36 matches found
CVE-2026-10850
Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint...
EUVD-2026-37732
Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint...
CVE-2026-10850 Plane 1.3.1 - Stored XSS in intake issue description_html
Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint...
CVE-2026-10850
CVE-2026-10850 affects Plane CE 1.3.1. A low-privileged project member can submit arbitrary HTML/JS in the description_html field when creating an intake work item via the API v1 intake endpoint, enabling stored XSS. The description_html field is the vector; no exploit details or affected version...
PT-2026-50428
Name of the Vulnerable Software and Affected Versions Plane CE version 1.3.1 Description A low-privileged project member can submit arbitrary HTML and JavaScript via the description_html field. This occurs when creating an intake work item through the 'API v1 intake' endpoint. Recommendations At...
python311-intake-2.0.9-1.1 on GA media (moderate)
python311-intake-2.0.9-1.1 on GA media Announcement ID: openSUSE-SU-2026:10426-1 Rating: moderate Cross-References: CVE-2026-33310 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the...
CVE-2026-33310
Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell, the command ma...
SUSE CVE-2026-33310
Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell, the command ma...
OPENSUSE-SU-2026:10426-1 python311-intake-2.0.9-1.1 on GA media
These are all security issues fixed in the python311-intake-2.0.9-1.1 package on the GA media of openSUSE Tumbleweed...
Command Injection
Overview intake is a Data catalog, search and load Affected versions of this package are vulnerable to Command Injection via the catalog parsing when the shell syntax is used within parameter default values. An attacker can execute arbitrary commands on the host system by crafting a malicious...
ddsapi (>=0.6.0b5 <=0.7.1), gandharva (=0.0.1) +9 more potentially affected by CVE-2026-33310 via intake (>=2.0.0a2 <=2.0.8)
intake PYPI version =2.0.0a2, =0.6.0b5, =0.2.7, =0.2.4, =0.6.2, =0.0.1, =0.6.4, =0.18.0, =0.19.10 Source cves: CVE-2026-33310 Source advisory: SNYK:PYTHON-INTAKE-15763544...
CVE-2026-33310 Intake has a Command Injection via shell() Expansion in Parameter Defaults
Intake is a package for finding, investigating, loading and disseminating data. Prior to version 2.0.9, the shell syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell, the command ma...
Intake code injection vulnerability
Intake is an open-source Python toolkit for data loading and processing. Versions of Intake prior to 2.0.9 had a code injection vulnerability. This vulnerability stemmed from the automatic expansion of shell syntax during catalog parsing, which could lead to the execution of host system command...
access-intake-esm (>=2026.4.17 <=2026.4.19), access-nri-intake (>=0.0.2 <=1.6.2) +185 more potentially affected by CVE-2026-33310 via intake (>=0.4.4 <=2.0.9)
intake PYPI version =0.4.4, =2026.4.17, =0.0.2, =0.1.0, =1.0.0, =1.5.0, =0.21.0, =1.1.0, =2024.6.4.1, =0.13.0, =0.8.0, =0.1.0a1, =0.0.0, =1.0.0, =1.2.0 and more Source cves: CVE-2026-33310 Source advisory: OSV:GHSA-37G4-QQQV-7M99...
CVE-2026-27839 wger: IDOR in nutritional_values endpoints exposes private dietary data via direct ORM lookup
wger is a free, open-source workout and fitness manager. In versions up to and including 2.4, three nutritional_values action endpoints fetch objects via Model.objects.get(pk=pk) — a raw ORM call that bypasses the user-scoped queryset. Any authenticated user can read another user's private nutrition...
Friday Squid Blogging: Pilot Whales Eat a Lot of Squid
Short-finned pilot whales (Globicephala macrorhynchus) eat a lot of squid: To figure out a short-finned pilot whale's caloric intake, Gough says, the team had to combine data from a variety of sources, including movement data from short-lasting tags, daily feeding rates from satellite tags, body...
web.intake.education Cross Site Scripting vulnerability OBB-3199993
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...