CVE-2026-44000 vm2: sandbox boundary bypass via host Promise resolution preserving host object identity

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution. When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the...

CVE-2026-32768

Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. In versions prior to 0.6.5, due to a miswritten NetworkPolicy, a malicious actor can pivot from an instance to any Pod out of the origin namespace. This breaks the security-by-default property expected as...

CVE-2026-30859

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, mod...

CVE-2026-30859 WeKnora: Broken Access Control - Cross-Tenant Data Exposure

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, mod...

CVE-2026-30859 WeKnora: Broken Access Control - Cross-Tenant Data Exposure

WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.12, a broken access control vulnerability in the database query tool allows any authenticated tenant to read sensitive data belonging to other tenants, including API keys, mod...

CVE-2026-25811 PlaciPy Email Domain Trust Enables Cross-Tenant Data Access (Multi-Tenant Isolation Failure)

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access...

CVE-2026-25811 PlaciPy Email Domain Trust Enables Cross-Tenant Data Access (Multi-Tenant Isolation Failure)

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access...

CVE-2025-62410 --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom

In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads ...

CVE-2025-5476 Sony XAV-AX8500 Bluetooth Improper Isolation Authentication Bypass Vulnerability

Sony XAV-AX8500 Bluetooth Improper Isolation Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected Sony XAV-AX8500 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the...

Edimax BR-6208AC Cross-Router Covert Channel Vulnerability (CNVD-2019-30061)

The Edimax BR-6208AC is a wireless concurrent dual-band router. A cross-router hidden channel vulnerability exists in the Edimax BR-6208AC V1. The vulnerability stems from insufficient isolation between host and client networks established by the same device. The vulnerability can be exploited by...

ALPINE-CVE-2018-15468

An issue was discovered in Xen through 4.11.x. The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the...

Vmare workstation guest isolation weaknesses (clipboard transfer)

Suggested severity level: Low Type of Risk: isolation failure, information leakage, infection path Affected Software: VMware Workstation, version 5.5.3 build 34685 including installation of "VMware tools" of the same version on the guest OS. Other products by the vendor using the same isolation...