CVE-2026-45680 OpenTelemetry eBPF Instrumentation: Unbounded BPF internal metrics replay can exhaust CPU

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. Prior to version 0.9.0, OBI replays BPF probe hits into histogram observations by looping once per recorded run count. On busy systems, the run-count delta can become very large, causing the...

CVE-2026-30830 Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag

Defuddle cleans up HTML pages. Prior to version 0.9.0, the findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event...

CVE-2026-30830 Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag

Defuddle cleans up HTML pages. Prior to version 0.9.0, the findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject event...

EUVD-2025-16355

Malicious code in bioql PyPI...

CVE-2025-46722

The CVE-2025-46722 entry concerns vLLM (versions 0.7.0–0.8.x) where MultiModalHasher in vllm/multimodal/hasher.py hashes PIL.Image.Image objects using only obj.tobytes(). This excludes image metadata (width, height, mode), enabling two images with identical pixel data but different shapes to yiel...

CVE-2025-46570 vLLM’s Chunk-Based Prefix Caching Vulnerable to Potential Timing Side-Channel

vLLM is an inference and serving engine for large language models LLMs. Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT Time to First Token. These timing differences...