211 matches found
CVE-2026-5674
A flaw was found in PipeWire, a multimedia server. This vulnerability allows an attacker to escape sandboxed applications, such as Flatpak, by exploiting PipeWire's PulseAudio compatibility layer. An attacker with minimal permissions within a sandboxed environment can load a malicious library,...
BIT-ENVOY-2026-48706 Envoy Heap Buffer Overflow in TcpStatsdSink
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink TcpStatsdSink, where the thread-local flusher buffer can be overflowed by exceptionally long statistic...
CVE-2026-55223 c3p0 exposes a deserialization "sink" via JDBC DataSource bean properties
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection and ConnectionPoolDataSource.getPooledConnection match the getXXX form, so JavaBean...
CVE-2026-55223 c3p0 exposes a deserialization "sink" via JDBC DataSource bean properties
c3p0 is a JDBC Connection pooling library. In versions prior to 0.14.0, c3p0 in combination with other libraries, can compose to a "sink" for deserialization gadgets. The JDBC spec's DataSource.getConnection and ConnectionPoolDataSource.getPooledConnection match the getXXX form, so JavaBean...
CVE-2026-48706
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink TcpStatsdSink, where the thread-local flusher buffer can be overflowed by exceptionally long statistic...
EUVD-2026-39825
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink TcpStatsdSink, where the thread-local flusher buffer can be overflowed by exceptionally long statistic...
CVE-2026-48706 Envoy Heap Buffer Overflow in TcpStatsdSink
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink TcpStatsdSink, where the thread-local flusher buffer can be overflowed by exceptionally long statistic...
CVE-2026-48706
CVE-2026-48706 affects Envoy TCP StatsD sink (TcpStatsdSink). A heap write overflow can occur when processing extremely long statistic names (>16 KiB) due to mismanagement of 16 KiB flush slices during buffer rotation, potentially causing process crash or remote code execution. Affected versio...
PT-2026-52891
Name of the Vulnerable Software and Affected Versions Envoy versions 1.34.0 through 1.35.12 Envoy versions 1.36.0 through 1.36.8 Envoy versions 1.37.0 through 1.37.4 Envoy versions 1.38.0 through 1.38.2 Description A heap write overflow exists in the TCP StatsD sink TcpStatsdSink when processing...
GHSA-WC3F-XC32-435F AVideo has an incomplete fix of CVE-2026-33482: sanitizeFFmpegCommand still allows a single '&' (background operator), giving OS command execution at the same execAsync sh -c sink
Summary The fix for CVE-2026-33482 GHSA-pmj8-r2j7-xg6c is incomplete. That advisory reported that sanitizeFFmpegCommand plugin/API/standAlone/functions.php failed to strip $... command substitution, allowing OS command injection at the execAsync sh -c sink. The fix commit 25c8ab90 added $, , , , ...
CVE-2026-12046
Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/ and POST /sqleditor/initialize/sqleditor/updateconnection/// -- were the only routes in the module missing the @pgaloginrequired decorator. Both reach a pickle.loads sink on session'gridData''commandobj':...
CVE-2026-12046
Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/ and POST /sqleditor/initialize/sqleditor/updateconnection/// -- were the only routes in the module missing the @pgaloginrequired decorator. Both reach a pickle.loads sink on session'gridData''commandobj':...
CVE-2026-54419
PIAF-HMS (PBX-In-A-Flash Hotel Management System) contains multiple unauthenticated SQL injection vulnerabilities. The app has no authentication and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or param...
CVE-2026-45564
CVE-2026-45564 affects Roxy-WI web interface for managing HAProxy/Nginx/Apache/Keepalived. In versions up to and including 8.2.6.4, POST /config/versions////save interpolates the URL-path parameter directly into a config-version path that resolves to a shell command: os.system("dos2unix -q {cfg}...
PT-2026-48600
Name of the Vulnerable Software and Affected Versions PDM versions prior to 2.28.0-1.1 Description PDM writes project-local state and configuration files without symlink protection, allowing a malicious repository to use symlinks to overwrite files outside the repository root. This creates an...
Malicious code in @klapp-sca/routes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 495f510483f297a56d545e8555db20eb54569f904bfd71853e54a18d89812cb0 package.json declares "preinstall": "node index.js || true", so on every npm install the bundled index.js runs automatically and collects os.hostname...
MAL-2026-5417 Malicious code in @klapp-sca/routes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 495f510483f297a56d545e8555db20eb54569f904bfd71853e54a18d89812cb0 package.json declares "preinstall": "node index.js || true", so on every npm install the bundled index.js runs automatically and collects os.hostname...
MAL-2026-5391 Malicious code in @0xlr/vercel-analytics (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fda046018b2c121cb96e157cadce6d8aee695beb7086008140da0a9c6eebc938 On npm install, postinstall.js enumerates every process.env variable including credentials such as AWS, NPMTOKEN, GITHUBTOKEN and other CI tokens and...
PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution
Summary The first-party PraisonAI A2A server example combines three behaviors into a remotely exploitable Critical chain: 1. The example exposes an A2A server without configuring authtoken. 2. The same example binds the server to 0.0.0.0. 3. The example registers a calculateexpression tool...
PT-2026-45044
Summary When debug logging is enabled, Session::setCookie logs full cookie values and Session::start logs the current session ID. In a real Admidio deployment this includes both the active session cookie and the persistent auto-login cookie. Anyone with access to the log sink can recover live...