ROOT-OS-DEBIAN-12-CVE-2025-68371 CVE-2025-68371 in rootio-linux - Patched by Root

Root has patched CVE-2025-68371 in the rootio-linux package for Root:Debian:12. Multiple fixed versions available...

PT-2026-44980

Name of the Vulnerable Software and Affected Versions FastGPT versions prior to 4.15.0-beta1 Description The JavaScript sandbox worker fails to properly block dynamic import calls due to an insufficient regular expression. The regex /bimports/.testcode only accounts for ASCII whitespace and does...

Concrete CMS 安全漏洞

Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS 9.5.0 and earlier have security vulnerabilities. These vulnerabilities stem from a vulnerability that can be exploited by cross-site request forgery attacks. This could allow victims with...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the StandardEvaluationContext method. An attacker can execute arbitrary code and exfiltrate credentials by supplying crafted Spring Expression Language SpEL expressions as an authenticated user with...

CVE-2026-43992 JunoClaw: MCP write tools exposed raw BIP-39 mnemonic as a tool-call parameter

JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool sendtokens, executecontract, instantiatecontract, uploadwasm, ibctransfer, etc. accepted 'mnemonic: string' as an explicit tool-call parameter. The BIP-39 seed was consequently embedded in th...

PT-2026-38558

manage.get.gov is the .gov TLD registrar maintained by CISA. manage.get.gov allows an organization administrator to assign domain manager privileges for domains not already in another organization. Fixed in 1.176.0 on or around 2026-04-30...

MAL-2026-2559 Malicious code in databasesupalake (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 78dbe2b5e300604ea36dc85a6b0e9eae4e92b7b3729de10b3951f5e3bfc7729b During installation package downloads and runs a malicious executable. Likely continuation of 2026-03-rowrap. The campaign is built over a malicious Roblox API...

CVE-2026-34385 Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user...

CVE-2026-24901

Summary: CVE-2026-24901 affects Outline prior to 1.4.0, with an Insecure Direct Object Reference (IDOR) in the document restoration logic. This allows any team member to unauthorizedly restore, view, and seize ownership of deleted drafts belonging to other users (including administrators) by bypa...

EUVD-2026-8642

zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service...

CVE-2023-31250

The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release. Review the release notes for your...

CVE-2022-0960

Stored XSS viva .properties file upload in GitHub repository star7th/showdoc prior to 2.10.4...

Important: Red Hat Security Advisory: Red Hat Ceph Storage

A new version of Red Hat build of Ceph Storage has been released The Red Hat Storage Ceph container images are based on the latest ubi9 base image and Ceph 7.1. This release updates to the latest version...

EUVD-2025-114124

Malicious code in element-ui-version-release-it-deneb npm...

EUVD-2021-21265

Malware in sbrugna...

EUVD-2021-21262

Malware in sbrugna...

EUVD-2024-2675

Malicious code in bioql PyPI...

EUVD-2023-3224

Malicious code in bioql PyPI...

CVE-2025-58357

5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Version 0.13.2 contains a vulnerability in the chat page's script gadgets that enables content injection attacks through multiple vectors: malicious prompt injection pages, compromised MCP server...

CVE-2025-4988 Stored Cross-site Scripting (XSS) vulnerability affecting Results Analytics in Multidisciplinary Optimization Engineer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x

A stored Cross-site Scripting XSS vulnerability affecting Results Analytics in Multidisciplinary Optimization Engineer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session...