CVE-2026-24052

Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith function to validate trusted domains e.g., docs.python.org,...

Google Chrome Information Disclosure Vulnerability (CNVD-2026-10645)

Google Chrome is a web browser from Google, an American company. Google Chrome suffers from an information disclosure vulnerability, which is caused due to improper implementation in the backend fetch AP. An attacker can exploit the vulnerability to disclose cross-origin data...

CVE-2026-25540

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via Rails.cache. When AUTHORIZEDFETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that...

CVE-2026-25540

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via Rails.cache. When AUTHORIZEDFETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that...

CVE-2026-25540 Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`)

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via Rails.cache. When AUTHORIZEDFETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that...

CVE-2026-25540

Mastodon prior to versions 4.3.19, 4.4.13, and 4.5.6 is vulnerable to web cache poisoning in Rails.cache when AUTHORIZED_FETCH is enabled. The ActivityPub endpoints for pinned posts and featured hashtags cache responses that depend on the signer’s account, but the internal cache reuse does not re...

EUVD-2026-5329

Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via Rails.cache. When AUTHORIZEDFETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that...

Directory Traversal

Overview @google/clasp is a Develop Apps Script Projects locally Affected versions of this package are vulnerable to Directory Traversal in the fetchRemote function in files.ts. An attacker can overwrite files outside the intended project directory via pull and clone commands. Details A Directory...

PT-2026-6071

Name of the Vulnerable Software and Affected Versions ZenTao versions through 21.7.6-85642 Description A server-side request forgery condition exists in ZenTao. The issue is located in the fetchHook function within the module/webhook/model.php file of the Webhook Module component. This manipulati...

openSUSE 16 Security Update : chromium (openSUSE-SU-2026:20156-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20156-1 advisory. - Chromium 144.0.7559.109 boo1257404 CVE-2026-1504: Inappropriate implementation in Background Fetch API Tenable has extracted the preceding description...

PT-2026-6319

Name of the Vulnerable Software and Affected Versions Mastodon versions prior to 4.3.19 Mastodon versions prior to 4.4.13 Mastodon versions prior to 4.5.6 Description Mastodon, a free, open-source social network server based on ActivityPub, contains a flaw related to web cache poisoning. When the...

CVE-2026-24052 Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains

Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith function to validate trusted domains e.g., docs.python.org,...

Open Redirect

Overview @anthropic-ai/claude-code is an Use Claude, Anthropic's AI assistant, right from your terminal. Claude can understand your codebase, edit files, run terminal commands, and handle entire workflows for you. Affected versions of this package are vulnerable to Open Redirect due to insufficie...

Claude Code 输入验证错误漏洞

Claude Code is an open-source proxy encoding tool developed by Anthropic. Versions of Claude Code prior to 1.0.111 contained a vulnerability related to input validation errors. This vulnerability stemmed from the insufficient URL validation in the trusted domain verification mechanism of WebFetch...

PT-2026-6186

Name of the Vulnerable Software and Affected Versions Claude Code versions prior to 1.0.111 Description Claude Code, an agentic coding tool, had a flaw in how it checked the trustworthiness of web addresses when making WebFetch requests. The application used a startsWith function to confirm trust...

OPENSUSE-SU-2026:20156-1 Security update for chromium

This update for chromium fixes the following issues: - Chromium 144.0.7559.109 boo1257404 CVE-2026-1504: Inappropriate implementation in Background Fetch API...

Malicious code in tableapy (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7adeff5bc226723e8e3241a36596e3e99094553770deda5e89ac8caf7c0e0f01 Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in...

Hugging Face Text Generation Inference vulnerable to Uncontrolled Resource Consumption

A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET...

GHSA-J7X9-7J54-2V3H Hugging Face Text Generation Inference vulnerable to Uncontrolled Resource Consumption

A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET...

CVE-2026-0599

A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET...