Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint

Summary A Mass Assignment vulnerability in the /api/v1/leads endpoint allows any unauthenticated user to control internal entity fields id, createdDate, chatId by including them in the request body. The endpoint uses Object.assign to copy all properties from the request body to the Lead entity...

Pakistan-Linked APT36 Floods Indian Govt Networks With AI-Made ‘Vibeware’

Bitdefender research reveals Pakistani group APT36 is using AI-generated vibeware and trusted cloud services like Google Sheets to target Indian officials...

CVE-2026-27641

Flask-Reuploaded provides file uploads for Flask. A critical path traversal and extension bypass vulnerability in versions prior to 1.5.0 allows remote attackers to achieve arbitrary file write and remote code execution through Server-Side Template Injection SSTI. Flask-Reuploaded has been patche...

EUVD-2026-8616

Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection...

A week in security (February 16 – February 22)

Last week on Malwarebytes Labs: Age verification vendor Persona left frontend exposed, researchers say Facebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets AI-generated passwords are a security risk Intimate products maker Tenga spilled customer data Meta patents ...

Can You Tell It'S AI? Human Perception of Synthetic Voices in Vishing Scenarios

Large Language Models and commercial speech synthesis systems now enable highly realistic AI-generated voice scams vishing, raising urgent concerns about deception at scale. Yet it remains unclear whether individuals can reliably distinguish AI-generated speech from human-recorded voices in...

AI-generated passwords are a security risk

Using Artificial Intelligence AI to generate your passwords is a bad idea. It's likely to give that password to a criminal who can then use it in a dictionary attack—which is when an attacker runs through a prepared list of likely passwords words, phrases, patterns with automated tools until one ...

Code Injection

org.apache.avro, avro-compiler is vulnerable to Code Injection. The vulnerability is due to improper validation of untrusted Avro schemas during specific record generation, where attacker-controlled schema content can be incorporated into generated Java source code without sufficient sanitization...

Discovering Universal Activation Directions for PII Leakage in Language Models

Modern language models exhibit rich internal structure, yet little is known about how privacy-sensitive behaviors, such as personally identifiable information PII leakage, are represented and modulated within their hidden states. We present UniLeak, a mechanistic-interpretability framework that...

AI-Generated Text and the Detection Arms Race

In 2023, the science fiction literary magazine Clarkesworld stopped accepting new submissions because so many were generated by artificial intelligence. Near as the editors could tell, many submitters pasted the magazine’s detailed story guidelines into an AI and sent in the results. And they...

SAP NetWeaver Application Server Java 注入漏洞

SAP NetWeaver Application Server Java is an application server provided by the German company SAP, which offers a Java runtime environment. This product is primarily used for developing and running Java EE applications. SAP NetWeaver Application Server Java has a injection vulnerability, which...

Arbitrary Code Execution

Orval is vulnerable to Arbitrary Code Execution. The vulnerability is due to incomplete sanitization of untrusted input during code generation, where insufficient escaping in jsStringEscape allows attackers to inject executable JavaScript using only non-alphanumeric characters via JSFuck...

CVE-2026-24132

Orval generates type-safe JS clients TypeScript from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema...

Arbitrary Code Execution

binary-parser is vulnerable to Arbitrary Code Execution. The vulnerability is due to unsanitized interpolation of untrusted values into dynamically generated code, where attacker-controlled parser field names or encoding parameters are embedded directly into generated JavaScript, allowing arbitra...

Arbitrary Code Execution

Orval is vulnerable to Arbitrary Code Execution. The vulnerability is due to unsanitized embedding of untrusted OpenAPI fields, where attacker-controlled values in the x-enumDescriptions field are injected without proper escaping during enum generation, resulting in executable JavaScript/TypeScri...

MiracleLinux 8 : sqlite-3.26.0-11.el8 (AXSA:2020-1005:03)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-1005:03 advisory. sqlite: Use-after-free in window function leading to remote code execution CVE-2019-5018 sqlite: Division by zero in whereLoopAddBtreeIndex in...

CVE-2019-20061

The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5.4 may leak the system-picked password if this email is sent in cleartext. In other words, the user is not allowed to choose their own initial password...

CVE-2026-22190

The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability. The -gp glyph pattern command-line option is used directly as the format string for sprintf with only a single argument supplied. If an attacker provides additional format...

CVE-2026-22190

Summary of CVE-2026-22190 (Panda3D) Affected: Panda3D up to and including 1.10.16, specifically the egg-mkfont utility. Vulnerability: Uncontrolled format string in the -gp (glyph pattern) option. The option is passed directly as the format string to sprintf() with only one argument. If an attack...

AI Code in the Wild: Measuring Security Risks and Ecosystem Shifts of AI-Generated Code in Modern Software

Large language models LLMs for code generation are becoming integral to modern software development, but their real-world prevalence and security impact remain poorly understood. We present the first large-scale empirical study of AI-generated code AIGCode in the wild. We build a high-precision...