
23 matches found

Tenable Nessus
added 2026/04/17 12:0 a.m., 2 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007468)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007468 advisory. In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Prevent access to vCPU events before init Another day, another syzkaller bug. KVM...

5.7 AI score, 0.00065 EPSS
Exploits: 0, References: 4
OSV
added 2026/03/27 8:34 p.m., 2 views

CVE-2026-33881 Windmill: Rogue Workspace Admins can inject code via unescaped workspace environment variable interpolation in NativeTS executor

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Workspace environment variable values are interpolated into JavaScript string literals without escaping single quotes in the NativeTS executor. A workspace admin who sets a custom environmen...

8.6 CVSS, 6.1 AI score, 0.00077 EPSS
Exploits: 1, References: 3
CVE
added 2026/03/05 8:23 p.m., 7 views

CVE-2026-29081

CVE-2026-29081 affects the Frappe framework. Before versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection via specially crafted requests stemming from improper fieldname sanitization, allowing an attacker to extract sensitive information. The issue has been patched in versio...

8.8 CVSS, 5.9 AI score, 0.00049 EPSS
Exploits: 0, References: 1, Affected Software: 1
Tenable Nessus
added 2025/10/20 12:0 a.m., 2 views

RockyLinux 8 : kernel-rt (RLSA-2025:17812)

The remote RockyLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2025:17812 advisory. kernel: KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 CVE-2022-50228 kernel: Bluetooth: L2CAP: Fix use-after-free CVE-2023-53305...

7.8 CVSS, 7.4 AI score, 0.0006 EPSS
Exploits: 0, References: 5
EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2004-1513

Malware in sbrugna...

7.5 CVSS, 6.4 AI score, 0.00677 EPSS
Exploits: 4, References: 7
Hacker One
added 2025/06/03 2:51 p.m., 254 views

Lichess: ImageId Format Injection in Image Upload Endpoint

The image upload endpoint in the Lichess application did not properly validate the 'rel' parameter, allowing an attacker to inject special characters that broke the expected format of the generated ImageId. This could have led to parsing issues in other parts of the application that relied on the...

7 AI score
Exploits: 0
The Hacker News
added 2024/12/20 6:25 a.m., 17 views

Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools

A now-patched critical security flaw impacting Fortinet FortiClient EMS is being exploited by malicious actors as part of a cyber campaign that installed remote desktop software such as AnyDesk and ScreenConnect. The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection bu...

9.8 CVSS, 9.8 AI score, 0.94038 EPSS
Exploits: 4
Hacker One
added 2024/11/09 11:23 p.m., 1 view

curl: netrc crlf injection

Summary: Curl allows CR and LF characters to be encoded in login and password netrc fields. This allows an attacker who can affect contents of the netrc entry to inject FTP commands by injecting CRLF to the login or password. POP3 is likely affected as well, but hasn't been tested. The only...

7.2 AI score
Exploits: 0
Malwarebytes
added 2022/08/01 9:51 a.m., 24 views

A week in security (July 25 – July 31)

Last week on Malwarebytes Labs: Update Google Chrome now! New version includes 11 important security patches Lightning Framework, modular Linux malware Malware spent months hoovering up credit card details from 300 US restaurants Lock down your Neopets account: Data breach being investigated Demo...

0.7 AI score
Exploits: 0
Malwarebytes
added 2022/08/01 9:0 a.m., 15 views

A week in security (July 25 - July 31)

Last week on Malwarebytes Labs: Update Google Chrome now! New version includes 11 important security patches Lightning Framework, modular Linux malware Malware spent months hoovering up credit card details from 300 US restaurants Lock down your Neopets account: Data breach being investigated Demo...

0.7 AI score
Exploits: 0
OSV
added 2022/06/16 11:39 p.m., 8 views

GHSA-P2G9-94WH-65C2 Space bug in `clean_text`

An incorrect mapping from HTML specification to ASCII codes was used. Because HTML treats the Form Feed as whitespace, code like this has an injection bug: let html = format!"", cleantextusersuppliedstring; Applications are not affected if they quote their attributes, or if they don't use cleante...

7.4 AI score
Exploits: 0, References: 4
Hacker One
added 2021/05/13 4:53 p.m., 87 views

GitHub Security Lab: [Python] CWE-400: Regular Expression Injection

This bug was reported directly to GitHub Security Lab...

1.5 AI score
Exploits: 0
UbuntuCve
added 2021/05/06 4:15 p.m., 26 views

CVE-2021-32052

In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 with Python 3.9.5+, URLValidator does not prohibit newlines and tabs unless the URLField form field is used. If an application uses values with newlines in an HTTP response, header injection can occur. Django itself is unaffecte...

6.1 CVSS, 6.8 AI score, 0.01859 EPSS
Exploits: 0, References: 8
OpenVAS
added 2021/04/19 12:0 a.m., 18 views

SUSE: Security Advisory (SUSE-SU-2020:1301-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

6.5 CVSS, 7 AI score, 0.07993 EPSS
Exploits: 1, References: 7
OpenVAS
added 2020/05/16 12:0 a.m., 27 views

openSUSE: Security Advisory for mailman (openSUSE-SU-2020:0661-1)

The remote host is missing an update for the Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

6.5 CVSS, 6.9 AI score, 0.07993 EPSS
Exploits: 1, References: 2
OSV
added 2018/06/11 9:29 p.m., 1 view

CVE-2017-5391

Special "about:" pages used by web content, such as RSS feeds, can load privileged "about:" pages in an iframe. If a content-injection bug were found in one of those pages this could allow for potential privilege escalation. This vulnerability affects Firefox 51...

9.8 CVSS, 7.3 AI score, 0.02446 EPSS
Exploits: 0, References: 4
OSV
added 2017/04/20 6:35 a.m., 6 views

SUSE-SU-2017:1067-1 Security update for ruby2.1

This ruby2.1 update to version 2.1.9 fixes the following issues: Security issues fixed: - CVE-2016-2339: heap overflow vulnerability in the Fiddle::Function.new'initialize' bsc1018808 - CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL bsc959495 - CVE-2015-3900: hostname validation does...

9.8 CVSS, 6.5 AI score, 0.03404 EPSS
Exploits: 2, References: 14
Exploit DB
added 2016/12/24 12:0 a.m., 43 views

Sonicwall 8.1.0.2-14sv - 'viewcert.cgi' Remote Command Injection (Metasploit)

Exploit Title: Sonicwall viewcert.cgi CGI Remote Command Injection Vulnerability Date: 12/24/2016 Exploit Author: xort @ Critical Start Vendor Homepage: www.sonicwall.com Software Link: sonicwall.com/products/sra-virtual-appliance Version: 8.1.0.2-14sv Tested on: 8.1.0.2-14sv CVE : awaiting cve...

7.4 AI score
Exploits: 0
Tenable Nessus
added 2016/12/08 12:0 a.m., 29 views

Fedora 23 : php-php-gettext (2016-a571b97ebb)

php-gettext 1.0.12 ================== - Security fix for potential code injection bug LP1515334 - Do not assume mbstring functions are always there, pass text through if they aren't LP734494 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora...

5.6 AI score
Exploits: 0, References: 1
Packet Storm
added 2011/04/10 12:0 a.m., 16 views

UCLA University SQL Injection

UCLA University Sql injection Bug! Author:H3X,W!Z4RD Sepehr Security Team Vulnerable Page: http://dma.ucla.edu/faculty/profiles/?ID=-83 DEMO: http://dma.ucla.edu/faculty/profiles/?ID=-83+union+select+1,2,version %28%29,4,5,6,7,8,9,10,11,12,13,14,15,16-- greetz:thEKnight , Einestin and ALL Sepehr...

0.7 AI score
Exploits: 0