Chromium: CVE-2026-5861 Use after free in V8

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

PT-2026-32092

The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get current url function, which are inserted into...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the expression parser. An attacker can execute arbitrary JavaScript code by sending malicious expressions for evaluation. Remediation There is no fixed...

mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes

Impact This security vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser. Patches The issue was introduced in mathjs v13.1.0, an...

CVE-2026-40190

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK langsmith contains an incomplete prototype pollution fix in its internally vendored lodash set utility. The baseAssignValue function only guards against the...

0xpay-cc-sdk (>=0.0.8 <=0.1.0), 1inch-agent-kit (=1.0.53) +6204 more potentially affected by CVE-2026-40175 via axios (>=1.0.0 <=1.14.0)

axios NPM version =1.0.0, =0.0.8, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.2-beta.0, =8.0.5, =6.1.0, =0.0.1-alpha.3, =0.1.6-alpha.11, =1.0.3-rc.0, =2.1.0 - @1tokenfe/hd-ble-sdk =1.1.15 - @1tokenfe/hd-common-connect-sdk =1.1.15 and more Source cves: CVE-2026-40175 Source advisory: SNYK:JS-AXIOS-159692...

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload. An administrator can execute arbitrary JavaScript in the context of the application by uploading a crafted SVG or HTML file containing malicious scripts, which are then served to users without...

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload. An administrator can execute arbitrary JavaScript in the context of the application by uploading a crafted SVG or HTML file containing malicious scripts, which are then served to users without...

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload. An administrator can execute arbitrary JavaScript in the context of the application by uploading a crafted SVG or HTML file containing malicious scripts, which are then served to users without...

Arbitrary File Upload

Overview Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload. An administrator can execute arbitrary JavaScript in the context of the application by uploading a crafted SVG or HTML file containing malicious scripts, which are then served to users without...

CVE-2026-40190

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK langsmith contains an incomplete prototype pollution fix in its internally vendored lodash set utility. The baseAssignValue function only guards against the...

EUVD-2026-21154

PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering nh3 Not a Required Dependency...

PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)

Summary The Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The sanitizehtml function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent the default installation, the...

EUVD-2026-21547

A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the odh-dashboard component of Red Hat OpenShift AI RHOAI allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to...

CVE-2026-5483

A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the odh-dashboard component of Red Hat OpenShift AI RHOAI allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to...

CVE-2026-5483

A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the odh-dashboard component of Red Hat OpenShift AI RHOAI allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to...

CVE-2026-35643 OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context...

EUVD-2026-21438

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context...

CVE-2026-35643

OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context...

SUSE-SU-2026:21024-1 Security update for cockpit-machines

This update for cockpit-machines fixes the following issues: - CVE-2026-25547: brace-expansion: unbounded brace range expansion can lead to excessive resource consumption and crash a Node.js process bsc1257836. - CVE-2026-26996: minimatch: processing of glob pattern containing repeated wildcards...