PT-2026-7668

ASTPP 4.0.1 contains an information disclosure vulnerability that allows unauthenticated attackers to download database backup files by predicting backup filename patterns. Attackers can generate a list of 6-digit PIN combinations and fuzz the backup download URL to exfiltrate sensitive database...

CVE-2025-69873

ajv Another JSON Schema Validator before 8.18.0 is vulnerable to Regular Expression Denial of Service ReDoS when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax $data reference, which is passed directly to the JavaScript RegExp constructor without...

CVE-2025-69873

ajv Another JSON Schema Validator before 8.18.0 is vulnerable to Regular Expression Denial of Service ReDoS when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax $data reference, which is passed directly to the JavaScript RegExp constructor without...

CVE-2025-69873

ajv Another JSON Schema Validator before 8.18.0 is vulnerable to Regular Expression Denial of Service ReDoS when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax $data reference, which is passed directly to the JavaScript RegExp constructor without...

CVE-2026-26006 Redos (Regular Expression Denial of Service) at Code Extraction Block in significant-gravitas/autogpt

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The autogpt before 0.6.32 is vulnerable to Regular Expression Denial of Service due to the use of regex at Code Extraction Block. The two Regex are used...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the improper handling of configuration files from default location, provided through the sshconfigparsefile and sshbindconfigparsefile functions and through glob wildcards. An...

CVE-2025-11537

A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern such as the pre-defined 'long' pattern, sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log files can extract...

Security Bulletin: IBM Event Endpoint Management is vulnerable to command injection vulnerability (CVE-2025-64756)

Summary IBM Event Endpoint Management is vulnerable to command injection vulnerability due to Glob matches files. Vulnerability Details CVEID:CVE-2025-64756 DESCRIPTION: Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob...

PT-2026-7472

Name of the Vulnerable Software and Affected Versions AutoGPT versions prior to 0.6.32 Description AutoGPT is a platform for creating, deploying, and managing continuous artificial intelligence agents that automate complex workflows. Versions of AutoGPT before 0.6.32 contain a Regular Expression...

CVE-2026-25479

Litestar is an ASGI framework. Prior to 2.20.0, litestar.middleware.allowed_hosts compiles allowlist entries into regex patterns in a way that lets regex metacharacters retain special meaning (e.g., . matches any character). This can enable a bypass where a host that matches the regex is not the ...

PYSEC-2026-95

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOADDIR / file.name. Malicious filenames containing ../ sequences allow attackers to...

How Samsung Knox Helps Stop Your Network Security Breach

As you know, enterprise network security has undergone significant evolution over the past decade. Firewalls have become more intelligent, threat detection methods have advanced, and access controls are now more detailed. However and it’s a big “however”, the increasing use of mobile devices in...

YARA-X 1.13.0

YARA-X is a re-incarnation of YARA, a pattern matching tool designed with malware researchers in mind. This new incarnation intends to be faster, safer and more user-friendly than its predecessor. The ultimate goal of YARA-X is replacing YARA as the default pattern matching tool for malware...

Grok continues producing sexualized images after promised fixes

Journalists decided to test whether the Grok chatbot still generates non‑consensual sexualized images, even after xAI, Elon Musk’s artificial intelligence company, and X, the social media platform formerly known as Twitter, promised tighter safeguards. Unsurprisingly, it does. After scrutiny from...

Eclipse Foundation Mandates Pre-Publish Security Checks for Open VSX Extensions

The Eclipse Foundation, which maintains the Open VSX Registry, has announced plans to enforce security checks before Microsoft Visual Studio Code VS Code extensions are published to the open-source repository to combat supply chain threats. The move marks a shift from a reactive to a proactive...

Next.js Framework 10.x / 11.x / 12.x / 13.x / 14.x / 15.x < 15.5.10 / 16.x < 16.1.5 Image Optimizer DoS (GHSA-9g9p-9gw9-jx7f)

The Next.js Framework on the remote host is affected by a denial of service vulnerability: - A denial of service vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint /next/image loads external images...

This Week in Spring - February 3rd, 2026

Hi, Spring fans! This week I'm in northern Europe. I went on the Vaadin cruise from Finland to Sweden, gave a talk on a boat, then arrived in Stockholm in time for the amazing JFokus 2026 event where I had the privilege yesterday of doing a deep dive with my pal James Ward on Spring AI and agenti...

Denial Of Service (DoS)

Next.js is vulnerable to Denial Of Service DoS. The vulnerability is due to the image optimization endpoint loading external images into memory without enforcing a maximum size limit, which allows an attacker to request optimization of arbitrarily large images and trigger out-of-memory conditions...

The Trigger in the Haystack: Extracting and Reconstructing LLM Backdoor Triggers

Detecting whether a model has been poisoned is a longstanding problem in AI security. In this work, we present a practical scanner for identifying sleeper agent-style backdoors in causal language models. Our approach relies on two key findings: first, sleeper agents tend to memorize poisoning dat...

CVE-2026-24785

Clatter is a nostd compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versiosn prior to2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule Noise Protocol Framework...