ai.agentican:agentican-quarkus-otel (>=0.1.0-alpha.1 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-otel-store-jpa (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +10709 more potentially affected by CVE-2026-45292 via io.opentelemetry:opentelemetry-api (>=0.2.0 <=1.61.0)

io.opentelemetry:opentelemetry-api MAVEN version =0.2.0, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.3, =0.21.0-alpha.2, =0.1.1, =0.1.1, =0.1.1, =0.0.1, =3.10.0.5, =1.0.0, =1.0.0, =0.3.0, =1.0.0, =1.0.0-beta, =1.0.0-beta-preview7 and more Source cves: CVE-2026-45292 Source...

MAL-2026-2508 Malicious code in @fairwords/websocket (npm)

The @fairwords/websocket package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+ environment variabl...

CVE-2026-32306

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .appe...

PT-2026-25085

Summary The telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append method documented as "trusted SQL". There is no allowlist, no parameterized...

CVE-2024-32890

librespeed/speedtest is an open source, self-hosted speed test for HTML5. In affected versions missing neutralization of the ISP information in a speedtest result leads to stored Cross-site scripting in the JSON API. The processedString field in the ispinfo parameter is missing neutralization. It...

CVE-2024-32890 Stored Cross-site Scripting in results JSON API in librespeed/speedtest

librespeed/speedtest is an open source, self-hosted speed test for HTML5. In affected versions missing neutralization of the ISP information in a speedtest result leads to stored Cross-site scripting in the JSON API. The processedString field in the ispinfo parameter is missing neutralization. It...

CVE-2024-32890 Stored Cross-site Scripting in results JSON API in librespeed/speedtest

librespeed/speedtest is an open source, self-hosted speed test for HTML5. In affected versions missing neutralization of the ISP information in a speedtest result leads to stored Cross-site scripting in the JSON API. The processedString field in the ispinfo parameter is missing neutralization. It...

PT-2024-24943 · Unknown · Librespeed Speedtest

Name of the Vulnerable Software and Affected Versions: librespeed/speedtest versions 5.2.5 through 5.3.0 Description: The issue arises from missing neutralization of the ISP information in a speedtest result, leading to stored Cross-site scripting in the JSON API. The processedString field in the...