2864 matches found
OpenMetadata - SpEL Injection in PUT /api/v1/policies
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. CompiledRule::validateExpression is also called from PolicyRepository.prepare. prepare is called from...
CVE-2026-12813
Affected software: activepieces (
PT-2026-51097
Name of the Vulnerable Software and Affected Versions py7zr versions prior to 0.22.1 Description The Worker.decompress function in py7zr/worker.py extracts archive entries without tracking the total decompressed size. This allows a specially crafted .7z file to cause disk or memory exhaustion...
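The size accounting the py7zr entry describes as missing, as an added example in Python (not py7zr's code): the standard-library lzma decompressor is driven in fixed-size steps and the running total of produced bytes is checked against a budget before the next step, so a crafted entry is rejected after at most one extra chunk rather than after filling disk or memory. The bomb payload is constructed inside the block and uses an xz stream rather than a .7z container, a simplification chosen because the point is the output accounting, not the archive format.

```python
import lzma


class DecompressionBombError(Exception):
    """Raised when decompressed output would exceed the configured budget."""


def bounded_decompress(blob: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress an xz/LZMA stream while counting every byte of output.

    The decompressor is asked for at most `chunk` bytes per call, so the
    running total is checked before output can grow past max_out. A bomb is
    rejected after at most one extra chunk of memory, never after the whole
    expanded payload has been written somewhere.
    """
    decompressor = lzma.LZMADecompressor()
    produced = 0
    parts = []
    data = blob
    while not decompressor.eof:
        out = decompressor.decompress(data, max_length=chunk)
        data = b""  # unconsumed input stays buffered inside the decompressor
        produced += len(out)
        if produced > max_out:
            raise DecompressionBombError(
                f"output passed {max_out} bytes from {len(blob)} compressed bytes"
            )
        parts.append(out)
        if decompressor.needs_input and not decompressor.eof:
            # All input was handed over in the first call, so wanting more
            # means the stream ended early.
            raise ValueError("truncated compressed stream")
    return b"".join(parts)


def is_bomb(blob: bytes, max_out: int) -> bool:
    """True if the stream would exceed max_out bytes when fully expanded."""
    try:
        bounded_decompress(blob, max_out)
    except DecompressionBombError:
        return True
    return False


def compress_sample(data: bytes) -> bytes:
    """Constructed sample payload (xz container, not a .7z archive)."""
    return lzma.compress(data)


def make_bomb(expanded_size: int) -> bytes:
    """Stand-in for a crafted entry: a few hundred bytes that expand to expanded_size."""
    return compress_sample(b"\x00" * expanded_size)


if __name__ == "__main__":
    bomb = make_bomb(4 * 1024 * 1024)
    print(f"{len(bomb)} compressed bytes, rejected under a 1 MiB budget: "
          f"{is_bomb(bomb, 1024 * 1024)}")
```

The budget should be set per entry from the size the archive header claims, plus a global cap across the whole archive, since an attacker controls both the claimed sizes and the number of entries.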
CVE-2026-11358
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it...
CVE-2024-37496
CVE-2024-37496 concerns the WordPress Metro Magazine theme (
CVE-2026-46882
Technical details (affected product, components, root cause, impact, remediation) are not publicly available in the provided documents; monitor for updates.
CVE-2026-46851
...
EUVD-2026-36750
Ruoyi 4.8.2 is vulnerable to cross-site scripting (XSS) at the interface /system/notice/add...
CVE-2026-37216
Ruoyi 4.8.2 is vulnerable to cross-site scripting (XSS) at the interface /system/notice/add...
[SECURITY] Fedora 43 Update: python-django5-5.2.15-1.fc43
Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY (Don't Repeat Yourself) principle...
CVE-2026-37216
CVE-2026-37216 affects Ruoyi 4.8.2 with a Cross Site Scripting (XSS) flaw at the interface /system/notice/add. Reported metrics indicate CVSS 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) base score 6.1 (Medium) and a potential impact on confidentiality and integrity (Low) with user interaction requi...
PT-2026-49290
Name of the Vulnerable Software and Affected Versions Ruoyi version 4.8.2 Description Cross-site scripting (XSS) occurs at the '/system/notice/add' endpoint. XSS is a type of security flaw that allows an attacker to inject malicious scripts into web pages viewed by other users. Recommendations At t...
metasploit-cheatsheet
Metasploit Cheatsheet A practical reference for using Metaspl...
Malicious Package
Overview ecto-corsair-flag-x9m4 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packag...
SUSE CVE-2026-46559
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-48 and 7.1.2-23, an incorrect check in the JP2 coder results in a single-byte heap buffer overwrite when certain options are specified. This issue has been patched in versions...
CVE-2026-44492
Axios is a promise based HTTP client for the browser and Node.js. Prior to 0.32.0 and 1.16.0, Axios does not normalise IPv4-mapped IPv6 addresses. When NO_PROXY lists an IPv4 address such as 127.0.0.1 or 169.254.169.254, a request URL using the IPv4-mapped IPv6 form ::ffff:7f00:1, ::ffff:a9fe:a9fe...
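The normalisation step the Axios entry says is missing, as an added example in Python (not Axios code and not its proxy logic; Python's stdlib ipaddress module is used because it already exposes the IPv4-mapped check). Both forms of the mapped literal from the advisory, ::ffff:7f00:1 and ::ffff:127.0.0.1, are collapsed to the dotted quad before the NO_PROXY comparison, so the alias cannot produce a different proxy decision than the address it names. The NO_PROXY value is a constructed sample; the exact-match, "*" and leading-dot suffix rules are the common NO_PROXY conventions and are an assumption about the matcher, not a description of Axios.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the kind of NO_PROXY the advisory describes, keeping
# loopback and the cloud metadata address off the proxy.
NO_PROXY = "127.0.0.1,169.254.169.254,.internal.example"


def canonical_host(host: str) -> str:
    """Return one canonical spelling for a host so that aliases compare equal.

    Brackets are stripped, names are lowercased, and an IPv4-mapped IPv6
    literal (::ffff:a.b.c.d or its hex form ::ffff:xxxx:xxxx) is collapsed
    to the dotted quad it designates.
    """
    h = host.strip().lower()
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return h  # a DNS name, not an address literal
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)  # also canonicalises plain IPv6 spellings (0:0::1 -> ::1)


def _entry_matches(host: str, entry: str) -> bool:
    """NO_PROXY entry semantics assumed here: exact host, '*', or '.suffix'."""
    entry = entry.strip().lower()
    if not entry:
        return False
    if entry == "*":
        return True
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def bypass_proxy_naive(url: str, no_proxy: str = NO_PROXY) -> bool:
    """The flawed decision: compare the URL host as the caller spelled it."""
    host = urlsplit(url).hostname or ""  # hostname already drops [] and case
    return any(_entry_matches(host, e) for e in no_proxy.split(","))


def bypass_proxy_normalised(url: str, no_proxy: str = NO_PROXY) -> bool:
    """The hardened decision: compare canonical forms on both sides."""
    host = canonical_host(urlsplit(url).hostname or "")
    return any(_entry_matches(host, canonical_host(e)) for e in no_proxy.split(","))


if __name__ == "__main__":
    for url in ("http://127.0.0.1/", "http://[::ffff:7f00:1]/", "http://[::ffff:a9fe:a9fe]/"):
        print(f"{url:32} naive={bypass_proxy_naive(url)!s:5} "
              f"normalised={bypass_proxy_normalised(url)}")
```

The same canonical form should be applied anywhere a host is compared against an allow or deny list, since a literal-string comparison is what lets the mapped spelling slip past the entry written for the IPv4 address.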
BELL-CVE-2026-46314
Bulletin has no description...
EUVD-2026-36140
Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies neither a nonce nor a capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice site option, suppressing...
EUVD-2026-36141
Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice...