119 matches found
CVE-2026-50136
Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require...
python3.9 security update
3.9.25-7.0.1 - Remove upstream URL reference 3.9.25-7 - Security fixes for CVE-2026-4786 and CVE-2026-6100 Resolves: RHEL-167919, RHEL-168161 3.9.25-6 - Security fix for CVE-2026-4519 Resolves: RHEL-158117 3.9.25-5 - Rebuilding previous fixes for different build target Related: RHEL-143117,...
MAL-2026-5354 Malicious code in defi-tools-39 (npm)
Crypto/SSH/wallet stealer, blockchain-helper-0 campaign sibling c960+, byte-identical to swap-sdk-87. postinstall auto-execs, src/index.js harvests /.ssh keys + Sol/Eth/BTC/Tron/Sui/Aptos wallets + .env + seeds, self-labels "CRYPTO STEALER", exfils to SAME Telegram bot 8227918239 chat 6433587894...
MINI-GFX8-XPFW-RC39
Bulletin has no description...
MINI-526Q-5PHR-8X39
Bulletin has no description...
MINI-GJ5M-278V-39HP
Bulletin has no description...
CVE-2026-48151
Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the bo...
CVE-2026-48153
Budibase: CVE-2026-48153 affects Budibase before 3.39.0. The OAuth2 SDK’s fetchToken makes a POST to a builder-supplied URL using plain node-fetch and bypasses the isBlacklisted outbound-fetch path check, and the OAuth2 URL Joi schema has no scheme/host restrictions. This enables SSRF to reach in...
CVE-2026-40610
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento...
CVE-2026-43992
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool sendtokens, executecontract, instantiatecontract, uploadwasm, ibctransfer, etc. accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was consequently embedded in th...
EUVD-2026-29541
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool sendtokens, executecontract, instantiatecontract, uploadwasm, ibctransfer, etc. accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was consequently embedded in th...
GHSA-QCCP-GFCP-XXVC vulnerabilities
Vulnerabilities for packages: azureml-inference-server-http, authentik-fips, datahub-ingestion-fips, spamcheck, datahub-ingestion, ansible-operator, azure-functions-host, dbt-snowflake, gitlab-cng-fips, localstack, mlflow, py3-cassandra-medusa, datadog-agent, py3-pip, airflow-core, label-studio,...
SUSE: Security Advisory (SUSE-SU-2026:1296-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
CVE-2025-69893
A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant...
CVE-2025-69893
A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant...
PT-2026-32627
A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant...
CVE-2025-69893
CVE-2025-69893 describes a side-channel vulnerability in BIP-39 mnemonic processing observed in Trezor hardware wallets (One v1.13.0–v1.14.0, T v1.13.0–v1.14.0, Safe v1.13.0–v1.14.0). The root cause is non-constant time execution and specific branch patterns during word search dictated by the BIP...
Security update for python39
This update for python39 fixes the following issues: CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to misinterpretation of tar archives bsc1259611. CVE-2026-3644: incomplete control character validation in http.cookies can lead to input...
EUVD-2026-19728
Emissary has GitHub Actions Shell Injection via Workflow Inputs...
CVE-2026-35581
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing she...