CVE-2026-49241

The CVE concerns the Angular Language Service VS Code Extension (pre-21.2.4). It reads custom tsdk paths from workspace settings without Workspace Trust checks, then dynamically loads tsserverlibrary.js from a user-specified folder during server initialization. An attacker could commit a reposito...

CVE-2026-44691

In Eclipse Theia versions prior to 1.69.0, custom task definitions in workspace files e.g. .theia/tasks.json, .vscode/tasks.json could be executed without requiring workspace trust. An attacker could craft a malicious repository that, when cloned and opened in Theia, leads to execution of arbitra...

praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id}

Summary Type: Authorization bypass enabling workspace metadata + settings tampering. The PATCH /workspaces/workspaceid endpoint is gated only by requireworkspacememberworkspaceid default minrole="member". Any member can rewrite the workspace's name, description, and the settings JSON blob. The...

Cross-site Scripting (XSS)

Overview @typebot.io/js is a Javascript library to display typebots on your website Affected versions of this package are vulnerable to Cross-site Scripting XSS in the RatingButton component when unsanitized SVG or HTML is rendered via the innerHTML directive. An attacker can gain access to sessi...

EUVD-2026-30555

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-controlled values. The extension used string-based command execution for Turborepo daemon commands and...

Turborepo 命令注入漏洞

Turborepo is a high-performance JavaScript and TypeScript build system open source by Vercel. Versions of Turborepo 2.9.14000 and earlier contained a command injection vulnerability. This vulnerability stemmed from the LSP VS Code extension using string-based commands to execute Turborepo’s daemo...

Ruby LSP 代码注入漏洞

Ruby LSP is an open-source Ruby language server developed by Shopify. It provides code completion and debugging features. Versions of Ruby LSP prior to 0.10.2 and 0.26.9 contained a code injection vulnerability. This vulnerability stemmed from the fact that the Gemfile generated by rubyLsp.branch...

Ruby LSP has arbitrary code execution through branch setting

Summary The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. Other editors that support workspace setting that get automatically...

GHSA-C4R5-FXQW-VH93 Ruby LSP has arbitrary code execution through branch setting

Summary The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. Other editors that support workspace setting that get automatically...

PT-2026-28598

Name of the Vulnerable Software and Affected Versions ruby-lsp versions prior to 0.10.2 ruby-lsp gem versions prior to 0.26.9 Description The rubyLsp.branch VS Code workspace setting was used in generating a Gemfile without proper sanitization, potentially allowing arbitrary Ruby code execution...

Ruby LSP has arbitrary code execution through branch setting

Summary The rubyLsp.branch VS Code workspace setting was interpolated without sanitization into a generated Gemfile, allowing arbitrary Ruby code execution when a user opens a project containing a malicious .vscode/settings.json. Other editors that support workspace setting that get automatically...

CVE-2026-26964

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET...

CVE-2026-26964

Windmill CVE-2026-26964 affects Windmill versions 1.634.6 and earlier. The issue allows non-admin workspace members to access the Slack OAuth client secret via GET /api/w/{workspace}/workspaces/get_settings, revealing a secret that should be admin-only. Root cause: Slack configuration was stored ...

CVE-2026-26964 Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET...

PT-2026-3437

Name of the Vulnerable Software and Affected Versions Altium Forum affected versions not specified Description A stored cross-site scripting XSS issue exists in the Altium Forum because of insufficient server-side input sanitization of forum post content. An authenticated attacker can inject...

CVE-2026-1009 Stored Cross-Site Scripting in Altium Live Forum Leading to Cross-Customer Data Exposure

A stored cross-site scripting XSS vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post...

EUVD-2025-27052

Malicious code in bioql PyPI...

EUVD-2022-52556

Malicious code in bioql PyPI...

CVE-2025-61590

Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution RCE attacks through Visual Studio Code Workspaces. Workspaces allow users to open more than a single folder and save specific settings pretty similar to .vscode/settings.json for...

CVE-2025-61590 Cursor is vulnerable to RCE via .code-workspace files using Prompt Injection

Cursor is a code editor built for programming with AI. Versions 1.6 and below are vulnerable to Remote Code Execution RCE attacks through Visual Studio Code Workspaces. Workspaces allow users to open more than a single folder and save specific settings pretty similar to .vscode/settings.json for...