CVE-2026-6859

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

CVE-2026-6859

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

CVE-2026-6859

CVE-2026-6859 is a Red Hat advisory about a flaw in InstructLab where linux_train.py hardcodes trust_remote_code=True when loading models from HuggingFace. This enables arbitrary Python code execution if a user runs ilab train/download/generate with a malicious HuggingFace model, potentially lead...

Embedded Malicious Code

Overview xinference is a powerful and versatile library designed to serve language, speech recognition, and multimodal models. With Xorbits Inference, you can effortlessly deploy and serve your or state-of-the-art built-in models using just a single command. Whether you are a researcher, develope...

RUSTSEC-2026-0107 `mysten-metrics` was removed from crates.io for malicious code

mysten-metrics included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

`mysten-metrics` was removed from crates.io for malicious code

mysten-metrics included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

SUSE-SU-2026:21374-1 Security update for erlang

This update for erlang fixes the following issues: Security issues fixed: - CVE-2026-21620: improper isolation and compartmentalization can lead to TFTP relative path traversal and remote arbitrary reads/writes bsc1258663. - CVE-2026-23941: improper handling of duplicate Content-Length headers in...

OPENSUSE-SU-2026:20607-1 Security update for erlang

This update for erlang fixes the following issues: Security issues fixed: - CVE-2026-21620: improper isolation and compartmentalization can lead to TFTP relative path traversal and remote arbitrary reads/writes bsc1258663. - CVE-2026-23941: improper handling of duplicate Content-Length headers in...

CVE-2026-1395

The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's blockid attribute in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping combined with a custom unescaping routine that reintroduce...

EUVD-2026-24702

The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

EUVD-2026-24686

The Bread & Butter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'breadbutter-customevent-button' shortcode in all versions up to, and including, 8.2.0.25. This is due to insufficient input sanitization and output escaping on the 'event' shortcode attribute. The...

EUVD-2026-24656

The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rdicsettingspage function when processing settings form submissions. This makes it possible for unauthenticated attackers...

EUVD-2026-24644

The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Th...

EUVD-2026-24648

The ER Swiffy Insert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the swiffy shortcode in all versions up to and including 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes 'n', 'w', 'h'. These attributes are...

EUVD-2026-24635

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

CVE-2026-6041

The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' buzzcommentsavatarimage setting in all versions up to, and including, 0.9.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

CVE-2026-4142

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via...

CVE-2026-5820

The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via innerText and inserting it into the page using innerHTML...

CVE-2026-4089

The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttttwitteetweeter...

CVE-2026-4090

The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rdicsettingspage function when processing settings form submissions. This makes it possible for unauthenticated attackers...