Agent Security Is a Systems Problem
We take the position that agent security must be approached as a systems problem: the AI model powering the agent must be treated as an untrusted component, and security invariants must be enforced at the system level. Through this lens, efforts to increase model robustness, the dominant viewpoint...
HUSTOJ Admin users can zip-slip problem_import_qduoj.php, planting PHP files in webroot for RCE
A user with administrative privileges can abuse the problem_import_qduoj.php CGI script with a crafted zip file (zip-slip) to traverse backwards through the filesystem to the webroot, where they can extract a PHP file that spawns a shell and obtain full RCE in the context of the webserver. Module...
CVE-2026-44903 vulnerabilities
Vulnerabilities for packages: jaeger, metrics-server, telegraf, tempo, istio, prometheus-pushgateway, opentelemetry-collector, mc, opentelemetry-collector-contrib, certificate-transparency, cloud-sql-proxy, opentelemetry-operator, mcp-grafana, datadog-agent, node-problem-detector,...
CVE-2026-45191
Net::CIDR::Lite versions before 0.24 for Perl do not properly consider extraneous zero characters in CIDR mask values, which may allow IP ACL bypass. Mask forms like "/00" and "/01" pass validation and parse to the same prefix as their unpadded value. See also CVE-2026-45190...
free5GC's NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference
Summary free5GC's NEF PATCH /3gpp-pfd-management/v1/afId/transactions/transId/applications/appId handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil ProblemDetails. The handler's errPfdData != nil branch...
GHSA-J59F-X285-69JX free5GC's NEF 3gpp-pfd-management PATCH applications/{appId} panics on UDR access failure due to nil ProblemDetails dereference
Summary free5GC's NEF PATCH /3gpp-pfd-management/v1/afId/transactions/transId/applications/appId handler panics with a nil-pointer dereference when the upstream UDR call fails AND the consumer wrapper returns err != nil together with a nil ProblemDetails. The handler's errPfdData != nil branch...
CVE-2023-42343
OpenCMS before 10.5.1 is vulnerable to a Cross-Site Scripting (XSS) issue via the CMIS online endpoint cmis-online/type. The vulnerability is described across multiple connected sources (CVE-2023-42343, EUVD-2023-46796, NVD/NVDC, and nuclei templates) as an XSS flaw in the /opencms/cmisatom/cmis-...
CVE-2024-33724
SOPlanning 1.52.00 is vulnerable to Cross-Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php. Affected software is SOPlanning; the vulnerability arises in the groupe_id handling, enabling injection that can affect authenticated users and potentially hijack sessions (per C...
PT-2026-39252
Name of the Vulnerable Software and Affected Versions: free5GC versions prior to 4.2.2. Description: The Network Exposure Function (NEF) in free5GC contains a nil-pointer dereference issue within the PatchIndividualApplicationPFDManagement function. This occurs when a PATCH request is sent to the...
CVE-2024-33288
The CVE-2024-33288 entry covers a SQL injection vulnerability in Prison Management System Using PHP v1.0, exposed on the Admin login page via the username parameter. Multiple connected sources document an authentication bypass PoC and public exploits targeting admin access (e.g., by injecting adm...
CVE-2026-43862
In mutt before 2.3.2, the imap_auth_gss security level is mishandled...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: the num_connectors field is incorrectly handled. The UCSI specification states that the num_connectors field consists of 7 bits, with the 8th bit reserved and required to be zero. Some faulty firmware has been...
HUSTOJ Zip-Slip v26.01.24 - RCE
Exploit Title: HUSTOJ Zip-Slip v26.01.24 - RCE; Date: 2026-02-14; Exploit Author: Marshall Whittaker / oxagast; Vendor Homepage: https://github.com/zhblue/hustoj; Software Link: http://123.158.38.129:8090/livecd/HUSTOJ25.05.iso (LiveCD), or see the git repo above; Version: before v26.01.24; Tested on: Ubuntu...
Poster: ClawdGo: Endogenous Security Awareness Training for Autonomous AI Agents
Autonomous AI agents deployed on platforms such as OpenClaw face prompt injection, memory poisoning, supply-chain attacks, and social engineering, yet existing defences address only the platform perimeter, leaving the agent's own threat judgement entirely untrained. We present ClawdGo, a framewor...
CVE-2026-40179 vulnerabilities
Vulnerabilities for packages: jaeger, telegraf, tempo, istio, prometheus-pushgateway, mc, certificate-transparency, cloud-sql-proxy, mcp-grafana, datadog-agent, node-problem-detector, minio-object-browser, trillian, prometheus, karma, loki, minio-operator, splunk-otel-collector, minio, keda...
GHSA-VFFH-X6R8-XX99 vulnerabilities
Vulnerabilities for packages: jaeger, telegraf, tempo, istio, prometheus-pushgateway, mc, certificate-transparency, cloud-sql-proxy, mcp-grafana, datadog-agent, node-problem-detector, minio-object-browser, trillian, prometheus, karma, loki, minio-operator, splunk-otel-collector, minio, keda...
MINI-PM25-G6XV-V9WW
Bulletin has no description...
GHSA-7MR4-XJXG-34G6 vulnerabilities
Vulnerabilities for packages: aws-flb-cloudwatch, memcached-exporter, terraform-provider-aws, gitaly, jitsucom-bulker, kserve-rest-proxy, kubernetes, swagger, docker-cli, polaris, flux, terraform-provider-pagerduty, vault-benchmark, vault-secrets-webhook, grafana-mimir, verticadb-operator,...
MINI-W522-6PX2-5VJW
Bulletin has no description...
CVE-2026-5863
Summary: CVE-2026-5863 is an insecure implementation in the V8 engine of Google Chrome/Chromium prior to 147.0.7727.55 that could allow remote code execution via a crafted HTML page. The current public docs list the issue and indicate high impact, but do not provide exploitation details. Public u...