CVE-2026-39842 OpenRemote is Vulnerable to Expression Injection

OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the server. The JavaScript rules engine executes user-supplied scripts via Nashorn's ScriptEngine.eval...

Mozilla Firefox < 1.5.0.4

The version of Firefox installed on the remote Windows host is prior to 1.5.0.4. It is, therefore, affected by a vulnerability as referenced in the mfsa2006-31 advisory. - EvalInSandbox in Mozilla Firefox and Thunderbird before 1.5.0.4 allows remote attackers to gain privileges via javascript tha...

Security Bulletin: Vulnerability in Jinja2 affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-56326, CVE-2024-56201]

Summary The Jinja2 package is used by IBM Cloud Pak for Data System 2.0 . IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs CVE-2024-56326, CVE-2024-56201 Vulnerability Details CVEID:CVE-2024-56326 DESCRIPTION: Jinja is an extensible templating engine. Prior to 3.1.5, An oversig...

CVE-2025-66479

Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a network sandbox if the...

PT-2025-49149

Name of the Vulnerable Software and Affected Versions Anthropic Sandbox Runtime versions prior to 0.0.16 Description Anthropic Sandbox Runtime is a sandboxing tool designed to enforce filesystem and network restrictions on processes. Prior to version 0.0.16, a flaw in the sandboxing logic allowed...

GHSA-W5FX-FH39-J5RW Codex has sandbox bypass due to bug in path configuration logic

Due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox’s writable root, including paths outside of the folder where the user started their session. This logic bypassed the intended workspace boundary and enables arbitrary file writes and comman...

Designing sockfuzzer, a network syscall fuzzer for XNU

Posted by Ned Williamson, Project Zero Introduction When I started my 20% project – an initiative where employees are allocated twenty-percent of their paid work time to pursue personal projects – with Project Zero, I wanted to see if I could apply the techniques I had learned fuzzing Chrome to...

UBUNTU-CVE-2019-5756

Inappropriate memory management when caching in PDFium in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file...

Fedora 28 : flatpak (2018-4d68cf2b1c)

flatpak 1.0.6 release. This release fixes an issue that lets system-wide installed applications create setuid root files inside their app dir somewhere in /var/lib/flatpak/app. Setuid support is disabled inside flatpaks, so such files are only a risk if the user runs them manually outside flatpak...

Fedora 29 : flatpak (2018-009a65a873)

flatpak 1.0.5 release. There was a sandbox bug in the previous version where parts of the runtime /etc was not mounted read-only. In case the runtime was installed as the user not the default this means that the app could modify files on the runtime. Nothing in the host uses the runtime files, so...