49 matches found
CVE-2026-49270
Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true are vulnerable to an unauthenticated attacker who can receive a list of all...
CVE-2026-41401
libyang before 5.2.6 contains a heap use-after-free write vulnerability in lydparsersetdataflags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata...
CVE-2026-42158
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID could update the metadata of an investigation of another user. This vulnerability is fixed in 1.2.3...
Incomplete List of Disallowed Inputs
Overview: Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the metadata process. An attacker can rename, move, or create links to files within the container by submitting specially crafted metadata values that bypass the intended blocklist. This may also...
Allocation of Resources Without Limits or Throttling
Overview: OpenTelemetry.Resources.Azure is a package that contains Resource Detectors for applications running in an Azure environment. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the AzureVmMetaDataRequestor in the Azure resource metada...
Lemmy has SSRF and internal image disclosure in post link metadata via unvalidated og:image
Summary: Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the preview image through local pict-rs. While the top-level page URL is checked against internal IP ranges, the extracted og:image URL is not subject to the same restriction...
EUVD-2026-23147
MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can embed malicious ANSI escape codes in PDF metadata that are passed unsanitized to the terminal when...
CVE-2026-24516
A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component internal/troubleshooting/actioner/actioner.go processes metadata from the metadata service endpoint and executes commands specified in the TroubleshootingAgent.Requesting...
CVE-2026-33173
Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the...
CVE-2026-27973 Audiobookshelf has Stored XSS in ItemSearchCard.vue via Audiobook Metadata (Search Results on Mobile App)
Audiobookshelf is a self-hosted audiobook and podcast server. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 0.12.0-beta of the Audiobookshelf mobile application that allows arbitrary JavaScript execution through malicious library metadata. Attackers with library...
CVE-2025-61788
Opencast Paella Player 7 is vulnerable to cross-site scripting prior to versions 17.8 and 18.2. The issue stems from unfiltered user-supplied metadata being rendered in the player, enabling injection of HTML/JavaScript that executes in viewers’ browsers. Exploitation requires write access to the ...
EUVD-2018-18720
Malware in sbrugna...
EUVD-2015-6540
Malware in sbrugna...
EUVD-2021-2347
Malware in sbrugna...
EUVD-2009-4171
Malware in sbrugna...
EUVD-2010-2078
Malware in sbrugna...
EUVD-2022-4783
Malicious code in bioql PyPI...
EUVD-2024-2161
Malicious code in bioql PyPI...
EUVD-2025-6877
Malicious code in bioql PyPI...
org.apache.ranger:ranger-kylin-plugin (>=2.5.0 <=2.8.0), org.apache.ranger:ranger-kylin-plugin-shim (>=2.5.0 <=2.8.0) potentially affected by CVE-2025-61734 via org.apache.kylin:kylin-core-metadata (=4.0.4)
org.apache.kylin:kylin-core-metadata MAVEN version =4.0.4 is affected by a known vulnerability. The following packages have a transitive dependency on org.apache.kylin:kylin-core-metadata and may be impacted: - org.apache.ranger:ranger-kylin-plugin =2.5.0, =2.5.0, =2.8.0 Source cves: CVE-2025-617...