PT-2026-45834

Name of the Vulnerable Software and Affected Versions React Router versions 7.0.0 through 7.14.1 Description When using Framework Mode, a combination of steps could allow unauthorized remote code execution RCE through external requests. This occurs because the vendored turbo-stream v2 can be abus...

CVE-2026-49139

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the...

CVE-2026-49139 Nanobot < 0.2.1 SSRF via Microsoft Teams Channel serviceUrl Poisoning

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the...

EUVD-2026-33759

Nanobot prior to version 0.2.1 contains a server-side request forgery vulnerability in the Microsoft Teams channel handler that allows remote attackers to exfiltrate Bot Framework bearer tokens by supplying a forged activity with an attacker-controlled serviceUrl value. Attackers can poison the...

CVE-2026-49139

Summary: Nanobot before 0.2.1 contains a server-side request forgery (SSRF) in the Microsoft Teams channel handler, enabling attackers to exfiltrate Bot Framework bearer tokens. By sending a forged inbound activity with an attacker-controlled serviceUrl, an adversary can poison the stored convers...

EUVD-2026-33729

Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant...

CVE-2026-22872

CVE-2026-22872 affects Capsule, a Kubernetes multi-tenant framework. The Capsule Controller runs with cluster-admin privileges. The vulnerability lies in TenantResource RawItems processing: the code sets the namespace on deserialized objects, but this is ignored for cluster-scoped resources, allo...

CVE-2026-22872 Capsule TenantResource RawItems Cluster-Scoped Resource Creation Vulnerability

Capsule is a multi-tenancy and policy-based framework for Kubernetes. The Capsule Controller runs with cluster-admin privileges. Although the TenantResource RawItems processing logic forcibly sets the namespace, this is ineffective for cluster-scoped resources. Prior to version 0.13.0, tenant...

USN-8357-1: Qt Declarative vulnerability

It was discovered that Qt Declarative did not properly validate the width and height attributes of image tags in the Text component of Qt Quick. An attacker could possibly use this issue to cause Qt Declarative to use excessive resources, leading to a denial of service...

USN-8357-1 qtdeclarative-opensource-src vulnerability

It was discovered that Qt Declarative did not properly validate the width and height attributes of image tags in the Text component of Qt Quick. An attacker could possibly use this issue to cause Qt Declarative to use excessive resources, leading to a denial of service...

Cross-site Scripting (XSS)

Overview vitest is a Next generation testing framework powered by Vite Affected versions of this package are vulnerable to Cross-site Scripting XSS via the otelCarrier query parameter being directly inserted into an inline script without sanitization. An attacker can execute arbitrary JavaScript ...

CVE-2026-49361 Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability

Apache Fluss versions prior to 0.9.1 configure the Netty LengthFieldBasedFrameDecoder with Integer.MAXVALUE as the maximum frame length, allowing unauthenticated remote attackers to exhaust JVM heap memory on TabletServer and CoordinatorServer by sending specially crafted frame headers, resulting...

OctoberCMS - Account Takeover

octobercms in a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. id:...

[SECURITY] Fedora 43 Update: objfw-1.5.4-1.fc43

ObjFW is a portable, lightweight framework for the Objective-C language. It enables you to write an application in Objective-C that will run on any platform supported by ObjFW without having to worry about differences between operating systems or various frameworks you would otherwise need if you...

[SECURITY] Fedora 44 Update: mingw-objfw-1.5.4-1.fc44

ObjFW is a portable, lightweight framework for the Objective-C language. It enables you to write an application in Objective-C that will run on any platform supported by ObjFW without having to worry about differences between operating systems or various frameworks you would otherwise need if you...

[SECURITY] Fedora 44 Update: objfw-1.5.4-1.fc44

ObjFW is a portable, lightweight framework for the Objective-C language. It enables you to write an application in Objective-C that will run on any platform supported by ObjFW without having to worry about differences between operating systems or various frameworks you would otherwise need if you...

Sulu encryption issue vulnerabilities

Sulu is a scalable Symfony framework based on PHP, developed by the Austrian company Sulu. Versions prior to Sulu 2.6.23 and 3.0.6 contained a security vulnerability related to encryption. This vulnerability stemmed from the use of weak encryption hash algorithms for generating password reset...

SkillGuard: A Permission Framework for Agent Skills

Agent skills extend LLM agents with reusable instructions, scripts, tool bindings, and contextual dependencies. However, current skill ecosystems largely rely on trust-based loading and static inspection, leaving a gap between what a skill can inject into an agent's context and what it can cause...

Capsule Input Validation Vulnerability

Capsule is an open-source Kubernetes framework developed by Project Capsule. Versions of Capsule prior to 0.13.0 contained a vulnerability related to input validation errors. This vulnerability stemmed from rules for intercepting sub-resources named namespace/finalize and namespace/status that we...

SeClaw: Spec-Driven Security Task Synthesis for Evaluating Autonomous Agents

Autonomous LLM agents increasingly operate in stateful environments where they access tools, files, memory, and external services. While such capabilities enable complex real-world workflows, they also introduce security risks that are difficult to capture with existing evaluations. Current agent...