CVE-2026-35608

CVE-2026-35608 concerns QuickDrop, a file sharing app. A vulnerability exists in the file preview endpoint prior to 1.5.3 where SVGs uploaded via /api/file/upload-chunk can contain JavaScript payloads that execute when users view the file preview. This is a stored XSS in the preview UI context, p...

EUVD-2026-19784

QuickDrop is an easy-to-use file sharing application. Prior to 1.5.3, a stored XSS vulnerability exists in the file preview endpoint. The application allows SVG files to be uploaded via the /api/file/upload-chunk endpoint. An attacker can upload a specially crafted SVG file containing a JavaScrip...

CVE-2026-4931

Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost...

CVE-2026-22679

Weaver Fanwei E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft PO...

PT-2026-31035

Name of the Vulnerable Software and Affected Versions OpenSSL FIPS Module version 3.6 Description Applications utilizing AES-CFB128 encryption or decryption on systems equipped with AVX-512 and VAES support may experience an out-of-bounds read of up to 15 bytes when handling partial cipher blocks...

ImageMagick security update

6.9.10.68-7.0.7 - Fixes Local File Disclosure via Path Traversal CVE-2026-25965 Orabug: 39118995 - Fixes Memory allocation with excessive without limits in the internal SVG decoder CVE-2026-25985 6.9.10.68-7.0.5 - Fix CVE-2025-62171 and CVE-2026-23876 Orabug: 38997140 6.9.10.68-7.0.3 - Security...

PT-2026-30909

Name of the Vulnerable Software and Affected Versions QuickDrop versions prior to 1.5.3 Description QuickDrop, a file sharing application, contains a stored cross-site scripting XSS issue in the file preview functionality. The application allows the upload of SVG files via the...

MA-IDS: Multi-Agent RAG Framework for IoT Network Intrusion Detection with an Experience Library

Network Intrusion Detection Systems NIDS face important limitations. Signature-based methods are effective for known attack patterns, but they struggle to detect zero-day attacks and often miss modified variants of previously known attacks, while many machine learning approaches offer limited...

PT-2026-30731

Name of the Vulnerable Software and Affected Versions Tenda CX12L version 16.03.53.12 Description A stack-based buffer overflow exists in the fromP2pListFilter function of the /goform/P2pListFilter file. Manipulation of the page argument triggers the overflow. The attack requires local network...

PT-2026-31625

Name of the Vulnerable Software and Affected Versions libcap affected versions not specified Description A flaw exists in libcap where a local unprivileged user can exploit a Time-of-check-to-time-of-use TOCTOU race condition in the cap set file function. This allows an attacker with write access...

CVE-2026-34725

DbGate is cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in t...

DEBIAN-CVE-2026-33709

JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to version 5.4.4, an open redirect vulnerability in JupyterHub allows attackers to construct links which, when clicked, take users to the JupyterHub login page, after which they are sent to an...

Security Bulletin: IBM Langflow Desktop FAISS Vector Store Remote Code Execution via malicious Pickle file

Summary IBM Langflow Desktop supports retrieval-augmented generation RAG workflows through its FAISS Vector Store component, which loads persisted vector indexes and associated metadata from disk. A vulnerability in the FAISS component arises from unsafe deserialization of Python Pickle files,...

CVE-2026-34974

phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the regex-based SVG sanitizer in phpMyFAQ SvgSanitizer.php can be bypassed using HTML entity encoding in javascript: URLs within SVG attributes. Any user with editfaq permission can upload a malicious SVG that executes...

CVE-2026-35545

A flaw was found in Roundcube Webmail. A remote attacker could bypass the remote image blocking feature by sending a specially crafted e-mail message containing SVG Scalable Vector Graphics content. This bypass may lead to information disclosure or an access-control bypass, allowing the attacker ...

JLSEC-2026-46

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The...

JLSEC-2026-49

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses...

AnythingLLM - Information Disclosure

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticate...

EUVD-2026-18593

An issue was discovered in Roundcube Webmail before 1.5.15 and 1.6.15. The remote image blocking feature can be bypassed via SVG content in an e-mail message. This may lead to information disclosure or access-control bypass. This involves the animate element with attributeName=fill/filter/stroke...

GHSA-J2G6-8RVG-7MF6 Roundcube Webmail: Bypass of remote image blocking via SVG content (with animate attributes) in an e-mail message

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. The remote image blocking feature can be bypassed via SVG content with animate attributes in an e-mail message. This may lead to information disclosure or access-control bypass...