amazon-redshift-python-driver vulnerable to Remote Code Execution via eval() Injection

Summary amazon-redshift-python-driver is the official Python connector for Amazon Redshift. In versions 2.1.13 and earlier, the driver insufficiently validates data received from the server during query result processing. A rogue server or man-in-the-middle could leverage this to execute arbitrar...

AgenticMail API/storage and outbound relay hardening fixes

The current upstream main branch at commit 7e0206d was reviewed, and the fix-first patch set was rebased on 2026-05-18. The patches cover: validated and bound inactive-agent hour filtering; storage SQL identifier validation; metadata-backed ownership checks for raw storage SQL; blocking direct...

SQL Injection

Overview agno is an Agno: a lightweight library for building Multi-Agent Systems Affected versions of this package are vulnerable to SQL Injection via the deletebymetadata function in the clickhouse backend. An attacker can execute unintended SQL commands by supplying malicious metadata keys and...

CVE-2026-45626 Arcane: OS Command Injection in Volume Browser ListDirectory via path query parameter

Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/id/volumes/volumeName/browse accepts a path query parameter that is passed to a shell command sh -c "find … | while …" inside an Arcane helper container. The path sanitis...

CVE-2018-25398

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the frmpasswd parameter. Attackers can send POST requests to main.php with crafted SQL payloads to extract sensitive...

delve security update

An update is available for delve. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Delve is a debugger for the Go programming language. The goal of the project i...

RLSA-2026:19013 Moderate: delve security update

Delve is a debugger for the Go programming language. The goal of the project is to provide a simple, full featured debugging tool for Go. Delve should be easy to invoke and easy to use. Chances are if you're using a debugger, things aren't going your way. With that in mind, Delve should stay out ...

CVE-2018-25403 The Open ISES Project 3.30A SQL Injection via city_graph.php

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to citygraph.php with crafted SQL payloads to extract sensitive database...

EUVD-2018-21923

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to severgraph.php with crafted SQL payloads to extract sensitive databas...

CVE-2018-25402 The Open ISES Project 3.30A SQL Injection via inc_types_graph.php

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inctypesgraph.php with crafted SQL payloads to extract sensitive...

CVE-2018-25394 Kados R10 GreenBee SQL Injection via update_release.php

Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the releaseid parameter of boardsbuttons/updaterelease.php. The releaseid value is concatenated directly into SQL statements withou...

CVE-2018-25392

MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability exploitable by authenticated users through the log_activity function. The flaw occurs in /index.php/user/log_activity where parameters nomor, user, and jenis can be tainted with arbitrary SQL. Successful exploitation can enumerate...

CVE-2026-45582 n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.3, the workflow telemetry sanitizer could retain partial fragments of URL-shaped node parameters before sending workflow data to the project's anonymous telemetry...

CVE-2026-44238 FreePBX: Authenticated SQL Injection via ORDER BY in CDR Reports

FreePBX is an open source IP PBX. Prior to 16.0.50 and 17.0.11, the CDR Reports module page allows SQL injection through the order and sort POST parameters. Authentication with a FreePBX Administration Control Panel account that has CDR section access is required. Full administrator privileges ar...

CVE-2026-10078

A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically clientid and clientsecret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to th...

Improper Neutralization of Special Elements in Data Query Logic

Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic in the EntitySearchUtil::addSearchClause function in the autocomplete endpoint. The endpoint constructs SQL query with LIKE expression without escaping the SQL LIKE wildcar...

CVE-2026-10078 Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring

A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically clientid and clientsecret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to th...

CVE-2026-10078

A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically clientid and clientsecret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to th...

CVE-2026-10078 Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring

A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically clientid and clientsecret, to be transmitted as plaintext in URL query parameters during POST requests to the GitLab endpoint. This insecure transmission can lead to th...

CVE-2026-10078

The CVE-2026-10078 entry concerns Quay config-tool’s GitLab OAuth validator. The vulnerability causes client_id and client_secret to be sent in plaintext via URL query parameters during POST requests to the GitLab endpoint, enabling potential exposure of credentials in logs (server access logs, r...