SUSE CVE-2026-49128

Music Player Daemon MPD before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk path is constructed by joining the storage root with a user-supplied URI as plain strings without...

PT-2026-45095

Name of the Vulnerable Software and Affected Versions Linux Kernel affected versions not specified Description A Use-After-Free UAF issue exists in the eventpoll component. The ep remove function via ep remove file clears file-f ep under file-f lock but continues to use the file variable within t...

MGB OpenSource Guestbook SQL注入漏洞

MGB OpenSource Guestbook is an open-source web-based message board system developed by MGB OpenSource. Version 0.7.0.2 of MGB OpenSource Guestbook has a SQL injection vulnerability. This vulnerability arises from injecting malicious code through the id parameter, which may allow unauthenticated...

Chromium: CVE-2026-10017 Out of bounds read in Headless

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Chromium: CVE-2026-9996 Out of bounds read in WebRTC

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Chromium: CVE-2026-9975 Out of bounds read and write in ANGLE

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Chromium: CVE-2026-9928 Out of bounds read in ANGLE

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Chromium: CVE-2026-9908 Out of bounds read in ANGLE

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Chromium: CVE-2026-9907 Out of bounds read in Dawn

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

Chromium: CVE-2026-9895 Out of bounds read in GPU

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate

Summary The fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in mcpserver/adapters/clitools.py: "registers four file-handling tools by default, praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and...

GHSA-FP6W-8WPG-74G5 stigmem-node: Auth-disabled deployments may grant broad anonymous access outside loopback

Impact Stigmem nodes configured with authentication disabled could grant the anonymous identity broad read/write/federation capabilities if exposed outside a loopback-only local development environment. Impacted users are operators who intentionally disabled authentication while binding the node ...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the Decoding process of BMP files containing a palette with out-of-range indices. An attacker can cause a panic and potentially disrupt application availability by supplying a crafted BMP file with invalid palette...

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read in the Decoding process of BMP files containing a palette with out-of-range indices. An attacker can cause a panic and potentially disrupt application availability by supplying a crafted BMP file with invalid palette...

CVE-2026-4387

StrongDM Desktop Application before 23.74.0 Desktop Client before 53.77.0 on Microsoft Windows stores authentication state, including a JSON Web Token and asymmetric key material, in cleartext in a per-user state file located at C:\Users\.sdm\state.kv. The file is protected only by default...

CVE-2026-47744

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, two distinct authorization defects in the team settings allowed any authenticated panel user to take over the RBAC system. Settings/Team/Index had no mount authorization. Any authenticated user could load the page and use its public...

CVE-2026-47740

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark...

GHSA-6M57-8R3P-PQX6 unbounded-spsc: Sender::send pointer-as-value transmute causes OOB read and fake-Arc drop under TX/RX race

Summary Sender::send in src/lib.rs contains an unsafe block in the DISCONNECTED arm that transmutes a raw pointer mut Producer into the bytes of a value-level Consumer. The author's intent, visible in the surrounding comment at lines 386-390, was a value transmute. The shipped code is one level o...

Incomplete List of Disallowed Inputs

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the NodeVM builtin allowlist in lib/builtin.js. An attacker can read host-process state by...

CVE-2026-47179

Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because...