268 matches found
CVE-2026-40602
The Home Assistant Command-line interface hass-cli is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no...
CVE-2026-40602 hass-cli: Handling of user-supplied Jinja2 templates
The Home Assistant Command-line interface hass-cli is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no...
CVE-2026-40602 hass-cli: Handling of user-supplied Jinja2 templates
The Home Assistant Command-line interface hass-cli is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no...
GHSA-538C-55JV-C5G9 ONNX: Malicious ONNX models can crash servers by exploiting unprotected object settings.
Summary The ExternalDataInfo class in ONNX was using Python’s setattr function to load metadata like file paths or data lengths directly from an ONNX model file. The problem? It didn’t check if the "keys" in the file were valid. Because it blindly trusted the file, an attacker could craft a...
Prototype Pollution
Overview @apollo/federation-internals is an Apollo Federation internal utilities Affected versions of this package are vulnerable to Prototype Pollution through incomplete sanitization of input in the query plan execution. An attacker can manipulate the Object.prototype in the gateway by crafting...
EUVD-2026-10061
parse-server: Malformed $regex query leaks database error details in API response...
CVE-2026-30835
Parse Server vulnerability CVE-2026-30835 affects Parse Server before versions 8.6.7 and 9.5.0-alpha.6, where a malformed $regex query parameter can cause the database to return a structured error object unsanitized through the API response. This leaks internal database details such as error mess...
CVE-2026-30835
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter e.g. abc causes the database to return a structured error object that is passed unsanitized through the API response...
PT-2026-23754
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.7 Parse Server versions prior to 9.5.0-alpha.6 Description Parse Server is an open-source backend deployable on Node.js infrastructures. A malformed $regex query parameter, such as abc, can cause the database...
[SECURITY] Fedora 42 Update: rust-time-core-0.1.8-1.fc42
Internal implementation details of the 'time' crate...
CVE-2023-37525
A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals...
EUVD-2023-41412
A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals...
CVE-2023-37525 HCL BigFix Compliance is vulnerable to a sensitive information disclosure
A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals...
Azure Linux 3.0 Security Update: nodejs (CVE-2025-23083)
The version of nodejs installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-23083 advisory. - With the aid of the diagnosticschannel utility, an event can be hooked into whenever a worker thread is...
CVE-2026-23517 Fleet has an Access Control vulnerability in debug/pprof endpoints
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...
CVE-2026-23517 Fleet has an Access Control vulnerability in debug/pprof endpoints
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...
📄 js2py 0.74 Automated Sandbox Escape / Code Execution
js2py version 0.74 automated sandbox escape and remote code execution exploit with a reverse shell. ============================================================================================================================================= | Title : js2py v0.74 Automated Sandbox Escape & Revers...
CVE-2025-36743
SolarEdge SE3680H has an exposed debug/test interface accessible to unauthenticated actors, allowing disclosure of system internals and execution of debug commands...
Template Injection
langchain-core is vulnerable to Template Injection. The vulnerability is due to the lack of validation in template strings, where attackers can access Python object internals through template syntax. This allows attackers to extract sensitive information from object internals and potentially...
EUVD-2025-203086
SolarEdge SE3680H has an exposed debug/test interface accessible to unauthenticated actors, allowing disclosure of system internals and execution of debug commands...