EUVD-2026-33705
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if lang is used in the template directory config value, non-admin users can in some cases copy arbitrary files depending on unix permissions into...
NextCloud Teams security vulnerabilities
NextCloud Teams is an open-source team collaboration and group management tool developed by NextCloud. There were security vulnerabilities in versions of NextCloud Teams from 32.0.0 to 32.0.7, and from 33.0.0 to 33.0.1. These vulnerabilities stemmed from the absence of API-level access checks,...
CVE-2024-28765
IBM SDI 7.2.0.0 through 7.2.0.14 and IBM Security Directory Integrator 10.0.0.0 through 10.0.0.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system...
CVE-2026-45321
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...
PT-2026-39905
Name of the Vulnerable Software and Affected Versions: TanStack packages, affected versions not specified. Description: A supply chain attack known as Mini Shai-Hulud targeted 42 @tanstack/ packages, resulting in the publication of 84 malicious versions to the npm registry. The attacker gained...
CVE-2026-6907
An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. django.middleware.cache.UpdateCacheMiddleware erroneously caches requests where the Vary header contained an asterisk. This can lead to private data being stored and served. Earlier, unsupported Django series such as 5.0.x,...
CVE-2026-5766
An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. ASGI requests with a missing or understated Content-Length header can bypass the FILE_UPLOAD_MAX_MEMORY_SIZE limit, potentially loading large files into memory and causing service degradation. As a reminder, Django expects a limit to ...
CVE-2026-2311
IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 is vulnerable to privilege escalation caused by an invalid IBM i Web Administration GUI authorization check. A malicious actor could cause user-controlled code to run with administrator privilege...
RUSTSEC-2026-0101 `safe-agent-rs` was removed from crates.io for being affiliated with malicious code
While safe-agent-rs did not directly contain malicious code, it was owned by the same user as pretty-changelog-logger and microsoftsystem64. safe-agent-rs also appeared to be imitating a different websocket library. We decided to remove it out of an abundance of caution. This crate had 2 versions...
`logtrace` was removed from crates.io for malicious code
logtrace appeared to be downloading a RAT. The malicious crate had 2 versions published on 2026-04-01 that had a total of 30 downloads. There were no crates depending on this crate on crates.io. Thanks to Socket.dev for detecting and reporting this to the crates.io team!...
SOUND4 multiple products OS command injection vulnerability
SOUND4 IMPACT and others are products of SOUND4, a French company. SOUND4 IMPACT is a professional broadcast audio processor. SOUND4 FIRST is a broadcast audio processor. SOUND4 PULSE is an audio processor. An operating system command injection vulnerability exists in several SOUND4 products that...
EUVD-2025-29494
Malicious code in bioql PyPI...
CVE-2025-34521 Arcserve UDP < 10.2 Reflected Cross-Site Scripting (XSS)
A reflected cross-site scripting (XSS) vulnerability exists in the web interface of Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links that, when visited by...
PT-2025-7828 · Unknown · Videowhisper Live Streaming Integration
Name of the Vulnerable Software and Affected Versions: VideoWhisper Live Streaming Integration versions n/a through 6.2 Description: The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal'. This allows unauthorized access to files and...
PT-2024-18447 · Mattermost · Mattermost
Name of the Vulnerable Software and Affected Versions: Mattermost versions 8.1.x through 8.1.8; Mattermost versions 9.2.x through 9.2.4; Mattermost version 9.3.0; Mattermost versions 9.4.x through 9.4.1. Description: The issue allows an authenticated attacker to cause the server to run out of memory...
PT-2023-30791 · Unknown · Mike Strand Bulk Comment Remove
Name of the Vulnerable Software and Affected Versions: Mike Strand Bulk Comment Remove versions prior to 2. Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability, which allows an attacker to perform unauthorized actions on a user's account. This is achieved by tricking the user...
PT-2023-24477
Name of the Vulnerable Software and Affected Versions: Zekiweb versions prior to 2. Description: The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection attacks. Recommendations: For versions prior...
Sitecore Experience Platform path traversal vulnerability
Sitecore Experience Platform (XP) is a suite of customer digital experience platforms from Sitecore, Denmark. A security vulnerability exists in Sitecore Experience Platform 10.2 and prior versions, which stems from a directory traversal vulnerability that could allow an authenticated, remote...
PIXELA CORPORATION PIX-RT100 OS command injection vulnerability
The PIXELA CORPORATION PIX-RT100 is a home router from PIXELA CORPORATION, Japan. A security vulnerability exists in the PIXELA CORPORATION PIX-RT100 RT100TEQ2.1.1EQ101 and RT100TEQ2.1.2EQ101 versions. A network neighboring attacker can execute arbitrary operating system commands via product...