EUVD-2026-25359

A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these...

CVE-2026-35503

A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these...

CVE-2026-29051

This CVE affects melange, where the lint/build workflow (enabled by --persist-lint-results) constructs output paths by joining --out-dir with arch and pkgname read from the APK’s .PKGINFO. Versions 0.32.0 through 0.43.3 are vulnerable; 0.43.4 fixes the issue by validating arch/pkgname against ..,...

SenseLive X3050 信任管理问题漏洞

The SenseLive X3050 is a data collection and environmental monitoring device designed for IoT scenarios by SenseLive Corporation. The SenseLive X3050 has a trust management vulnerability. This vulnerability stems from the fact that the authentication logic in the web management interface is...

CVE-2026-40623 SenseLive X3050 Missing Authorization

A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints on sensitive functions, parameters such as IP addressing, watchd...

CVE-2026-35503

A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these...

CVE-2026-41137

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the...

CVE-2026-41137 Flowise: Code Injection in CSVAgent leads to Authenticated RCE

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the...

EUVD-2026-25277

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the...

CVE-2026-41137

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the...

CVE-2026-41246

Contour is a Kubernetes ingress controller using Envoy proxy. From v1.19.0 to before v1.33.4, v1.32.5, and v1.31.6, Contour's Cookie Rewriting feature is vulnerable to Lua code injection. An attacker with RBAC permissions to create or modify HTTPProxy resources can craft a malicious value in...

SQL Injection

Overview Affected versions of this package are vulnerable to SQL Injection via the query construction in the TSDB access code. An attacker can execute arbitrary TSDB queries by supplying crafted starttime, endtime, or column/table-related values that are interpolated directly into SQL strings. Th...

PT-2026-34807

A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side verification. An attacker with access to the login page could retrieve these...

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : strongSwan vulnerabilities (USN-8196-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8196-1 advisory. Haruto Kimura discovered that strongSwan incorrectly handled the supportedversions extension in TLS. A remote attacker could possibly...

EUVD-2026-25088

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without...

DEBIAN-CVE-2026-41168

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large /Size values or object streams with wrong large /N values. This ha...

CVE-2026-3837

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without...

CVE-2026-41168 pypdf has possible long runtimes for wrong size values in cross-reference and object streams

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large /Size values or object streams with wrong large /N values. This ha...

CVE-2026-41168

pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.1 can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large /Size values or object streams with wrong large /N values. This ha...

CVE-2026-3837

An authenticated attacker can persist crafted values in multiple field types and trigger client-side script execution when another user opens the affected document in Desk. The vulnerable formatter implementations interpolate stored values into raw HTML attributes and element content without...