ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0), ai.ancf.lmos:lmos-router-llm-in-spring-cloud-gateway-demo (=0.1.0) +16307 more potentially affected by CVE-2026-0636 via org.bouncycastle:bcprov-jdk18on (>=1.74 <=1.83)

org.bouncycastle:bcprov-jdk18on MAVEN version =1.74, =0.2.0, =0.31.0, =0.5.0, =0.6.0, =0.5.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.5.0, =0.8.3, =0.8.3, =0.8.7 and more Source cves: CVE-2026-0636 Source advisory: OSV:GHSA-C3FC-8QFF-9HWX...

ai.tock:bot-test (=23.9.2), ai.tock:bot-test-base (=23.9.2) +498 more potentially affected by CVE-2026-40458 via org.pac4j:pac4j-core (>=6.0.0-RC1 <=6.4.0)

org.pac4j:pac4j-core MAVEN version =6.0.0-RC1, =6.4.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.pac4j:pac4j-core and may be impacted: - ai.tock:bot-test =23.9.2 - ai.tock:bot-test-base =23.9.2 - ai.tock:bot-toolkit =23.9.2 -...

JLSEC-2026-144

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undopxr24impl in src/lib/OpenEXRCore/internalpxr24.c at line 377. The...

JLSEC-2026-146

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that decodes it via...

CVE-2026-35073

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command injection vulnerability. A high privileged attacker...

CVE-2026-35072

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper neutralization of special elements used in an OS command 'OS command injection' vulnerability. A high...

kimai 安全漏洞

Kimai is a web-based, multi-user time tracking application developed by Kimai’s individual developer. Versions of Kimai from 1.16.3 to 2.52.0 have security vulnerabilities. These vulnerabilities stem from incomplete escapeForHtml function escapes, which may lead to storage-side cross-site scripti...

nextjs-auth0 安全漏洞

nextjs-auth0 is an open-source Next.js SDK developed by Auth0, used for authentication with Auth0. Versions 4.12.0 to 4.17.1 of nextjs-auth0 contain security vulnerabilities. These vulnerabilities stem from requests that trigger random number retries, which may lead to improper handling of token...

PT-2026-33438

Name of the Vulnerable Software and Affected Versions Dell PowerProtect Data Domain versions 7.7.1.0 through 8.7.0.0 Dell PowerProtect Data Domain versions 8.3.1.0 through 8.3.1.20 Dell PowerProtect Data Domain versions 7.13.1.0 through 7.13.1.60 Description Improper neutralization of special...

@saltcorn/admin-models (>=1.6.0-alpha.0 <=1.6.0-beta.12), @saltcorn/base-plugin (>=1.6.0-alpha.0 <=1.6.0-beta.12) +5 more potentially affected by CVE-2026-41478 via @saltcorn/data (>=1.6.0-alpha.0 <=1.6.0-beta.4)

@saltcorn/data NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-beta.12 Source cves: CVE-2026-41478 Source advisory: SNYK:JS-SALTCORNDATA-16110991...

@saltcorn/cli (>=1.6.0-alpha.0 <=1.6.0-beta.12), @saltcorn/mobile-builder (>=1.6.0-alpha.0 <=1.6.0-beta.12) potentially affected by CVE-2026-41478 via @saltcorn/server (>=1.6.0-alpha.0 <=1.6.0-beta.4)

@saltcorn/server NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-beta.12 Source cves: CVE-2026-41478 Source advisory: SNYK:JS-SALTCORNSERVER-16110989...

3m (>=0.1.0 <=0.1.3), a2d-diary (>=0.1.0 <=0.1.5) +1779 more potentially affected by CVE-2026-41313 via pypdf2 (>=1.24.0 <=3.0.1)

pypdf2 PYPI version =1.24.0, =0.1.0, =0.1.0, =1.1.0, =0.0.0.1, =0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.2, =0.0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.1, =0.0.0.1038 and more Source cves: CVE-2026-41313 Source advisory: SNYK:PYTHON-PYPDF2-16097904...

@bentwnghk/chat (>=1.45.5 <=1.45.6), @clerk/elements (=0.0.2-snapshot.vc65ad98) +3 more potentially affected by CVE-2026-41248 via @clerk/nextjs (>=5.0.1-snapshot.vc65ad98 <=5.7.5)

@clerk/nextjs NPM version =5.0.1-snapshot.vc65ad98, =1.45.5, =1.2.8, =1.2.9 - @spike-npm-land/code =0.9.55 - spark-strand-login =1.0.1 Source cves: CVE-2026-41248 Source advisory: OSV:GHSA-VQX2-FGX2-5WQ9...

AskAI (=0.1.0), BiliupApi (>=0.1.0 <=0.1.7) +4008 more potentially affected by unknown CVE via rustls-webpki (>=0.101.7 <=0.102.8)

rustls-webpki CARGO version =0.101.7, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.0.26, =0.4.0, =0.1.0, =0.21.0-alpha.1, =0.1.11, =0.12.1, =0.13.0 - acme =0.2.1 and more Source cves: unknown CVE Source advisory: OSV:GHSA-XGP8-3HG3-C2MH...

be.ugent.idlab.knows:dataio (>=1.2.0 <=1.3.1), cn.org.expect:modest-build (=1.0.4) +221 more potentially affected by unknown CVE via com.github.junrar:junrar (>=7.4.0 <=7.5.1)

com.github.junrar:junrar MAVEN version =7.4.0, =1.2.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.1, =2.7.0, =2.7.2, =2.1, =3.5.3, =3.5.11 and more Source cves: unknown CVE Source advisory: SNYK:JAVA-COMGITHUBJUNRAR-16097905...

airflow-balancer (>=0.7.0 <=0.7.6), airflow-clickhouse-plug (=1.6.2) +37 more potentially affected by CVE-2026-31987 via apache-airflow (>=3.0.0 <=3.1.8)

apache-airflow PYPI version =3.0.0, =0.7.0, =1.5.0, =0.6.1, =1.10.7, =0.6.0, =0.1.0, =1.4.3, =1.2.10, =0.1.1, =3.0.0, =1.6.0, =1.5.3, =1.25.0, =3.12.0, =3.12.0rc1 and more Source cves: CVE-2026-31987 Source advisory: OSV:GHSA-PHV5-VQ5P-QHP7...

CVE-2026-3324

The CVE-2026-3324 issue affects Zohocorp ManageEngine Log360 versions 13000–13013, where authentication bypass can occur on certain actions due to improper filter configuration. The root cause is misconfigured access filters, enabling unauthorized access without credentials. The CVSSv3.1 base met...

EUVD-2026-23215

In rsync 3.0.1 through 3.4.1, receivexattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X aka --xattrs. On Linux, many but not all common configurations are vulnerable. Non-Linux platforms are more widely vulnerable...

EUVD-2026-23114

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role...

PT-2026-33247

radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git not a release, the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1...