
5879 matches found

Tenable Nessus
added 2026/04/17 12:00 a.m.

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007430)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007430 advisory. In the Linux kernel, the following vulnerability has been resolved: fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats. lock_task_sighand() can...

CVSS 5.5 | AI score 6.4 | EPSS 0.0001
Exploits 0 | References 3
Tenable Nessus
added 2026/04/17 12:00 a.m.

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007363)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007363 advisory. In the Linux kernel, the following vulnerability has been resolved: parisc: led: Fix potential null-ptr-deref in start_task(). start_task() calls create_singlethread_workqueu...

CVSS 5.5 | AI score 5.8 | EPSS 0.00016
Exploits 0 | References 4
SUSE CVE
added 2026/04/16 11:28 p.m.

SUSE CVE-2026-33212

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so...

CVSS 3.1 | AI score 5.7 | EPSS 0.00011
Exploits 0 | References 3
Snyk
added 2026/04/16 8:41 p.m.

Authorization Bypass Through User-Controlled Key

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the API for pending tasks due to missing verification of user access. An attacker can...

CVSS 4.9 | AI score 5.7 | EPSS 0.00011
Exploits 0 | References 2
Github Security Blog
added 2026/04/16 8:41 p.m.

Weblate: Improper access control for pending tasks in API

Impact: The API for tasks didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. Patches: https://github.com/WeblateOrg/weblate/pull/18515 Workarounds: The attacker needs to guess the random UUID of the task, so...

CVSS 3.1 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 5 | Affected Software 1
EUVD
added 2026/04/16 8:41 p.m.

EUVD-2026-22997

Weblate: Improper access control for pending tasks in API...

CVSS 3.1 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 4
RedhatCVE
added 2026/04/16 7:22 p.m.

CVE-2026-30625

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

CVSS 9.8 | AI score 6.6 | EPSS 0.00343
Exploits 0 | References 1
EUVD
added 2026/04/16 3:31 p.m.

EUVD-2026-23233

JWT tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to an Airflow version that contains the fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue...

AI score 5.8 | EPSS 0.0005
Exploits 0 | References 5
NVD
added 2026/04/16 2:16 p.m.

CVE-2026-31987

JWT tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to an Airflow version that contains the fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue...

CVSS 7.5 | EPSS 0.0005
Exploits 0 | References 5
Oracle Linux
added 2026/04/16 12:00 a.m.

python3 security update

3.6.8-21.0.9 - Security update CVE-2025-15366, CVE-2025-15367, CVE-2026-1299 Orabug: 39159999; 3.6.8-21.0.7 - Security update CVE-2025-12084 Orabug: 38971895; 3.6.8-21.0.5 - tarfile now validates archives to ensure member offsets are non-negative Orabug: 38442771 CVE-2025-8194; 3.6.8-21.0.3 - Fix DoS...

CVSS 6 | AI score 5.7 | EPSS 0.03014
Exploits 2
OSV
added 2026/04/15 6:37 p.m.

MAL-2026-2884 Malicious code in forge-jsx (npm)

forge-jsx is a malicious npm package that impersonates an Autodesk Forge SDK. It was published as a fully-formed RAT from its first version on April 7, 2026. Installing the package on any non-CI machine deploys a persistent background agent that captures all keystrokes, monitors clipboard content...

AI score 5.9
Exploits 0 | References 2
OSV
added 2026/04/15 6:31 p.m.

GHSA-CW73-5F7H-M4GV Upsonic: remote code execution vulnerability in its MCP server/task creation functionality

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

CVSS 9.8 | AI score 6.6 | EPSS 0.00343
Exploits 0 | References 4
Github Security Blog
added 2026/04/15 6:31 p.m.

Upsonic: remote code execution vulnerability in its MCP server/task creation functionality

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

CVSS 9.8 | AI score 6.6 | EPSS 0.00343
Exploits 0 | References 4 | Affected Software 1
NVD
added 2026/04/15 6:17 p.m.

CVE-2026-33212

Weblate is a web based localization tool. In versions prior to 5.17, the tasks API didn't verify user access for pending tasks. This could expose logs of in-progress operations to users who don't have access to given scope. The attacker needs to brute-force the random UUID of the task, so...

CVSS 3.1 | EPSS 0.00011
Exploits 0 | References 2
CVE
added 2026/04/15 5:48 p.m.

CVE-2026-33212

CVE-2026-33212 affects Weblate (web-based localization tool). The vulnerability lies in the tasks API where, in versions prior to 5.17, access control for pending tasks was not enforced, potentially exposing in-progress task logs to users without the proper scope. The attack requires brute-forcin...

CVSS 3.1 | AI score 5.8 | EPSS 0.00011
Exploits 0 | References 2 | Affected Software 1
NVD
added 2026/04/15 4:16 p.m.

CVE-2026-30625

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

CVSS 9.8 | EPSS 0.00343
Exploits 0 | References 2
CNNVD
added 2026/04/15 12:00 a.m.

Upsonic Security Vulnerability

Upsonic is an open-source AI proxy framework developed by Upsonic. Version 0.71.6 of Upsonic contains a security vulnerability. This vulnerability stems from defects in the MCP server or the task creation functionality, which may lead to remote code execution...

CVSS 9.8 | AI score 6.3 | EPSS 0.00343
Exploits 0 | References 2
Joomla! Vulnerable Extensions List
added 2026/04/15 12:00 a.m.

[20260513] - Core - Privilege escalation through com_users batch task

An improper access check allows privilege escalation through the com_users batch task...

CVSS 9.8 | AI score 5.8 | EPSS 0.00002
Exploits 0 | Affected Software 1
Positive Technologies
added 2026/04/15 12:00 a.m.

PT-2026-33073

Name of the Vulnerable Software and Affected Versions: Upsonic versions prior to 0.72.0. Description: An issue exists in the MCP server/task creation functionality where users can define MCP tasks with arbitrary command and args values. While an allowlist is in place, certain permitted commands such...

CVSS 9.8 | AI score 6.6 | EPSS 0.00343
Exploits 0 | References 11
Vulnrichment
added 2026/04/15 12:00 a.m.

CVE-2026-30625

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands npm, npx accept argument flags that enable...

AI score 6.6 | EPSS 0.00343
Exploits 0 | References 2