10 matches found

Positive Technologies
added 2026/04/24 12:0 a.m. | 1 view

PT-2026-34844

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's alt text into an HTML alt="..."...

CVSS 5.4 | AI score 5.7 | EPSS 0.00039
Exploits 1 | References 4

EUVD
added 2026/03/02 4:19 p.m. | 3 views

EUVD-2026-9212

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3...

CVSS 5.3 | AI score 5.8 | EPSS 0.00014
Exploits 0 | References 2

Github Security Blog
added 2026/01/13 7:2 p.m. | 11 views

ComfyUI-Manager is Vulnerable to CRLF Injection in Configuration Handler

Impact: Vulnerability Type: CRLF Injection via ConfigParser. An attacker can inject special characters into HTTP query parameters to add arbitrary configuration values to the config.ini file. This can lead to security setting tampering or modification of application behavior. Affected Users: Users...

CVSS 7.5 | AI score 7.2 | EPSS 0.00017
Exploits 0 | References 5 | Affected Software 1

OSV
added 2025/10/29 3:34 p.m. | 2 views

GHSA-2R4H-8JXV-W2J8 CKAN vulnerable to stored XSS in resource description

Impact: The helpers.markdownextract function did not perform sufficient sanitization of input data before wrapping in an HTML literal element. This helper is used to render user-provided data on dataset, resource, organization or group pages plus any page provided by an extension that used that...

CVSS 6.3 | AI score 6.3 | EPSS 0.00029
Exploits 0 | References 7

EUVD
added 2025/10/03 8:7 p.m. | 1 view

EUVD-2025-0053

Malicious code in bioql PyPI...

CVSS 8.3 | AI score 6.3 | EPSS 0.01392
Exploits 1 | References 7

OSV
added 2025/04/15 2:32 p.m. | 1 view

CLSA-2025-1744727573 Fix CVE(s): CVE-2024-5594

SECURITY UPDATE: Improper PUSHREPLY sanitization allows attackers to inject arbitrary data into third-party executables - debian/patches/CVE-2024-5594.patch: Properly handle null bytes and invalid characters in control - CVE-2024-5594...

CVSS 9.1 | AI score 7.4 | EPSS 0.00519
Exploits 0 | References 1

OSV
added 2025/03/05 11:11 p.m. | 2 views

CLSA-2025-1741216285 Fix CVE(s): CVE-2024-47175

SECURITY UPDATE: PPD injection issues - debian/patches/CVE-2024-47175.patch: sanitize make and model, PPDize preset and template names in cups/ppd-cache.c - CVE-2024-47175...

CVSS 9.8 | AI score 7.1 | EPSS 0.36802
Exploits 14 | References 1

NVD
added 2025/01/09 6:15 p.m. | 29 views

CVE-2025-21628

Chatwoot is a customer engagement suite. Prior to 3.16.0, conversation and contact filters endpoints did not sanitize the input of queryoperator passed from the frontend or the API. This provided any actor who is authenticated, an attack vector to run arbitrary SQL within the filter query by addi...

CVSS 9.1 | EPSS 0.00672
Exploits 0 | References 2

OSV
added 2024/03/13 4:15 p.m. | 1 view

CVE-2024-1691

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file upload form, which allows SVG uploads, in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping...

CVSS 6.1 | AI score 6.9
Exploits 0 | References 2

OSV
added 2020/09/11 5:15 p.m. | 0 views

CVE-2020-1205

A spoofing vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The...

CVSS 4.6 | AI score 6.4 | EPSS 0.01223
Exploits 1 | References 1