NPM: hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice

NPM: hono: AWS Lambda adapter merges multiple Set-Cookie headers into one value, dropping cookies on ALB single-header and Lattice vulnerability discovered by ? in WordPress Npm hono versions 4.12.25...

CVE-2026-5222 affecting package rust for versions less than 1.75.0-30

CVE-2026-5222 affecting package rust for versions less than 1.75.0-30. A patched version of the package is available...

Use of Less Trusted Source

Overview Affected versions of this package are vulnerable to Use of Less Trusted Source. Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded request headers it receives from untrusted proxies to downstream services. Both the WebFlux and WebMVC Gateway Servers process these...

CVE-2026-41887

Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri LESS features in the customless setting, but the same restriction was never applied to other settings registered as LESS config variables for exampl...

CVE-2026-44573

A flaw was found in Next.js. Applications utilizing the Pages Router with internationalization i18n configured and middleware or proxy-based authorization are susceptible to unauthorized access. A remote attacker can exploit this by making locale-less /next/data//.json requests, which bypass the...

CVE-2026-39834 affecting package nvidia-container-toolkit for versions less than 1.17.8-3

CVE-2026-39834 affecting package nvidia-container-toolkit for versions less than 1.17.8-3. A patched version of the package is available...

EUVD-2026-31913

Chatwoot is a customer engagement suite. From 2.2.0 to before 4.11.2, a SQL injection vulnerability exists in the conversation and contact filter APIs. When filtering by a custom attribute of type date or number using the isgreaterthan or islessthan operators, user-supplied values in the values...

Astra Linux - уязвимость в firefox, thunderbird

When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped. This vulnerability affects Thunderbird 91.4.0, Firefox ESR 91.4.0, and Firefox 95...

Malicious code in jest-less-loader (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@jason_mao/mao-ui (=0.0.1), aim-testing (>=0.0.5 <=0.0.8) potentially affected by unknown CVE via jest-less-loader (=0.2.0)

jest-less-loader NPM version =0.2.0 is affected by a known vulnerability. The following packages have a transitive dependency on jest-less-loader and may be impacted: - @jasonmao/mao-ui =0.0.1 - aim-testing =0.0.5, =0.0.8 Source cves: unknown CVE Source advisory: SNYK:JS-JESTLESSLOADER-16754444...

CVE-2026-35469 affecting package keda for versions less than 2.14.1-12

CVE-2026-35469 affecting package keda for versions less than 2.14.1-12. A patched version of the package is available...

CVE-2026-6474 affecting package postgresql for versions less than 16.14-1

CVE-2026-6474 affecting package postgresql for versions less than 16.14-1. An upgraded version of the package is available that resolves this issue...

Exploiting LLM Agent Supply Chains Via Payload-Less Skills

Autonomous agents powered by Large Language Models LLMs acquire external functionalities through third-party skills available in open marketplaces. Adopting these integrations broadens the potential attack surface, prompting a need for systematic security evaluation. Current auditing mechanisms a...

CVE-2026-41887

Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri LESS features in the customless setting, but the same restriction was never applied to other settings registered as LESS config variables for exampl...

EUVD-2026-28804

Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri LESS features in the customless setting, but the same restriction was never applied to other settings registered as LESS config variables for exampl...

CVE-2026-41887

Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri LESS features in the customless setting, but the same restriction was never applied to other settings registered as LESS config variables for exampl...

CVE-2026-41887

The CVE-2026-41887 entry affects Flarum core prior to versions 1.8.16 and 2.0.0-rc.1, where values assigned to LESS-configurable settings (e.g., theme_primary_color/theme_secondary_color) are interpolated into LESS at compile time. An authenticated administrator can inject an arbitrary @import, e...

CVE-2026-41887 Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)

Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri LESS features in the customless setting, but the same restriction was never applied to other settings registered as LESS config variables for exampl...

CVE-2026-41887 Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577)

Flarum is open-source forum software. Prior to versions 1.8.16 and 2.0.0-rc.1, Flarum's patch for CVE-2023-27577 restricted the @import and data-uri LESS features in the customless setting, but the same restriction was never applied to other settings registered as LESS config variables for exampl...

Vim 操作系统命令注入漏洞

Vim is an open-source, cross-platform text editor developed by Vim developers. Versions of Vim prior to 9.2.0383 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the netrw standard plugin, which allowed for OS command injection. This could...