Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @ranfdev/deepobj
Impact Prototype pollution is possible when property paths contain proto/constructor/prototype. The property path must not be exposed as user input...
PT-2026-41216
Name of the Vulnerable Software and Affected Versions deepobj versions prior to 1.0.3 Description Prototype pollution occurs when property paths contain proto, constructor, or prototype. This issue arises when property paths are exposed as user input, allowing an attacker to modify the prototype...
EUVD-2026-21064
PraisonAI is a multi-agent teams system. Prior to 4.5.121, the executecommand function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell...
CVE-2026-35093
Vulnerability overview: CVE-2026-35093 affects libinput. A local attacker can place a crafted Lua bytecode file in certain system or user configuration directories, bypassing security restrictions and executing unauthorized code with the same permissions as the affected program (e.g., a graphical...
AZL-75564 CVE-2025-11065 affecting package rook 1.6.2-27
A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in...
CVE-2025-66452
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json includes user input in the error message, which gets reflected in responses. User input including HTML/JavaScript can be exposed in error...
EUVD-2025-202928
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json includes user input in the error message, which gets reflected in responses. User input including HTML/JavaScript can be exposed in error...
Arbitrary Code Injection
Overview neuron-core/neuron-ai is The PHP Agentic Framework. Affected versions of this package are vulnerable to Arbitrary Code Injection via the validation based on the first keyword e.g., SELECT and a forbidden-keyword list does not block file-writing constructs such in the MySQLSelectTool. A...
EUVD-2020-0593
Malware in sbrugna...
PT-2025-23663 · Hibernate +3 · Hibernate Validator +3
CVE-2025-35036 Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expres… https://t.co/002YgA2hEa...
CVE-2025-0055
SAP GUI for Windows stores user input on the client PC to improve usability. Under very specific circumstances an attacker with administrative privileges or access to the victim's user directory on the Operating System level would be able to read this data. Depending on the user input provided in...
CVE-2024-12380
GitLab EE/CE vulnerable in affected releases (11.5–17.7.7; 17.8–17.8.5; 17.9–17.9.2) due to certain user inputs in repository mirroring settings that could expose sensitive authentication information. Impact: potential disclosure of credentials with network access; no user interaction required. E...
AZL-43329 CVE-2024-6345 affecting package python-setuptools for versions less than 69.0.3-4
A vulnerability in the packageindex module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code...
[SECURITY] [DSA 467-1] New ecartis packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 467-1 [email protected] http://www.debian.org/security/ Matt Zimmerman March 23rd, 2004 http://www.debian.org/security/faq -...
Hole in the Nokia 7110 WAP Browser
The browser stores user input in variables that scripts from other sites can access...