19 matches found
OESA-2026-2148 pdfbox security update
Apache PDFBox is an open source Java PDF library for working with PDF documents. This project allows creation of new PDF documents, manipulation of existing documents and the ability to extract content from documents. Apache PDFBox also includes several command line utilities. Apache PDFBox is...
CVE-2026-23907
This issue affects the ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.35, from 3.0.0 through 3.0.6. The ExtractEmbeddedFiles example contains a path traversal vulnerability (CWE-22) because the filename that is obtained from PDComplexFileSpecification.getFilename is appended...
Specification-Guided Vulnerability Detection with Large Language Models
Large language models (LLMs) have achieved remarkable progress in code understanding tasks. However, they demonstrate limited performance in vulnerability detection and struggle to distinguish vulnerable code from patched code. We argue that LLMs lack understanding of security specifications -- the...
CVE-2025-36899
CVE-2025-36899 affects Google Pixel devices, with a local elevation-of-privilege (EoP) flaw in the Secure Element component. It stems from test/debugging code left in a production build, allowing privilege escalation without additional execution privileges or user interaction (per the CVE entry a...
LLM-GUARD: Large Language Model-Based Detection and Repair of Bugs and Security Vulnerabilities in C++ and Python
Large Language Models (LLMs) such as ChatGPT-4, Claude 3, and LLaMA 4 are increasingly embedded in software/application development, supporting tasks from code generation to debugging. Yet, their real-world effectiveness in detecting diverse software bugs, particularly complex, security-relevant...
Microsoft Secures MSA Signing with Azure Confidential VMs Following Storm-0558 Breach
Microsoft on Monday announced that it has moved the Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and that it's also in the process of migrating the Entra ID signing service as well. The disclosure comes about seven months after the tech giant said it completed...
Google Pixel Security Breach
Google Pixel is a smartphone from Google USA. Google Pixel suffers from a security vulnerability that stems from test/debug code left behind in the production version, which could be a persistent denial of service...
CVE-2024-32047
Hard-coded credentials for the CyberPower PowerPanel test server can be found in the production code. This might result in an attacker gaining access to the testing or production server...
PT-2024-3235 · Cyberpower · Cyberpower Powerpanel
Name of the Vulnerable Software and Affected Versions: CyberPower PowerPanel (affected versions not specified). Description: The issue is related to hard-coded credentials for the test server found in the production code, which could allow an attacker to gain access to the testing or production...
CKEditor 4.x < 4.24.0-lts Multiple XSS
The version of CKEditor included on the remote web host is 4.x prior to 4.24.0-lts. It may, therefore, be affected by multiple cross-site scripting (XSS) vulnerabilities. - A cross-site scripting vulnerability affecting editor instances that enabled full-page editing mode or enabled CDATA elements ...
CKEditor4 Cross-site Scripting vulnerability in samples with enabled the preview feature
Affected packages: The vulnerability has been discovered in the samples that use the preview feature: samples/old//.html plugins/plugin name/samples//.html. All integrators that use these samples in the production code can be affected. Impact: A potential vulnerability has been discovered in one of...
Cross site scripting
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the preview feature. All integrators that use these samples in the production code can be affected. The...
CVE-2024-24816 Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerability has been discovered in versions prior to 4.24.0-lts in samples that use the preview feature. All integrators that use these samples in the production code can be affected. The...
Mail.ru: Disk-o Cloud application (Windows) does not validate server certificate on a TLS connection
A debugging/staging functionality disabling TLS certificate check was accidentally enabled in production code for Disk-O 20.10.0133, fixed in version 20.11.0006. 21.04 version adds integrity check for update process...
CVE-2019-5479
An unintended require vulnerability in v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code JavaScript file...
CVE-2019-5479
An unintended require vulnerability in v0.5.5 larvitbase-api may allow an attacker to load arbitrary non-production code JavaScript file...
Directory Traversal
domokeeper is susceptible to directory traversal. The attack is possible because of the use of the command require, which dynamically reads unintended arbitrary JSON files and loads non-production code on the server...
Directory Traversal
Overview: Affected versions of featurebook resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure of private files on the vulnerable syste...
Cloudflare: // (double slash) inside es6 template literals interpreted as an inline comment by the auto-minifier
The following is valid javascript: var a = `//`; So is this: var url = `https://hackerone.com`; However, Cloudflare's auto-minifier removes the parts of both lines including and after the //, meaning in production, they look like this: var a = ` var url = `https: This can either straight up break or...