CVE-2026-31018

In Dolibarr ERP & CRM <= 22.0.4, the Website module’s PHP code detection and editing permission enforcement is not consistently applied to all input parameters. This allows an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website ...

CVE-2026-31018

In Dolibarr ERP & CRM = 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page...

PT-2026-33981

In Dolibarr ERP & CRM = 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page...

CVE-2026-31018

In Dolibarr ERP & CRM = 22.0.4, PHP code detection and editing permission enforcement in the Website module is not applied consistently to all input parameters, allowing an authenticated user restricted to HTML/JavaScript editing to inject PHP code through unprotected inputs during website page...

CVE-2026-32604

CVE-2026-32604 affects Spinnaker before the patched releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The vulnerability arises in clouddriver components when handling gitrepo artifacts, allowing a bad actor to execute arbitrary commands on the pod (RCE) by exploiting improper input handling on...

CVE-2026-32604 Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions...

Server-side Request Forgery (SSRF)

Overview ragas is an Evaluation framework for RAG and LLM applications Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via improper validation of URLs in the retrievedcontexts parameter when processing multimodal inputs. An attacker can access arbitrary files,...

CVE-2026-35582

Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The INFILEENDING and...

CVE-2026-35582 Emissary has an OS Command Injection via Unvalidated IN_FILE_ENDING / OUT_FILE_ENDING in Executrix

Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The INFILEENDING and...

EUVD-2026-23628

Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand is vulnerable to OS command injection because it interpolates temporary file paths into a /bin/sh -c shell command string without any escaping or input validation. The INFILEENDING and...

Incomplete List of Disallowed Inputs

Overview flowise-ui is a Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the run method of the AirtableAgents class, which evaluates LLM-generated Python scripts in a non-sandboxed environment. An attacker can execute arbitrary code on the server by...

libgphoto2 安全漏洞

libgphoto2 is an open-source camera access and control library developed by gPhoto. Versions of libgphoto2 prior to 2.5.33 contained security vulnerabilities. These vulnerabilities stemmed from the ptpunpackEOSFocusInfoEx function, which had a buffer overflow vulnerability that could lead to a...

SQL Injection

Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...

PT-2026-37121

Name of the Vulnerable Software and Affected Versions praisonai versions prior to 4.6.9 praisonaiagents versions prior to 1.6.9 Description Multiple backends in the multi-agent teams system fail to validate input, leading to arbitrary SQL execution. Specifically, nine backends—MySQL, PostgreSQL,...

Floating Point Value Injection (FPVI) Variant in AMD CPUs

Summary Researchers shared with AMD a report titled “TREVEX: A Black-Box Detection Framework For Data-Flow Transient Execution Vulnerabilities.” The researchers' paper introduced a Floating-Point Value Injection FPVI variant, which could allow an attacker with a deep understanding of...

Code Injection

Handlebars is vulnerable to code injection. The vulnerability is due to improper sanitization of user-controlled inputs in the CLI precompiler, which allows an attacker to inject arbitrary JavaScript via crafted template filenames or CLI arguments and execute it when the generated code is run...

Prototype Pollution

Lodash is vulnerable to Prototype Pollution. The vulnerability is due to incomplete validation of path segments in .unset and .omit functions, which allows an attacker to bypass checks using array-wrapped inputs and delete properties from built-in prototypes...

CVE-2026-0390

Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally...

perl-XML-Parser security update

An update is available for perl-XML-Parser. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list This module provides ways to parse XML documents. It is built on top...

GHSA-GQW4-4W2P-838Q Composer has a command injection via malicious perforce reference

Impact The Perforce::syncCodeBase method appended the $sourceReference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 the...