, =3.2.1, =3.2.1, =3.2.1, =3.2.1, =3.2.1, =3.2.1, =3.3.0-alpha - o...

MAL-2026-3002 Malicious code in lyrox (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a758a1be229d0656a639cd9e76cb14b3224260a08da87b6de28ff2bc4c1d48ba Heavy obfuscate code for extracting further obfuscate binaries and executing them using file less techniques. Some versions contain the executable embedded,...

GHSA-J5W5-568X-RQ53 Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution

Summary A command injection vulnerability in the extractLLM function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync without proper sanitization, enabling remote code execution when the...

GHSA-PQF5-4PQQ-29F5 rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1

Deriver::derive and PkeyCtxRef::derive sets len = buf.len and passes it as the in/out length to EVPPKEYderive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming keylen, unconditionally writing the full shared secret 32/56/prime-size bytes. A...

rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1

Deriver::derive and PkeyCtxRef::derive sets len = buf.len and passes it as the in/out length to EVPPKEYderive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming keylen, unconditionally writing the full shared secret 32/56/prime-size bytes. A...

SUSE CVE-2026-39377

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The...

CVE-2026-40344 MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler PutObjectExtractHandler allows any user who knows a valid access key to write...

CVE-2026-40344 MinIO has an Unauthenticated Object Write via Missing Signature Verification in Unsigned-Trailer Uploads

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler PutObjectExtractHandler allows any user who knows a valid access key to write...

CVE-2026-40344

MinIO is affected by an authentication bypass in the Snowball auto-extract handler (PutObjectExtractHandler) prior to RELEASE.2026-04-11T03:20:12Z. An attacker with a valid access key (including the default minioadmin or any key with WRITE on a bucket) can write arbitrary objects to any bucket wi...

CVE-2026-40344

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's Snowball auto-extract handler PutObjectExtractHandler allows any user who knows a valid access key to write...

PT-2026-34619

rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.27 to before 0.10.78, Deriver::derive and PkeyCtxRef::derive sets len = buf.len and passes it as the in/out length to EVP PKEY derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and...

GHSA-4C99-QJ7H-P3VG nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames

Arbitrary File Write via Path Traversal in Cell Attachment Filenames Summary nbconvert allows arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The ExtractAttachmentsPreprocessor passes attachment...

nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames

Arbitrary File Write via Path Traversal in Cell Attachment Filenames Summary nbconvert allows arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The ExtractAttachmentsPreprocessor passes attachment...

Uncontrolled Recursion

Overview Affected versions of this package are vulnerable to Uncontrolled Recursion via the ExtractPluginFromImage function. An attacker can cause disk exhaustion by supplying a crafted container image containing a decompression bomb, which decompresses to an arbitrarily large file during plugin...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the ExtractAttachmentsPreprocessor function. An attacker can write arbitrary files to locations outside the intended output directory by crafting cell attachment filenames containing path traversal sequences...

nbconvert 路径遍历漏洞

nbconvert is a format conversion library from the Jupyter organization. It converts Jupyter .ipynb notebook files into other static formats, including HTML, LaTeX, PDF, Markdown, etc. Version 6.5 to 7.17.0 of nbconvert has a path traversal vulnerability. This vulnerability stems from the improper...

CVE-2026-6616 TransformerOptimus SuperAGI WebScraperTool webpage_extractor.py extract_with_lxml server-side request forgery

A security vulnerability has been detected in TransformerOptimus SuperAGI up to 0.0.14. This affects the function extractwithbs4/extractwith3k/extractwithlxml of the file superagi/helper/webpageextractor.py of the component WebScraperTool. Such manipulation leads to server-side request forgery. I...

CVE-2026-6616

TransformerOptimus SuperAGI up to version 0.0.14 contains a server-side request forgery in the WebScraperTool’s webpage_extractor.py, affecting functions extract_with_bs4, extract_with_3k, and extract_with_lxml. The issue arises in superagi/helper/webpage_extractor.py and is exploitable remotely;...

SuperAGI 安全漏洞

SuperAGI is an open-source infrastructure application developed by SuperAGI. It is used to build components, tools, frameworks, and models to achieve open-source AGI. Versions of SuperAGI prior to 0.0.14 contain security vulnerabilities. These vulnerabilities stem from improper handling of the...

PT-2026-33729

A security vulnerability has been detected in TransformerOptimus SuperAGI up to 0.0.14. This affects the function extract with bs4/extract with 3k/extract with lxml of the file superagi/helper/webpage extractor.py of the component WebScraperTool. Such manipulation leads to server-side request...