Updated tar packages fix security vulnerability

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files...

MGASA-2026-0168 Updated tar packages fix security vulnerability

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files...

Froxlor has an incomplete fix for CVE-2026-30932

Summary The LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping. Affected Package - Ecosystem: Other - Package: froxlor - Affected versions: a...

EUVD-2026-32721

Versions of the package json-2-csv from 3.15.0 and before 5.5.11 are vulnerable to CSV Injection via the preventCsvInjection option which can be bypassed. An attacker can inject formulas into CSV files, which execute when the files are opened in spreadsheet applications...

CVE-2026-44888

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile endpoint writes user-supplied numeric config values e.g., SMTPPORT directly into pialert.conf without validation. Since pialert.conf is loaded via Python's exec every 3–5 minutes...

CVE-2026-44887 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path)

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec, injected code executes as the...

CVE-2026-44888 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Interger)

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile endpoint writes user-supplied numeric config values e.g., SMTPPORT directly into pialert.conf without validation. Since pialert.conf is loaded via Python's exec every 3–5 minutes...

Exploit for Missing Authentication for Critical Function in Cpanel

CPANEL CVE EXPLOIT English | فارسی PersianREADME...

CVE-2026-5293

The CVE concerns the WordPress plugin Diagnosis Generator (診断ジェネレータ作成プラグイン) up to version 1.4.16. It enables Stored Cross-Site Scripting via the js parameter due to missing authorization checks and insufficient input sanitization in themeFunc(), which runs on admin_init and processes theme update...

Amazon Linux 2 : vim, --advisory ALAS2-2026-3292 (ALAS-2026-3292)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2026-3292 advisory. Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is...

GHSA-9MQQ-JQXF-GRVW PraisonAI MCP `tools/call` path-traversal => RCE via Python `.pth` injection

Summary PraisonAI's MCP Model Context Protocol server praisonai mcp serve registers four file-handling tools by default — praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments and joi...

EUVD-2026-28942

Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 does not block Clang dependency-file generation via argument injection, which allows attackers to place their code into a plugins directry if the victim uses an attacker-supplied .i64 file...

CVE-2026-45181

Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 does not block Clang dependency-file generation via argument injection, which allows attackers to place their code into a plugins directory if the victim uses an attacker-supplied .i64 file...

CVE-2026-34458 Sandboxie-Plus privilege escalation via INI CRLF injection bypassing EditAdminOnly

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions EditAdminOnly and ConfigPassword and inject arbitrary directives into the global...

CVE-2026-27760

OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define string...

CVE-2026-41230

CVE-2026-41230 affects Froxlor prior to 2.3.6 through DomainZones::add(), where arbitrary DNS record types and newline-containing content are not sanitized. This allows an authenticated user to inject DNS records and BIND directives (e.g., $INCLUDE, $ORIGIN, $GENERATE) into zone files by submitti...

CVE-2026-41230 Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Froxlor is open source server administration software. Prior to version 2.3.6, DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g.,...

GHSA-47HF-23PW-3M8C Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Summary DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted e.g., NAPTR, PTR, HINFO, content validation is entirely bypassed. Embedded...

EUVD-2026-20489

CI4MS Vulnerable to .env CRLF Injection via Unvalidated host Parameter in Install Controller...

GHSA-VFHX-5459-QHQH CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller

Summary The Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which writes it into the .env file via pregreplace. Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration...