PT-2026-45267

A weakness has been identified in NousResearch hermes-agent up to 2026.4.30. This affects the function scan memory content of the file tools/memory tool.py. This manipulation causes injection. The attack can be initiated remotely. The exploit has been made available to the public and could be use...

Lightweight Music Server (LMS) 3.76.0 (metadata) Stored XSS

Summary LMS Lightweight Music Server: A specific C++ based project focused on a low memory footprint, featuring built-in user management and a recommendation engine. Description LMS stores media file metadata tags such as GENRE, ARTIST, and ALBUM exactly as written in the file and later renders...

SUSE CVE-2026-45861

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in qdput Commit a475c5dd16e5 "gfs2: Free quota data objects synchronously" started freeing quota data objects during filesystem shutdown instead of putting them back onto the LRU list, but it failed ...

TrendAI Vision One Security Agent Time-Of-Check Time-Of-Use Local Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on affected installations of TrendAI Vision One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within th...

CVE-2026-45087 Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode dalfox server, the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options...

EUVD-2026-32615

Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, when dalfox is started in REST API server mode dalfox server, the server binds to 0.0.0.0:6664 by default and requires no API key unless the operator explicitly passes --api-key. Because model.Options...

CVE-2026-46017 mm: fix deferred split queue races during migration

In the Linux kernel, the following vulnerability has been resolved: mm: fix deferred split queue races during migration migratefoliomove records the deferred split queue state from src and replays it on dst. Replaying it after removemigrationptessrc, dst, 0 makes dst visible before it is requeued...

CVE-2026-45861

CVE-2026-45861 refers to a Linux kernel vulnerability in the GFS2 file system. The root cause is a slab-use-after-free: during filesystem shutdown, quota data objects were freed without being removed from the LRU list due to the change in the a475c5dd16e5 sequence. As a result, the shrinker (gfs2...

CVE-2026-45861 gfs2: Fix slab-use-after-free in qd_put

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix slab-use-after-free in qdput Commit a475c5dd16e5 "gfs2: Free quota data objects synchronously" started freeing quota data objects during filesystem shutdown instead of putting them back onto the LRU list, but it failed ...

Linux Distros Unpatched Vulnerability : CVE-2026-45999

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - erofs: fix unsigned underflow in zerofslz4handleoverlap Some crafted images can have illegal !partialdecoding && mllen out access reads past the decompressedpag...

RayVentory Scan Engine 安全漏洞

RayVentory Scan Engine is a network scanning engine developed by the German company RayVentory, designed for automatically discovering and collecting IT asset information. Version 12.6.4392.49 of the RayVentory Scan Engine contains a security vulnerability. This vulnerability stems from parameter...

CVE-2026-44444

Lumiverse before 0.9.7: the Spindle extension build pipeline runs bun install without --ignore-scripts prior to the static backend safety scan (assertSafeBackendBundle). A malicious extension containing a package.json with preinstall, postinstall, or prepare lifecycle scripts can achieve host‑lev...

CVE-2026-44444 Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

CVE-2026-44444 Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

PT-2026-43400

Name of the Vulnerable Software and Affected Versions Lumiverse versions prior to 0.9.7 Description The Spindle extension build pipeline executes bun install without the --ignore-scripts flag before performing the static backend safety scan via the assertSafeBackendBundle function. This allows a...

-authencesn-poc

authencesn-poc Mrowl made by c0redev https://unitdev.run...

Exploit for Deserialization of Untrusted Data in Facebook React

CVE-2025-55182 - React2shell A Python 2.7 exploit for CVE-2...

Exploit for CVE-2026-42945

NGINX Rift — CVE-2026-42945 Vulnerability Scanning and Verific...

CVE-2026-9366

A vulnerability was found in NousResearch hermes-agent 2026.4.23. The impacted element is the function scancontextcontent of the file agent/promptbuilder.py. The manipulation results in injection. The attack may be performed from remote. The exploit has been made public and could be used. The...

EUVD-2026-31580

A vulnerability was found in NousResearch hermes-agent 2026.4.23. The impacted element is the function scancontextcontent of the file agent/promptbuilder.py. The manipulation results in injection. The attack may be performed from remote. The exploit has been made public and could be used. The...