PT-2026-35740

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC:...

EUVD-2026-25943

OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during uploadimage operations to read arbitrary files outside...

CVE-2026-7040

Text::Minify::XS versions from 0.3.0 before 0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minifyutf8 function is an alias for minify...

org.springframework.ai:spring-ai-starter-vector-store-weaviate (>=1.1.0 <=1.1.4) potentially affected by CVE-2026-40967 via org.springframework.ai:spring-ai-weaviate-store (>=1.1.0-M1 <=1.1.4)

org.springframework.ai:spring-ai-weaviate-store MAVEN version =1.1.0-M1, =1.1.0, =1.1.4 Source cves: CVE-2026-40967 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-16321397...

io.github.vishalmysore:easyQServer (>=0.2.8.11.1 <=0.2.8.12.3), org.springframework.ai:spring-ai-mongodb-atlas-store-spring-boot-starter (>=1.0.0-M5 <=1.0.0-M6) +1 more potentially affected by CVE-2026-40967 via org.springframework.ai:spring-ai-mongodb-atlas-store (>=1.0.0-M5 <=1.0.5)

org.springframework.ai:spring-ai-mongodb-atlas-store MAVEN version =1.0.0-M5, =0.2.8.11.1, =1.0.0-M5, =1.0.0, =1.0.5 Source cves: CVE-2026-40967 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-16321392...

Apache Camel 安全漏洞

Apache Camel is an open-source integration framework based on the Enterprise Integration Pattern EIP, developed by the Apache Foundation in the United States. This framework provides implementations of Java objects following the EIP pattern and allows routing and mediation rules to be configured...

Apache Storm Prometheus Reporter 信任管理问题漏洞

Apache Storm Prometheus Reporter is a monitoring component developed by the Apache Foundation that converts metrics from distributed stream processing systems into Prometheus format. Versions 2.6.3 to 2.8.6 of Apache Storm Prometheus Reporter contain vulnerabilities related to trust management...

ProjeQtOr 安全漏洞

ProjeQtOr is a project management software developed by the French company ProjeQtOr. Versions 7.0 to 12.4.3 of ProjeQtOr contain security vulnerabilities. These vulnerabilities stem from a lack of authorization verification at the objectDetail.php endpoint, which may lead to the retrieval of...

Linux Distros Unpatched Vulnerability : CVE-2026-41681

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.10.39 to before 0.10.78, EVPDigestFinal always writes EVPMDCTXsizectx to the ou...

DEBIAN-CVE-2026-42254

Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response...

CVE-2026-42254

Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response...

CVE-2026-42254

Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response...

0xble (>=14.0.0 <=21.9.1), 100xchat (>=1.1.5 <=1.3.5) +4340 more potentially affected by CVE-2026-8657 via jsondiffpatch (>=0.0.11 <=0.7.3)

jsondiffpatch NPM version =0.0.11, =14.0.0, =1.1.5, =1.0.0, =1.0.0, =1.0.4, =0.10.6, =0.1.6, =0.0.0-dev-nicolas-fix-publishing-aurora-mcp-1750279939, =0.0.65, =1.0.1, =0.1.0-alpha.1, =0.1.0, =0.3.1, =0.5.10, =1.2.4 and more Source cves: CVE-2026-8657 Source advisory: SNYK:JS-JSONDIFFPATCH-1632299...

PT-2026-37185

Name of the Vulnerable Software and Affected Versions LiteLLM versions 1.74.2 through 1.83.6 Description LiteLLM is a proxy server AI Gateway used to call LLM APIs in OpenAI or native format. The endpoints 'POST /mcp-rest/test/connection' and 'POST /mcp-rest/test/tools/list', used to preview an M...

@13w/local-rag (=2.0.0), @amodalai/cli (>=0.1.0 <=0.1.1) +29 more potentially affected by unknown CVE via @google/gemini-cli (>=0.11.3 <=0.39.0-nightly.20260411.0957f7d3e)

@google/gemini-cli NPM version =0.11.3, =0.1.0, =0.1.5, =0.1.0, =1.0.0, =0.0.17, =0.6.4, =0.0.1, =1.3.0, =1.0.0, =2.0.0 - @vibe-forge/client =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-WPQR-6V78-JR5G...

0xpay-cc-sdk (>=0.0.8 <=0.1.0), 0xtrails (>=0.0.0-20251106131028 <=0.16.0) +7151 more potentially affected by CVE-2026-42038 via axios (>=1.0.0 <=1.15.0)

axios NPM version =1.0.0, =0.0.8, =0.0.0-20251106131028, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =1.0.0, =0.0.2-beta.0, =8.0.5, =6.1.0, =0.0.0-canary-847463221a9a1bee28641d8c0ecfaca98ee142f6, =0.0.1-alpha.3, =0.1.6-alpha.11, =0.1.6-alpha.12 and more Source cves: CVE-2026-42038 Source advisory:...

CVE-2026-42037 Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF \r\n sequences. An attacker w...

0xpwn (=0.1.1), a2a-acl (>=0.0.14 <=0.0.15) +300 more potentially affected by CVE-2026-42203 via litellm (>=1.80.5 <=1.83.4)

litellm PYPI version =1.80.5, =0.0.14, =0.0.14, =0.0.1a0, =0.6.0, =0.7.3, =0.1.46, =0.25.4a2, =0.5.2, =0.1.0, =0.1.0, =0.1.0, =0.2.4, =0.2.15 and more Source cves: CVE-2026-42203 Source advisory: SNYK:PYTHON-LITELLM-16300055...

com.espertech:esperio-springjms (=9.0.0), org.apache.activemq.tooling:activemq-maven-plugin (>=6.0.0 <=6.2.3) +5 more potentially affected by CVE-2026-41044 via org.apache.activemq:activemq-all (>=6.0.0 <=6.2.3)

org.apache.activemq:activemq-all MAVEN version =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.3 Source cves: CVE-2026-41044 Source advisory: OSV:GHSA-MR6M-XJ7V-3CV3...

at.chrl:chrl-jms (=1.1.0), at.researchstudio.sat:won-core (>=0.2 <=0.9) +1035 more potentially affected by CVE-2026-40466 via org.apache.activemq:activemq-broker (>=5.10.0 <=5.19.4)

org.apache.activemq:activemq-broker MAVEN version =5.10.0, =0.2, =0.3, =0.2, =0.2, =0.3, =0.3, =0.3, =0.3, =0.3, =0.2, =0.3, =0.3, =0.6 - at.researchstudio.sat:won-owner =0.3 - at.researchstudio.sat:won-owner-webapp =0.3 and more Source cves: CVE-2026-40466 Source advisory:...