
23 matches found

Github Security Blog
added 2026/06/11 1:04 p.m. · 12 views

guzzlehttp/psr7 has CRLF Injection via URI Host Component

Impact guzzlehttp/psr7 did not reject ASCII control characters, whitespace, or DEL in first-party URI host components. The issue requires a PSR-7 request to be serialized into a raw HTTP/1.x message, for example with GuzzleHttp\Psr7\Message::toString or an equivalent custom serializer. Creating a...

CVSS 5.3 · AI score 5.5 · EPSS 0.0031
Exploits 0 · References 3 · Affected Software 1
CNNVD
added 2026/05/13 12:00 a.m. · 6 views

Next.js Cross-Site Scripting Vulnerability

Next.js is a React framework open source by Vercel. Versions of Next.js from 13.0.0 to 15.5.16, as well as versions before 16.2.5, have a cross-site scripting vulnerability. This vulnerability arises from the use of the beforeInteractive script when embedding trusted content, where the serialized...

CVSS 6.1 · AI score 5.7 · EPSS 0.00205
Exploits 0 · References 1
ATTACKERKB
added 2026/04/21 9:00 p.m. · 1 view

CVE-2026-40933

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. The vulnerabilit...

CVSS 9.9 · AI score 6.4 · EPSS 0.01876
Exploits 1 · References 4 · Affected Software 2
CVE
added 2026/04/21 9:00 p.m. · 120 views

CVE-2026-40933

Flowise: Authenticated RCE via MCP adapters. Prior to 3.1.0, unsafe serialization of stdio commands in the MCP adapter allows an authenticated attacker to add an MCP stdio server and run arbitrary OS commands, due to a bug in input sanitization in the Custom MCP configuration (http://localhost:30...

CVSS 9.9 · AI score 6.6 · EPSS 0.01876
Exploits 1 · References 3 · Affected Software 1
OSV
added 2026/04/16 9:18 p.m. · 5 views

GHSA-C9GW-HVQQ-F33R Flowise: Authenticated RCE Via MCP Adapters

Summary Due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution. Details The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration in...

CVSS 9.9 · AI score 6.5 · EPSS 0.01876
Exploits 1 · References 4
CVE
added 2026/04/02 5:47 p.m. · 34 views

CVE-2026-34601

CVE-2026-34601 affects the xmldom library (and @xmldom/xmldom) via a CDATA terminator handling flaw. Attacker-controlled strings containing the CDATA terminator ]]> could be inserted into a CDATASection and, during XMLSerializer output, emitted verbatim, turning text into active XML markup and...

CVSS 7.5 · AI score 5.7 · EPSS 0.00424
Exploits 0 · References 4
CVE
added 2026/02/12 1:35 a.m. · 83 views

CVE-2026-0969

The CVE-2026-0969 issue stems from the serialize function used to compile MDX in next-mdx-remote, with insufficient sanitization enabling arbitrary code execution in React server-side rendering of untrusted MDX content. The description provides a CVSSv3.1 base score of 8.8 (HIGH) and a network at...

CVSS 8.8 · AI score 6.3 · EPSS 0.00582
Exploits 0 · References 1
Snyk
added 2026/01/05 3:40 a.m. · 2 views

Remote Code Execution (RCE)

Overview Affected versions of this package are vulnerable to Remote Code Execution RCE over the /expr endpoint. An authenticated user can execute code or disrupt service by sending malicious serialized data as the code parameter, which is passed to expr.Exec and executed as an expression without...

CVSS 8.8 · AI score 6.8 · EPSS 0.00316
Exploits 0 · References 2
CNNVD
added 2025/10/24 12:00 a.m. · 1 view

pgCodeKeeper Security Vulnerability

pgCodeKeeper is an open source Eclipse plug-in for database schema management from pgCodeKeeper. A security vulnerability exists in pgCodeKeeper version 10.12.0, which stems from the Utils.serialize function's handling of serialized data from an untrustworthy source, and could lead to the executi...

CVSS 8.2 · AI score 7.2 · EPSS 0.00314
Exploits 1 · References 1
EUVD
added 2025/10/03 8:07 p.m. · 4 views

EUVD-2025-3093

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 6.5 · EPSS 0.00463
Exploits 0 · References 2
RedhatCVE
added 2025/05/23 12:01 p.m. · 4 views

CVE-2025-23045

Computer Vision Annotation Tool CVAT is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance is able to run arbitrary code in the context of the Nuclio function container. This vulnerability affects CVAT deployments that run...

CVSS 9.8 · AI score 7.3 · EPSS 0.00463
Exploits 0 · References 1
NVD
added 2025/01/28 4:15 p.m. · 20 views

CVE-2025-23045

Computer Vision Annotation Tool CVAT is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance is able to run arbitrary code in the context of the Nuclio function container. This vulnerability affects CVAT deployments that run...

CVSS 9.8 · EPSS 0.00463
Exploits 0 · References 2
CVE
added 2025/01/28 3:19 p.m. · 2132 views

CVE-2025-23045

CVE-2025-23045 affects Computer Vision Annotation Tool (CVAT). An attacker with an account on an affected CVAT instance can execute arbitrary code in the Nuclio function container via serverless tracker functions (TransT and SiamMask); deployments with custom tracker functions may also be affecte...

CVSS 9.8 · AI score 7 · EPSS 0.00463
Exploits 0 · References 2 · Affected Software 1
OSV
added 2025/01/28 3:19 p.m. · 12 views

CVE-2025-23045 CVAT allows remote code execution via tracker Nuclio functions

Computer Vision Annotation Tool CVAT is an interactive video and image annotation tool for computer vision. An attacker with an account on an affected CVAT instance is able to run arbitrary code in the context of the Nuclio function container. This vulnerability affects CVAT deployments that run...

CVSS 8.7 · AI score 7.3 · EPSS 0.00463
Exploits 0 · References 4
Positive Technologies
added 2025/01/28 12:00 a.m. · 2 views

PT-2025-4790 · Nuclio +1 · Nuclio +1

Name of the Vulnerable Software and Affected Versions: Computer Vision Annotation Tool CVAT versions prior to 2.26.0 Description: The issue allows an attacker with an account on an affected CVAT instance to run arbitrary code in the context of the Nuclio function container. This affects CVAT...

CVSS 8.7 · AI score 7.5 · EPSS 0.00463
Exploits 0 · References 9
The Hacker News
added 2024/12/27 6:46 a.m. · 20 views

Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization

The Apache Software Foundation ASF has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions. Tracked as CVE-2024-52046 , the vulnerability carries a CVSS score of 10.0. It...

CVSS 10 · AI score 10 · EPSS 0.78198
Exploits 28
RedHat Linux
added 2020/07/29 6:06 a.m. · 3 views

jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool

A flaw was found in jackson-databind 2.x in versions prior to 2.9.10.5. FasterXML jackson-databind 2.x mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 8.1 · AI score 7.1 · EPSS 0.08007
Exploits 0 · References 4
CNVD
added 2018/07/24 12:00 a.m. · 2 views

Apache Ignite Arbitrary Code Execution Vulnerability (CNVD-2018-15540)

Apache Ignite is the US Apache Software Foundation's high-performance, integrated, distributed in-memory computing and transaction management platform for processing large-scale data sets. An arbitrary code execution vulnerability exists in Apache Ignite 2.5 and earlier...

CVSS 9.8 · AI score 9.8 · EPSS 0.0679
Exploits 0 · References 1
Tenable Nessus
added 2018/06/29 12:00 a.m. · 60 views

RHEL 7 : Red Hat JBoss Enterprise Application Platform (RHSA-2018:2089)

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2089 advisory. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red...

CVSS 9.8 · AI score 7.6 · EPSS 0.37925
Exploits 7 · References 9
Tenable Nessus
added 2018/06/29 12:00 a.m. · 44 views

RHEL 6 : Red Hat JBoss Enterprise Application Platform (RHSA-2018:2090)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2090 advisory. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red...

CVSS 9.8 · AI score 7.6 · EPSS 0.37925
Exploits 7 · References 9