CVE-2026-32885

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

CVE-2026-45779

CVE-2026-45779 affects OpenXDMoD: an unauthenticated SQL injection in Open XDMoD versions prior to 10.0.3 can lead to arbitrary SQL execution and complete compromise of the underlying database. The issue impacts all deployments

CVE-2026-44352

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Broken Access Control allows reading of sketch logs from any user. This vulnerability is fixed in 1.2.3...

The Coverage Gap: Chile's Cyber Disclosure Framework Versus the USA, EU and UK

We introduce the Coverage Gap as a measurable distance between the observable public exposure of critical-infrastructure operators and their declared capability to coordinate vulnerability disclosure. We instantiate it against the 915 Chilean Operadores de Importancia Vital OIVs -- Operators of...

UFO³ 安全漏洞

UFO³ is an open-source cross-device collaboration multi-agent task orchestration tool developed by Microsoft. Version UFO³ 3.0.1-4-ge2626659 contains a security vulnerability. This vulnerability stems from variable instance fields being overwritten in the shared WebSocket processor instances, whi...

GuardDog 安全漏洞

GuardDog is an open-source CLI tool developed by GuardDog, which allows for the identification of malicious PyPI packages. Versions 2.6.0 to 2.9.0 of GuardDog contain security vulnerabilities. These vulnerabilities stem from the default human-readable output, which includes filenames, file...

PostCSS 安全漏洞

PostCSS is an open-source style transformation tool developed by PostCSS. Versions of PostCSS 7.1.1 and earlier contained a security vulnerability. This vulnerability stemmed from improper handling of the toString function in the file/src/selectors/container.js component AST serialization, which...

PYSEC-2026-29

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpathfilter switches to XML mode for XML/RSS content and creates etree.XMLParserstripcdata=False without explicitly disabling external entity resolution, external DTD loading, or network-backed entity...

Syft 安全漏洞

Syft is an open-source remote data analysis tool developed by OpenMined, designed for protecting data privacy. Versions of Syft 0.9.5 and earlier contained security vulnerabilities. These vulnerabilities stemmed from inadequate validation of Python code submitted by users and insufficient sandbox...

Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation

Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence AI system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and...

Inkeep Agents 授权问题漏洞

Inkeep Agents is an open-source tool developed by Inkeep, designed for building AI agents that support visual drag-and-drop operations and TypeScript SDKs. Version 0.58.14 of Inkeep Agents contains a vulnerability related to authorization. This vulnerability originates from the createDevContext...

CI4MS 代码问题漏洞

CI4MS is an open-source blog page management tool developed by Ci4MS. There were code issues and vulnerabilities in versions of CI4MS from 0.26.0 to 0.31.8.0. These vulnerabilities stemmed from the auth filter disabling the check for banning/banned users...

PPTAgent 路径遍历漏洞

PPTAgent is an open-source intelligent presentation generation tool based on large models developed by ICIP-CAS. Previous versions of PPTAgent, such as 418491a, contained a path traversal vulnerability. This vulnerability stemmed from issues with the savegeneratedslides function, which could allo...

xhs-mcp 代码问题漏洞

xhs-mcp is an open-source tool developed by Algovate for automated publication and content management of REDnote. Version xhs-mcp 0.8.11 contains a code vulnerability. This vulnerability arises from the mediapaths parameter operation in the xhspublishcontent function within the...

Flowise Information Disclosure Vulnerability

Flowise is a FlowiseAI open source tool for easily building LLM applications. Flowise suffers from an information disclosure vulnerability caused by a flaw in the /api/v1/public-chatflows/:id endpoint that can be exploited by an attacker to obtain sensitive information...

Flowise 信息泄露漏洞

Flowise is a FlowiseAI open source tool for easily building LLM applications. Flowise suffers from an information disclosure vulnerability caused by a flaw in the /api/v1/public-chatflows/:id endpoint that can be exploited by an attacker to obtain sensitive information...

PT-2026-34524

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

A Ground-Truth-Based Evaluation of Vulnerability Detection across Multiple Ecosystems

Automated vulnerability detection tools are widely used to identify security vulnerabilities in software dependencies. However, the evaluation of such tools remains challenging due to the heterogeneous structure of vulnerability data sources, inconsistent identifier schemes, and ambiguities in...

NightWolf Penetration Testing Platform 安全漏洞

NightWolf Penetration Testing Platform is an open-source cybersecurity testing tool developed by NightWolf. It is designed specifically for red teams and penetration testers, used for vulnerability exploitation, privilege escalation, and lateral movement testing. The NightWolf Penetration Testing...

QD 安全漏洞

QD is a task scheduling and automatic execution tool developed by QD OpenSource. There is a security vulnerability in QD 20230821, which stems from a specially crafted request and may lead to server-side request forgery...