CVE-2026-39425

MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting XSS vulnerability that allows authenticated users to inject arbitrary HTML and JavaScript into the Application prologue Opening Remarks field by wrapping malicious payloads in tags...

Malicious code in @aircall-ecosystem/integrations-msteams-frontend (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4343cd15bb1d3104166b2ddf4f549bc184fde49233b5cfba97f353f00a8c2a2e The package @aircall-ecosystem/integrations-msteams-frontend was found to contain malicious code. Source: ghsa-malware...

MAL-2026-2613 Malicious code in upstart-offer-container (npm)

Package collects sensitive data SSH keys, AWS creds, env vars, exfiltrates it to a remote server, and executes shell commands. MALWARE! --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 148e48dd7b06a250063027a17895962000ca784a3fe52b704bea049afc85763a The package...

CVE-2026-32283 vulnerabilities

Vulnerabilities for packages: kyverno-notation-aws, bazelisk, k8s-metacollector-fips, terraform-provider-pagerduty-fips, kube-arangodb, cert-manager-openshift-routes, crossplane-provider-kubernetes-fips, nri-postgresql, knative-serving-fips, go-discover, opentofu, kserve-rest-proxy, vale,...

PT-2026-32054

Name of the Vulnerable Software and Affected Versions SiYuan versions 3.x through 3.6.3 Description An issue exists where the '/api/av/removeUnusedAttributeView' endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a...

CVE-2026-33783

Junos OS Evolved on PTX Series is affected when SRTE policy tunnels are provisioned via PCEP and gRPC is used to monitor traffic; evo-aftmand crashes and requires manual restart, causing persistent DoS. The issue occurs only if the Originator ASN field in PCEP exceeds 65,535 (32-bit ASN). Affecte...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the node.invoke process. An attacker can alter persistent browser profiles by invoking browser.proxy to bypass the intended profile-mutation guard. Remediation...

OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard

Impact OpenClaw node.invokebrowser.proxy bypasses browser.request persistent profile-mutation guard. node.invokebrowser.proxy could mutate persistent browser profiles through a path that bypassed the browser.request guard. OpenClaw is a user-controlled local assistant. This advisory is scoped to...

GHSA-CMFR-9M2R-XWHQ OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard

Impact OpenClaw node.invokebrowser.proxy bypasses browser.request persistent profile-mutation guard. node.invokebrowser.proxy could mutate persistent browser profiles through a path that bypassed the browser.request guard. OpenClaw is a user-controlled local assistant. This advisory is scoped to...

PT-2026-31780

Name of the Vulnerable Software and Affected Versions PraisonAIAgents versions prior to 1.5.128 Description PraisonAIAgents is a multi-agent teams system. The memory hooks executor in PraisonAIAgents passes a user-controlled command string directly to subprocess.run with shell=True at...

APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

The Russian threat actor known as APT28 aka Forest Blizzard and Pawn Storm has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX. "PRISMEX combines advanced steganography, component object model COM...

parisneo/lollms has an insufficient session expiration vulnerability

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

EUVD-2026-20030

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

CVE-2026-1163 Insufficient Session Expiration in parisneo/lollms

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

LoLLMs 代码问题漏洞

LoLLMs is a large language and multimodal system personally developed by Saifeddine ALOUI. LoLLMs has code vulnerabilities; these vulnerabilities stem from an insufficient conversation expiration mechanism after password reset, which may allow attackers to maintain persistent access to compromise...

CVE-2026-35576

ChurchCRM prior to version 7.0.0 has a stored XSS in the Person Property Management subsystem (PrintView.php) that an authenticated user can inject via dynamically assigned person properties. The payload is stored and executed when other users view the affected person profile or the printable vie...

Improper Symlink Handling

kubevirt.io/kubevirt is vulnerable to improper symlink handling. The vulnerability is due to improper validation of symbolic links in PVC disk mounting along with incorrect file ownership changes, which allows an attacker with control over PVC contents to create malicious symlinks and read...

CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS

An attacker can acheive Full Account Takeover & Privilege Escalation via Stored DOM Blind XSS on public-facing landing pages through the System Settings Company Information section which allows the injection of XSS payloads...

GHSA-5GHQ-42RG-769X CI4MS: Company Information Public-Facing Page Full Platform Compromise & Full Account Takeover for All Roles & Privilege-Escalation via System Settings Company Information Stored DOM XSS

An attacker can acheive Full Account Takeover & Privilege Escalation via Stored DOM Blind XSS on public-facing landing pages through the System Settings Company Information section which allows the injection of XSS payloads...

Google Android 安全漏洞

Google Android is an open-source operating system based on Linux, developed by Google Inc. There are security vulnerabilities in Google Android, where a resource exhaustion may lead to persistent denial-of-service attacks. Local denial-of-service attacks do not require additional execution...