CVE-2026-25624 Arista Edge Threat Management NGFW UI Administrative Cross-Site Scripting

An administrative cross-site scripting XSS vulnerability exists in the web user interface dashboard layout of Arista Edge Threat Management - Arista Next Generation Firewall NGFW. Unvalidated user-supplied variables are echoed back to administrative profiles, facilitating vector payload processin...

CVE-2026-25624 Arista Edge Threat Management NGFW UI Administrative Cross-Site Scripting

An administrative cross-site scripting XSS vulnerability exists in the web user interface dashboard layout of Arista Edge Threat Management - Arista Next Generation Firewall NGFW. Unvalidated user-supplied variables are echoed back to administrative profiles, facilitating vector payload processin...

EUVD-2026-34911

An administrative cross-site scripting XSS vulnerability exists in the web user interface dashboard layout of Arista Edge Threat Management - Arista Next Generation Firewall NGFW. Unvalidated user-supplied variables are echoed back to administrative profiles, facilitating vector payload processin...

CVE-2026-34185

Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database.This issue was fixed in Hydrosystem Control Syst...

CVE-2026-41496

PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase,...

CVE-2026-35580

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflowdispatch inputs were interpolated directly into shell commands via $ expression syntax. An attacker with repository write access could...

MGASA-2026-0175 Updated cockpit packages fix security vulnerabilities

CVE-2026-4631, Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects...

Arbitrary inputs are included in errors without any escaping in net/textproto

...

PT-2026-49249

Impact Malicious algorithms can potentially access other algorithms input and output files. Patches Todo Workarounds Verify and restrict the algorithm containers that are allowed to run on your node. See here on how to do this. References https://docs.vantage6.ai/usage/running-the-node/security F...

TP-Link Tapo C520WS 安全漏洞

The TP-Link Tapo C520WS is a WiFi camera produced by the TP-Link company. The TP-Link Tapo C520WS v2 has a security vulnerability, which stems from the improper handling of invalid syntax inputs by the RTSP server component, potentially leading to a denial-of-service attack...

PT-2026-47023

Name of the Vulnerable Software and Affected Versions Markdown Preview Enhanced versions prior to 0.8.28 Description On Windows, the software opens external files and links from the preview through a shell without validating untrusted inputs from the markdown document. This allows for the injecti...

DataDog::DogStatsd 安全漏洞

DataDog::DogStatsd is a Perl monitoring client library developed by DataDog Corporation that supports the DogStatsD protocol. Versions of DataDog::DogStatsd prior to 0.07 contained security vulnerabilities. These vulnerabilities stemmed from improper handling of inputs, the sendstats method not...

The Linux Foundation OpenDayLight 安全漏洞

The Linux Foundation OpenDayLight is an open-source network controller platform developed by The Linux Foundation in the United States. The Linux Foundation OpenDayLight v12.0.5 contains a security vulnerability, which stems from a issue with the Externalizable.readExternal component. This...

DEBIAN-CVE-2026-41178

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue...

php: signed integer overflow in metaphone()

A flaw was found in PHP. The metaphone function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. When an input string is longer than 2,147,483,647 bytes, a signed integer overflow can occur, leading to undefined behavior and an...

EUVD-2026-34296

Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that the git repository contains an unreleased version with the...

EUVD-2026-34288

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue...

CVE-2026-41178

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue...

CVE-2026-41178

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes Parse to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue...

CVE-2026-8037

CVE-2026-8037 affects Progress LoadMaster and related ADC components (ECS Connection Manager, Object Scale Connection Manager, MOVEit WAF). The vulnerability is an OS command injection in the API where unsanitized input in multiple command endpoints allows an unauthenticated attacker to execute a...