CVE-2026-8209

Gibbon versions before v30.0.01 are affected by a path traversal vulnerability resulting in DOS by attempting extraction of web application PHP files, failed .zip extraction results in deletion of the file and a DOS condition. Successful exploitation requires Teacher or higher privileges...

Hono has CSS Declaration Injection via Style Object Values in JSX SSR

Summary The JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript executio...

Improper Encoding or Escaping of Output

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output the styleObjectForEach and jsxAttr style serialization paths in the JSX runtime. An attacker can inject arbitrary CSS declarations by supplying...

Improper Validation of Specified Quantity in Input

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input through the verify function in the JWT component. An attacker can supply a signed token with malformed nbf, exp, or iat claims, includin...

Use of Cache Containing Sensitive Information

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information through the cache process in the cache middleware. An attacker can cause responses to be cached or served incorrectly by sending requests tha...

Smart Contract Security beyond Detection

Smart contract security has progressed from vulnerability detection toward a broader research agenda that includes semantic reasoning, automated repair, adversarial robustness, and real-time exploit detection. This paper develops a capstone-oriented research narrative around four directions:...

PT-2026-39402

Name of the Vulnerable Software and Affected Versions Yii Framework versions prior to 2.0.55 Description Internal variables in the View::renderPhpFile and ErrorHandler::renderFile functions are not isolated, which can lead to parameter collisions that allow the overriding of included file paths...

PT-2026-39417

Name of the Vulnerable Software and Affected Versions Next.js versions 12.2.0 through 15.5.15 Next.js versions 16.0.0 through 16.2.4 Description An external client can send an x-nextjs-data header on a request to a path handled by middleware that returns a redirect. This causes the middleware or...

phpVMS 8 访问控制错误漏洞

phpVMS 8 is an open-source aviation simulation and flight management application based on Laravel. Prior to version 7.0.6 of phpVMS, there was a access control vulnerability that stemmed from allowing unauthorized access to the legacy import feature...

PT-2026-39412

Name of the Vulnerable Software and Affected Versions Next.js versions 13.0.0 through 15.5.15 Next.js versions 16.0.0 through 16.2.4 Description Applications using beforeInteractive scripts combined with untrusted content are susceptible to cross-site scripting XSS, a flaw where malicious scripts...

AI Native Asset Intelligence

Modern security environments generate fragmented signals across cloud resources, identities, configurations, and third-party security tools. Although AI-native security assistants improve access to this data, they remain largely reactive: users must ask the right questions and interpret...

MT-JailBench: A Modular Benchmark for Understanding Multi-Turn Jailbreak Attacks

Multi-turn jailbreaks exploit the ability of large language models to accumulate and act on conversational context. Instead of stating a harmful request directly, an attacker can gradually steer the conversation toward an unsafe answer. Recent methods demonstrate this risk, but they are usually...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-tornado (UTSA-2026-017333)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017333 advisory. Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has...

CLSA-2026-1778266904 kernel: Fix of 188 CVEs

rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present - xfrm: esp: avoid in-place decrypt on shared skb frags - clk: Fix clkhwgetclk when dev is NULL CVE-2022-49187 - x86/sgx: Add overflow check in sgxvalidateoffsetlength CVE-2022-49785 - ext4: init quota for 'old.inode' in...

CVE-2026-42205

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class descendants of...

CVE-2026-42205

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class descendants of...

EUVD-2026-28836

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class descendants of...

CVE-2026-42205 Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class descendants of...

CVE-2026-42205 Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources

Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class descendants of...

CVE-2026-42205

CVE-2026-42205 (Avo) affects the Avo framework for Ruby on Rails. The issue resides in the ActionsController’s insecure action lookup, which can ignore resource context and let an authenticated user execute any action class (descendants of Avo::BaseAction) on any resource. This creates privilege ...