134 matches found
PT-2026-43388
A flaw has been found in itsourcecode Student Transcript Processing System 1.0. This vulnerability affects unknown code of the file /admin/modules/student/trans.php. Executing a manipulation of the argument studentId/cid can lead to sql injection. The attack can be launched remotely. The exploit...
itsourcecode Student Transcript Processing System SQL注入漏洞
itsourcecode Student Transcript Processing System is an open-source student transcript processing system developed by itsourcecode. Version 1.0 of the itsourcecode Student Transcript Processing System has a SQL injection vulnerability. This vulnerability arises from improper handling of the...
PT-2026-43389
A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0. This issue affects some unknown processing of the file /admin/modules/class/index.php?view=view. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit h...
MAL-2026-4423 Malicious code in @refactco/refact-os (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 072881a1fd9241acfcd601ad5387b0338a26ff4828763658c3840b43a3cedb1c Running this package's refact-os init CLI scaffolds AI-editor hook configurations .claude/settings.json, .cursor/hooks.json and copies two Python hoo...
Malicious code in @refactco/refact-os (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 072881a1fd9241acfcd601ad5387b0338a26ff4828763658c3840b43a3cedb1c Running this package's refact-os init CLI scaffolds AI-editor hook configurations .claude/settings.json, .cursor/hooks.json and copies two Python hoo...
GHSA-VJ64-RJF3-W3V7 Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
Impact - Key: challenger/src/multifieldchallenger.rs | MultiField32Challenger::duplexing | transcriptmalleability - Affected files: challenger/src/multifieldchallenger.rs, field/src/helpers.rs - Violated invariant: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed fiel...
Plonky3 MultiField32Challenger: transcript malleability and challenge entropy loss
Impact - Key: challenger/src/multifieldchallenger.rs | MultiField32Challenger::duplexing | transcriptmalleability - Affected files: challenger/src/multifieldchallenger.rs, field/src/helpers.rs - Violated invariant: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed fiel...
PT-2026-42695
Impact - Key: challenger/src/multi field challenger.rs | MultiField32Challenger::duplexing | transcript malleability - Affected files: challenger/src/multi field challenger.rs, field/src/helpers.rs - Violated invariant: The Fiat-Shamir sponge must bind challenges to the exact sequence of observed...
CVE-2026-47091
Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcriptpath value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a...
EUVD-2026-30800
Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcriptpath value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a...
CVE-2026-47091
Claude HUD up to version 0.0.12 is affected by a path traversal flaw exposed by an unvalidated transcript_path in stdin JSON. The vulnerability lets an attacker read arbitrary files readable by the process, and the accessed file metadata is written to a persistent cache file with insufficient per...
CVE-2026-47091 Claude HUD 0.0.12 Path Traversal via transcript_path
Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcriptpath value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a...
CVE-2026-47091 Claude HUD 0.0.12 Path Traversal via transcript_path
Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcriptpath value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a...
CVE-2026-47091
Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcriptpath value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a...
PT-2026-41731
Name of the Vulnerable Software and Affected Versions Claude HUD versions 0.0.0 through 0.0.12 Description A path traversal issue allows attackers to read arbitrary files by providing an unvalidated transcript path value via stdin JSON. This enables access to any file readable by the process...
CVE-2026-30635
Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the viewtask aka view in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGEBASEURL...
GHSA-64VR-4GR2-M642 automagik-genie has a command injection vulnerability
Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the viewtask aka view in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGEBASEURL...
automagik-genie has a command injection vulnerability
Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the viewtask aka view in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGEBASEURL...
EUVD-2026-29159
Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the viewtask aka view in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGEBASEURL...
CVE-2026-30635
Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the viewtask aka view in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGEBASEURL...