openmrs-core 路径遍历漏洞

OpenMRS-core is an open-source electronic medical record system developed by OpenMRS. OpenMRS-core has a path traversal vulnerability. This vulnerability stems from the getFile method in ModuleResourcesServlet, which does not validate path boundaries. As a result, unauthorized attackers may be ab...

ROS-20260505-73-0077

A vulnerability in the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address and ipaddress.IPv6Network classes of the ipaddress module of the Python programming language interpreter CPython is related to incorrect IP address range validation. Exploitation of the vulnerability could...

ROS-20260505-73-0078

A vulnerability in the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address and ipaddress.IPv6Network classes of the ipaddress module of the Python programming language interpreter CPython is related to incorrect IP address range validation. Exploitation of the vulnerability could...

ROS-20260505-73-0079

A vulnerability in the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address and ipaddress.IPv6Network classes of the ipaddress module of the Python programming language interpreter CPython is related to incorrect IP address range validation. Exploitation of the vulnerability could...

PT-2026-37032

Name of the Vulnerable Software and Affected Versions Traccar versions 6.11.1 through 6.12.x Description The CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. This allows an attacker to inject spreadshee...

Linux Distros Unpatched Vulnerability : CVE-2026-35233

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of- range shlink field. When root-level dtrace attaches to...

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.10) +20 more potentially affected by CVE-2026-44118 via openclaw (>=2026.3.22 <=2026.4.21)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =27.2.5, =1.1.0, =2.1.3, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =0.2.18 - @xmoxmo/bncr =0.0.8 - morpho-vault-manager =0.1.0 and more Source cves: CVE-2026-44118 Source advisory: SNYK:JS-OPENCLAW-16417712...

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.10) +20 more potentially affected by CVE-2026-44997 via openclaw (>=2026.3.22 <=2026.4.21)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =27.2.5, =1.1.0, =2.1.3, =2026.3.24-3, =0.14.39, =0.1.0, =0.1.1, =0.2.18 - @xmoxmo/bncr =0.0.8 - morpho-vault-manager =0.1.0 and more Source cves: CVE-2026-44997 Source advisory: SNYK:JS-OPENCLAW-16417713...

GHSA-XJ4F-8JJG-VX4Q OpenMRS has Stored Velocity SSTI to RCE via ConceptReferenceRange

Impact The ConceptReferenceRangeUtility.evaluateCriteria method in OpenMRS Core evaluates database-stored criteria strings as Apache Velocity templates without any sandbox configuration. The VelocityEngine is initialized with only logging properties and noSecureUberspector, leaving the default...

ae.teletronics.nlp:entityextraction (=1.3), ai.aletyx.kogito:aletyx-kogito-ai-addons-quarkus-adhoc-subprocess (>=0.1.0 <=0.2.0) +1738 more potentially affected by CVE-2026-42027 via org.apache.opennlp:opennlp-tools (>=1.5.2-incubating <=2.5.8)

org.apache.opennlp:opennlp-tools MAVEN version =1.5.2-incubating, =0.1.0, =0.1.0, =2.12.1, =2.12.1, =19.9.0, =19.9.1, =19.9.1, =19.9.0, =19.9.0, =19.9.0, =19.9.0, =26.3.2 and more Source cves: CVE-2026-42027 Source advisory: OSV:GHSA-CX4M-2P55-RW7J...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +16 more potentially affected by CVE-2026-26332 via vm2 (>=3.0.0 <=3.10.5)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =1.0.0-beta.1, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.72.1 and more Source cves: CVE-2026-26332 Source advisory: SNYK:JS-VM2-16419533...

UBUNTU-CVE-2026-37459

An integer underflow in FRRouting FRR stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service DoS via supplying a crafted BGP UPDATE message...

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +16 more potentially affected by CVE-2026-24118 via vm2 (>=3.0.0 <=3.10.5)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =1.0.0-beta.1, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.72.1 and more Source cves: CVE-2026-24118 Source advisory: SNYK:JS-VM2-16419418...

JLSEC-2026-386

An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTPS redirects is used with authentication could leak credentials to other services that exist on different protocols ...

@puchunjie/doc-tools-mcp (>=1.0.11 <=1.0.14) potentially affected by CVE-2026-7738 via @puchunjie/doc-tools-mcp (=1.0.18)

@puchunjie/doc-tools-mcp NPM version =1.0.18 is affected by a known vulnerability. The following packages have a transitive dependency on @puchunjie/doc-tools-mcp and may be impacted: - @puchunjie/doc-tools-mcp =1.0.11, =1.0.14 Source cves: CVE-2026-7738 Source advisory:...

CVE-2026-29200

A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call...

Exploit for Incorrect Resource Transfer Between Spheres in Linux Linux_Kernel

CVE-2026-31431 "Copy Fail" — Safe Probe Suite !License: MIT...

ai-24sea (>=0.1.0 <=1.1.1), ai-documentation-writer (>=0.1.0 <=0.1.1) +31 more potentially affected by CVE-2026-7725 via prefect (>=3.0.0rc20 <=3.6.22)

prefect PYPI version =3.0.0rc20, =0.1.0, =0.1.0, =0.16.0, =0.6.1, =6.0.0, =1.0.1, =2.2.8, =2.25.0, =1.1.0, =1.3.0b5, =0.0.2, =0.1.11, =1.1.0, =2.3.0rc19 - mcp-prefect =0.1.0 and more Source cves: CVE-2026-7725 Source advisory: SNYK:PYTHON-PREFECT-16406537...

ai-24sea (>=0.1.0 <=1.1.1), ai-documentation-writer (>=0.1.0 <=0.1.1) +31 more potentially affected by CVE-2026-7724 via prefect (>=3.0.0rc20 <=3.6.22)

prefect PYPI version =3.0.0rc20, =0.1.0, =0.1.0, =0.16.0, =0.6.1, =6.0.0, =1.0.1, =2.2.8, =2.25.0, =1.1.0, =1.3.0b5, =0.0.2, =0.1.11, =1.1.0, =2.3.0rc19 - mcp-prefect =0.1.0 and more Source cves: CVE-2026-7724 Source advisory: SNYK:PYTHON-PREFECT-16383760...

abm-colony-collection (>=0.1.0 <=0.5.0), abm-initialization-collection (>=0.1.0 <=0.7.0) +108 more potentially affected by CVE-2026-7724 via prefect (>=0.9.2 <=3.6.22)

prefect PYPI version =0.9.2, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.16.0, =0.0.126, =0.1.0, =1.0.4, =3.4.0, =0.4.0b0, =0.1.11, =0.1.0, =0.5.0 and more Source cves: CVE-2026-7724 Source advisory: OSV:GHSA-P3PQ-HXMR-VQQR...