PT-2026-28085

Name of the Vulnerable Software and Affected Versions n8n versions prior to 2.5.0 Description n8n is a workflow automation platform. When the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker...

PT-2026-28109

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques...

GitLab 17.7 < 18.8.7 / 18.9 < 18.9.3 / 18.10 < 18.10.1 (CVE-2026-2973)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1 that could have allowed an authenticated user to execute...

Oracle Linux 9 : nginx (ELSA-2026-5599)

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-5599 advisory. - Resolves: RHEL-146525 - nginx: NGINX: Data injection via man-in-the-middle attack on TLS proxied connections CVE-2026-1642 - Resolves: RHEL-84477 - nginx:...

Nanoleaf Lines unauthenticated firmware file store

RISK EVALUATION Nanoleaf Lines 12.3.2 does not authenticate firmware file uploads. A remote, unauthenticated attacker can upload firmware files on the device and consume storage resources. 2. RECOMMENDED PRACTICES Update to 12.3.6. 3. DESCRIPTION Nanoleaf Lines 12.3.2 does not authenticate...

CVE-2026-33554

creationtimestamp| type| source ---|---|--- 2026-03-24 22:53:30+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mhto4lf4kc2c 2026-05-09 09:25:09+00:00| seen| https://bsky.app/profile/linux.activitypub.awakari.com.ap.brid.gy/post/3mlfwdyyhaa22...

ALPINE-CVE-2026-33412

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob function on Unix-like systems. By including a newline character \n in a pattern passed to glob, an attacker may be able to execute arbitrary shell commands. This...

CVE-2026-33412

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob function on Unix-like systems. By including a newline character \n in a pattern passed to glob, an attacker may be able to execute arbitrary shell commands. This...

CVE-2026-33412 Vim affected by Command injection via newline in glob()

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob function on Unix-like systems. By including a newline character \n in a pattern passed to glob, an attacker may be able to execute arbitrary shell commands. This...

CVE-2026-33412

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob function on Unix-like systems. By including a newline character \n in a pattern passed to glob, an attacker may be able to execute arbitrary shell commands. This...

PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems

Summary PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through request URIs recorded by intermediaries or client-side tooling, such as reverse proxy...

GHSA-MRQC-3276-74F8 PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems

Summary PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through request URIs recorded by intermediaries or client-side tooling, such as reverse proxy...

CVE-2026-33345

solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/org/projects/project allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index...

UBUNTU-CVE-2026-23919

For performance reasons Zabbix Server/Proxy reuses JavaScript Duktape contexts used in script items, JavaScript reprocessing, Webhooks. This can lead to confidentiality loss where a regular non-super Zabbix administrator leaks data for hosts they do not have access to. A fix has been released tha...

Updated vim packages fix security vulnerabilities

Command injection via newline in glob affects Vim 9.2.0202. CVE-2026-33412...

MGASA-2026-0062 Updated vim packages fix security vulnerabilities

Command injection via newline in glob affects Vim 9.2.0202. CVE-2026-33412...

5 Learnings from the First-Ever Gartner Market Guide for Guardian Agents

On February 25, 2026, Gartner published its inaugural Market Guide for Guardian Agents, marking an important milestone for this emerging category. For those unfamiliar with the various Gartner report types, “a Market Guide defines a market and explains what clients can expect it to do in the shor...

CVE-2026-0848

A code injection flaw was found in nltk. The StanfordSegmenter module in NLTK Natural Language Toolkit is vulnerable to arbitrary code execution due to improper input validation. An attacker can exploit this by supplying or replacing Java Archive JAR files, which are dynamically loaded without...

Command Injection

Overview intake is a Data catalog, search and load Affected versions of this package are vulnerable to Command Injection via the catalog parsing when the shell syntax is used within parameter default values. An attacker can execute arbitrary commands on the host system by crafting a malicious...

CVE-2026-28753

NGINX Plus and NGINX Open Source have a vulnerability in the ngxmailsmtpmodule module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation...