CVE-2026-42266

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager allowedextensionsuris is not correctly enforced by JupyterLab. The Py...

CVE-2026-42266

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. From 4.0.0 to 4.5.6, the allow-list of extensions that can be installed from PyPI Extension Manager allowedextensionsuris is not correctly enforced by JupyterLab. The Py...

resolver use-after-free in OCSP

resolver use-after-free in OCSP Severity: medium CVE-2026-40701 Not vulnerable: 1.31.0+, 1.30.1+ Vulnerable: 1.19.0-1.30.0...

Bandit 安全漏洞

Bandit is a high-performance HTTP and WebSocket server developed by Mat Trudel. Versions of Bandit from 1.6.1 to 1.11.1 contained security vulnerabilities. These vulnerabilities were caused by infinite loops, which could allow unauthenticated remote attackers to exploit the system through...

Next.js 代码问题漏洞

Next.js is a React framework open source by Vercel. Versions of Next.js from 13.4.13 to 15.5.16, as well as versions before 16.2.5, have code vulnerabilities. These vulnerabilities stem from the use of the built-in Node.js server for hosting. When a custom WebSocket upgrade request is made, it ma...

OpenTelemetry Collector Contrib 安全漏洞

OpenTelemetry Collector Contrib is an extensible telemetry data collection component library developed under OpenTelemetry - CNCF. There are security vulnerabilities in versions 0.124.0 to 0.150.0 of OpenTelemetry Collector Contrib. These vulnerabilities stem from the Authenticate method not...

urllib3 安全漏洞

urllib3 is an open-source Python HTTP library developed by urllib3. This product features a thread-safe connection pool and support for file publishing. There were security vulnerabilities in the versions of urllib3 from 2.6.0 to 2.7.0. These vulnerabilities stemmed from the possibility of...

CVE-2026-44218 ciguard: Container image runs as root (no USER directive)

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER directive. This vulnerability is fixed in 0.8.2...

actbench (=0.0.1a5), agenticos (>=0.0.1 <=0.0.3.155020) +46 more potentially affected by CVE-2026-31245 via mem0ai (>=0.0.20 <=0.1.93)

mem0ai PYPI version =0.0.20, =0.0.1, =1.1.0, =1.1.0, =0.1.41, =1.0.4, =0.61.0, =0.13.0, =0.1.108, =0.1.117, =0.1.120a1, =0.1.120, =0.1.3, =0.1.0, =0.2.1 and more Source cves: CVE-2026-31245 Source advisory: OSV:GHSA-CGX8-QGVR-F7VF...

CVE-2026-30805

Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800...

azure-ai-generative (>=1.0.0b1 <=1.0.0b3), azure-ai-resources (>=1.0.0b1 <=1.0.0b9) +15 more potentially affected by CVE-2026-2614 via mlflow-skinny (>=3.0.0 <=3.0.1)

mlflow-skinny PYPI version =3.0.0, =1.0.0b1, =1.0.0b1, =0.1.0, =0.1.0, =2.5.0, =0.0.13, =3.0.0, =0.1.0, =0.1.4 and more Source cves: CVE-2026-2614 Source advisory: SNYK:PYTHON-MLFLOWSKINNY-16643511...

CVE-2026-34187 SQL Injection in Graph Container Parameter

Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via graph container parameter. This issue affects Pandora FMS: from 777 through 800...

CVE-2026-30808

CVE-2026-30808 concerns Pandora FMS versions 777–800, where a session fixation flaw allows session hijacking via crafted session IDs. The connected sources confirm the vulnerability title and affected range, indicating a problem in authentication/session handling. The impact details in the source...

NPM: protobuf.js: Code injection in pbjs static output from crafted schema names

NPM: protobuf.js: Code injection in pbjs static output from crafted schema names vulnerability discovered by ? in WordPress Npm protobufjs-cli versions = 1.2.0...

node-ral (=0.17.0), protobufjs (=6.1.0) +1 more potentially affected by CVE-2026-44293 via @protobufjs/utf8 (>=1.0.1 <=1.1.0)

@protobufjs/utf8 NPM version =1.0.1, =1.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on @protobufjs/utf8 and may be impacted: - node-ral =0.17.0 - protobufjs =6.1.0 - protobufjs-mod =6.8.2 Source cves: CVE-2026-44293 Source advisory:...

CVE-2026-32687 SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in elixir-ecto postgrex 'Elixir.Postgrex.Notifications' module allows SQL Injection. The channel argument passed to 'Elixir.Postgrex.Notifications':listen/3 and...

ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +369 more potentially affected by CVE-2026-41712 via org.springframework.ai:spring-ai-model (>=2.0.0-M1 <=2.0.0-M5)

org.springframework.ai:spring-ai-model MAVEN version =2.0.0-M1, =0.1.0, =0.1.0, =1.21.9, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.2 and more Source cves: CVE-2026-41712 Source advisory: OSV:GHSA-Q62F-H9X2-GCQC...

@aaa-backend-stack/graphql-rest-bindings (>=1.16.0 <=1.16.9), @aaa-backend-stack/image-service (>=1.16.0 <=1.16.9) +589 more potentially affected by CVE-2026-8162 via multiparty (>=4.0.0 <=4.2.3)

multiparty NPM version =4.0.0, =1.16.0, =1.16.0, =1.16.0, =0.1.155, =1.0.0, =1.1.0, =0.0.1, =0.0.1, =0.1.0, =0.58.14, =0.1.0, =1.0.0, =0.1.1, =0.1.3 and more Source cves: CVE-2026-8162 Source advisory: SNYK:JS-MULTIPARTY-16787378...

BIT-PHP-MIN-2026-7259 Null pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when...

NanaZip 安全漏洞

NanaZip is a compression software open source by the M2-Team. Versions of NanaZip from 5.0.1252.0 to 6.0.1698.0 contained security vulnerabilities. These vulnerabilities stemmed from the recursive, depth-unlimited behavior of the nlohmann::json::parse and GetAllPaths functions in the Electron...