PT-2026-26965

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the isDashboardOrProfileRequest method in the Menu Editor module using an insecure strpos check against $ SERVER'REQUEST URI' t...

Exploit for CVE-2026-33017

CVE-2026-33017 — Langflow Unauthenticated RCE PoC !CVEhttp...

EUVD-2026-13836

Requires malware code to misuse the DDK kernel module IOCTL interface. Such code can use the interface in an unsupported way that allows subversion of the GPU to perform writes to arbitrary physical memory pages. The product utilises a shared resource in a concurrent manner but does not attempt t...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.2.25 contained security vulnerabilities. These vulnerabilities stemmed from a bypass of approval integrity in the system.run module, which could lead to the execution of binary...

PT-2026-26885

A security vulnerability has been detected in vanna-ai vanna up to 2.0.2. Affected is the function exec of the file /src/vanna/legacy. Such manipulation leads to injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early...

CVE-2026-22163

Requires malware code to misuse the DDK kernel module IOCTL interface. Such code can use the interface in an unsupported way that allows subversion of the GPU to perform writes to arbitrary physical memory pages. The product utilises a shared resource in a concurrent manner but does not attempt t...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the CheckTxnAuth function. A user with RBAC restricted permissions on key ranges can gain unauthorized access to the entire data store by bypassing key-level authorization checks using nested transactions...

CVE-2026-33147

GMT is an open-source suite of CLI tools for geographic/Cartesian data. A stack-based buffer overflow was identified in the gmt_remote_dataset_id function (src/gmt_remote.c) affecting versions up to 6.6.0. Trigger occurs when a specially crafted long string is passed as a dataset identifier (e.g....

CVE-2026-4505

This CVE affects the eosphoros-ai DB-GPT project up to version 0.7.5. The vulnerability lies in the FastAPI Endpoint component, specifically the function module_plugin.refresh_plugins in packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py, which enables unrestricted file upload. The issu...

ANT-2026-HY56VRSB · nginx · Heap

heap-buffer-overflow high CVE-2026-27654 Severity Claude high · Security research firm - · Maintainer - Discovered by Claude Mythos Preview REPORT Anthropic's analysis, sealed at approval. Disclosure to the maintainer was performed by Calif. ANT-2026-HY56VRSB: Heap buffer overflow in...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the RemoveProjectBackground process. An attacker can permanently delete background images by sending a DELETE request to the relevant API endpoint with only read-level permissions. Remediation Upgrade...

OESA-2026-1703 golang security update

The Go Programming Language. Security Fixes: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large...

OESA-2026-1702 golang security update

The Go Programming Language. Security Fixes: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large...

OESA-2026-1701 golang security update

The Go Programming Language. Security Fixes: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large...

OESA-2026-1699 golang security update

The Go Programming Language. Security Fixes: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large...

OESA-2026-1647 qt5-qtsvg security update

The Qt SVG module provides functionality for displaying SVG images in widget, and to create SVG files using drawing commands. Security Fixes: The module will parse a pattern node which is not a child of a structural node. The node will be deleted after creation but might be accessed later leading...

Malicious code in restaking-apy-module (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8aa08edde60ee1a5b831af5088eaaf1b9b490ab5975541f8036f4efac42d6840 The package restaking-apy-module was found to contain malicious code. Source: ghsa-malware...

Malicious Package

Overview restaking-apy-module is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

MAL-2026-1966 Malicious code in restaking-apy-module (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8aa08edde60ee1a5b831af5088eaaf1b9b490ab5975541f8036f4efac42d6840 The package restaking-apy-module was found to contain malicious code. Source: ghsa-malware...

CVE-2026-4441

Use after free in Base in Google Chrome prior to 146.0.7680.153 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: Critical...