CVE-2026-42088 OpenC3 COSMOS: Administrative Actions via the Script Runner Tool

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Python and Ruby scripts directly from the openc3-COSMOS-script-runner-api container. Because all the...

EUVD-2026-27063

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability exists in the Time-Series Database TSDB component of COSMOS. The tsdblookup function in the...

CVE-2026-42087

OpenC3 COSMOS TSDB is affected by a SQL injection in the tsdb_lookup function of cvt_model.rb, where user-supplied input is directly placed into a SQL query. Affected versions are 6.7.0 through 7.0.0-rc2 (before the patched 7.0.0-rc3). This allows an attacker to break out of the initial SQL state...

EUVD-2026-22714

Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting XSS vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing JavaScript via the...

PT-2026-32915

Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs...

CVE-2026-32893

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting XSS vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $GET parameters v...

CVE-2026-32893

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting XSS vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. The pagination code merges all $GET parameters v...

PT-2026-32024

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5time + user id 5 - rand10000, 10000. The rand10000, 10000 call always returns exactly 10000 min == max, making the formula effectively md5timestamp + user id5 - 10000. An attacker wh...

CVE-2026-1839 Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers

A vulnerability in the HuggingFace Transformers library, specifically in the Trainer class, allows for arbitrary code execution. The loadrngstate method in src/transformers/trainer.py at line 3059 calls torch.load without the weightsonly=True parameter. This issue affects all versions of the...

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-001562)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001562 advisory. A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific...

PT-2025-52983

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.4.0-rc3 Description A use-after-free issue exists in the Linux kernel related to the handling of OPP Operational Power Policy tables after probe deferral. Specifically, when dev pm opp of find icc paths in...

PT-2025-53030

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.0.0-rc3 for upstream debug 2022 08 30 13 10 Description The Linux kernel contains a flaw in the mlx5 module related to asynchronous command handling. Specifically, a race condition in mlx5 cmd cleanup async ctx...

EUVD-2018-8230

Malware in sbrugna...

CVE-2025-58450 pREST has Systemic SQL Injection Vulnerability

pREST PostgreSQL REST, is an API that delivers an application on top of a Postgres database. SQL injection is possible in versions prior to 2.0.0-rc3. The validation present in versions prior to 2.0.0-rc3 does not provide adequate protection from injection attempts. Version 2.0.0-rc3 contains a...

CVE-2025-58450 pREST has Systemic SQL Injection Vulnerability

pREST PostgreSQL REST, is an API that delivers an application on top of a Postgres database. SQL injection is possible in versions prior to 2.0.0-rc3. The validation present in versions prior to 2.0.0-rc3 does not provide adequate protection from injection attempts. Version 2.0.0-rc3 contains a...

PT-2024-37055

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.12.0-rc3 Description A potential deadlock issue has been identified in the Linux kernel's f2fs subsystem. The issue arises from a possible circular locking dependency detected in the f2fs record stop reason...

SUSE CVE-2019-19481

An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0.20.0-rc3. libopensc/card-cac1.c mishandles buffer limits for CAC certificates...

DEBIAN-CVE-2021-3679

A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users with CAPSYSADMIN capability could use this flaw to starve the resources causing denial of service...

DEBIAN-CVE-2018-16384

A SQL injection bypass aka PL1 bypass exists in OWASP ModSecurity Core Rule Set owasp-modsecurity-crs through v3.1.0-rc3 via ab where a is a special function name such as "if" and b is the SQL statement to be executed...

PT-2011-2011 · Best Practical Solutions · Rt

Name of the Vulnerable Software and Affected Versions: Best Practical Solutions RT versions 3.x through 3.8.9rc1 Best Practical Solutions RT versions 4.x through 4.0.0rc3 Description: The issue makes it easier for attackers to determine cleartext passwords via a brute-force attack on the database...