NocoBase - SQL Injection

NocoBase @nocobase/plugin-collection-sql versions prior to 2.0.39 are vulnerable to SQL injection via the sqlCollection:update endpoint. The checkSQL function, which blocks dangerous SQL keywords and ensures only SELECT statements are allowed, is not called during collection updates. id:...

CVE-2026-11453

A vulnerability was found in Tiobon Employee Self-Service System up to 7.2. Affected by this vulnerability is an unknown functionality of the file /Blog/BlogSearch.aspx of the component Login Endpoint. The manipulation of the argument Keyword results in sql injection. The attack can be launched...

CVE-2026-11466

CVE-2026-11466 affects the zilliztech deep-searcher up to version 0.0.2. The issue is in deepsearcher/agent/collection_router.py (function CollectionRouter.invoke ), where argument kwargs manipulation leads to improper access controls. This enables remote exploitation ; the exploit is publicly av...

CVE-2026-11453

A vulnerability was found in Tiobon Employee Self-Service System up to 7.2. Affected by this vulnerability is an unknown functionality of the file /Blog/BlogSearch.aspx of the component Login Endpoint. The manipulation of the argument Keyword results in sql injection. The attack can be launched...

PT-2026-47176

A vulnerability was found in Tiobon Employee Self-Service System up to 7.2. Affected by this vulnerability is an unknown functionality of the file /Blog/BlogSearch.aspx of the component Login Endpoint. The manipulation of the argument Keyword results in sql injection. The attack can be launched...

Tiobon Employee Self-Service System SQL注入漏洞

The Tiobon Employee Self-Service System is an enterprise employee self-service platform developed by Tiobon Corporation. Versions of the Tiobon Employee Self-Service System prior to 7.2 contained a SQL injection vulnerability. This vulnerability stemmed from incorrect handling of the parameter...

CVE-2026-49371

In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible...

JetBrains TeamCity < 2026.1.1 Reflected XSS (CVE-2026-49371)

The version of JetBrains TeamCity installed on the remote host is prior to 2026.1.1. It is, therefore, affected by a vulnerability: - In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible CVE-2026-49371 Note that Nessus has not tested for this issue but has instea...

CVE-2026-10121

A flaw has been found in TRENDnet TEW-432BRP 3.10B20. The impacted element is the function formSetUrlFilter of the file /goform/formSetUrlFilter. This manipulation of the argument keywordlist/keyword causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploi...

CVE-2026-49371

In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible...

CVE-2026-49371

In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible...

CVE-2026-49371

In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible...

EUVD-2026-33379

In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible...

CVE-2026-49371

In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible...

CVE-2026-49371

CVE-2026-49371 affects JetBrains TeamCity prior to version 2026.1.1, where the keyword filter is vulnerable to a reflected XSS. The CVE entry documents an in-the-wild impact of a high-severity issue (CVSS 3.1: 7.1, NETWORK attack vector, UI interaction required) originating from insufficient inpu...

JetBrains TeamCity 跨站脚本漏洞

JetBrains TeamCity is a set of distributed build management and continuous integration tools developed by the Czech company JetBrains. This tool offers features such as continuous unit testing, code quality analysis, and reporting on build issues. Versions of JetBrains TeamCity prior to 2026.1.1...

PT-2026-44951

Name of the Vulnerable Software and Affected Versions JetBrains TeamCity versions prior to 2026.1.1 Description A reflected Cross-Site Scripting XSS issue exists in the keyword filter. Reflected XSS occurs when an application receives data in an HTTP request and includes that data within the...

GHSA-9RFG-V8G9-9367 Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring

As told on Discord earlier, multiple projects are affected, and we would like to coordinate. For now, we are aiming at a May 6th release date, but this is not set in stone yet. Summary An attacker can make use of JSON-LD features to restructure a JSON-LD document that would change how Fedify...

CyBOKClaw: Human-In-The-Loop CyBOK Mapping for Cybersecurity Curriculum

This paper presents CyBOKClaw, an interpretable human-in-the-loop retrieval framework for mapping cybersecurity keywords or phrases KWoPs to the Cyber Security Body of Knowledge CyBOK. Rather than treating the task as strict exact classification, the framework is designed as a top-k candidate...

MAL-2026-4197 Malicious code in pretty-logger-utils (npm)

pretty-logger-utils is a malicious npm package that depends on terminal-logger-utils and triggers the malicious behavior in that package when installed or imported. The terminal-logger-utils payload executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper...