CVE-2026-4515 Foundation Agents MetaGPT operator.py code_generate code injection

A vulnerability has been found in Foundation Agents MetaGPT up to 0.8.1. This affects the function codegenerate of the file metagpt/ext/aflow/scripts/operator.py. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public...

CVE-2026-32044

OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing...

PT-2026-26897

CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload process to trigger an...

CVE-2026-33424 PM access granted through invites after access revocation

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an attacker can grant access to a private message topic through invites even after they lose access to that PM. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. No know...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released on NPM. They contain malicious code, and its content was NOT yet...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. The publishing pipeline of this package was compromised as the result of Trivy's GitHub Actions compromise and a malicious versions were released on NPM. They contain malicious code, and its content was NOT yet...

CVE-2026-33147 GMT: Stack-based Buffer Overflow in gmt_remote_dataset_id

GMT is an open source collection of command-line tools for manipulating geographic and Cartesian data sets. In versions from 6.6.0 and prior, a stack-based buffer overflow vulnerability was identified in the gmtremotedatasetid function within src/gmtremote.c. This issue occurs when a specially...

CVE-2026-4500

Summary: CVE-2026-4500 affects bagofwords1 bagofwords (up to 0.0.297). The vulnerability targets the function generate_df in backend/app/ai/code_execution/code_execution.py, enabling injection via manipulation of inputs. The attack could be launched remotely and an exploit is publicly available. ...

CVE-2026-32318

Cryptomator for IOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Befo...

EUVD-2026-13758

A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been release...

axondeepseg (>=5.0.2 <=5.5.0rc2), bids-manager (>=0.1.0 <=1.0.0) +22 more potentially affected by CVE-2026-32711 via pydicom (>=3.0.0rc1 <=3.0.1)

pydicom PYPI version =3.0.0rc1, =5.0.2, =0.1.0, =1.0.0, =0.1.0, =0.1.8, =0.0.8, =0.0.12 and more Source cves: CVE-2026-32711 Source advisory: SNYK:PYTHON-PYDICOM-15756938...

Improper Access Control.

code.gitea.io/gitea is vulnerable to improper access control. The vulnerability is due to inadequate enforcement of branch deletion permissions after merging a pull request, which allows an attacker to delete branches without proper authorization...

CVE-2026-33125

Frigate (NVR for IP cameras) has a broken access control vulnerability: in versions ≤0.16.2, users with the viewer role can delete admin and other low-privileged accounts via the API, potentially causing denial of service and compromising data integrity. The issue is addressed in version 0.16.3. ...

CVE-2026-33125 Frigate Broken Access Control: Users assigned the viewer role can delete admin and other low-privileged accounts

Frigate is a network video recorder NVR with realtime local object detection for IP cameras. In versions 0.16.2 and below, users with the viewer role can delete admin and low-privileged user accounts. Exploitation can lead to DoS and affect data integrity. This issue has been patched in version...

Malicious code in decode-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 44106748430b9007ab9f143fb8ba25fdd44592016d53029e790975d65bbe5825 The package decode-sdk was found to contain malicious code. Source: ghsa-malware 2a2fc9cdfc8d668581e87f6da2c920cf8a1748aa191910ac5db053a46cbc2282 Any...

MAL-2026-1940 Malicious code in @validates-sdk/v3 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14f6dc99183ad11d3293d19966af14cd33cf7ed4ad00f3de9d6f07e5842a9234 The package @validates-sdk/v3 was found to contain malicious code. Source: ghsa-malware...

CVE-2026-32940

SiYuan Note's CVE-2026-32940 affects versions 3.6.0 and below where SanitizeSVG's blocklist is incomplete, allowing a click-through XSS via the unauthenticated /api/icon/getDynamicIcon endpoint. The endpoint echoes user-controlled input (content) directly into SVG markup using fmt.Sprintf with no...

GHSA-WGVC-GHV9-3PMM vulnerabilities

Vulnerabilities for packages: apache-beam-python-3.12-sdk...

[SECURITY] Fedora 43 Update: dotnet10.0-10.0.104-1.fc43

.NET is a fast, lightweight and modular platform for creating cross platform applications that work on Linux, macOS and Windows. It particularly focuses on creating console applications, web applications and micro-services. .NET contains a runtime conforming to .NET Standards a set of framework...

UBUNTU-CVE-2026-22735

Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events SSE. This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46...