RUSTSEC-2026-0140 DNS rebinding and cross-origin CSRF in dynoxide's MCP HTTP transport

dynoxide's MCP HTTP transport was vulnerable to DNS rebinding via its transitive rmcp dependency, plus a related cross-origin CSRF gap. A malicious web page could make the user's browser send requests to a local dynoxide mcp --http or dynoxide serve --mcp server with a non-loopback Host header,...

USN-8268-1: Dnsmasq vulnerabilities

Andrew S. Fasano, Royce M, and Hugo Martinez Ray discovered that Dnsmasq did not allocate the necessary space to store domain names in some contexts. An attacker could possibly use this issue to write out-of-bounds, and could cause a denial of service or execute arbitrary code. CVE-2026-2291 Royc...

Pulpy 路径遍历漏洞

Pulpy is a lightweight tool developed by Enes Gökkaya that converts web applications into desktop applications. Versions of Pulpy prior to 0.1.1 contained a path traversal vulnerability. This vulnerability stemmed from an incomplete blacklist for the validateFsPath function, which could lead to...

PT-2026-40040

Name of the Vulnerable Software and Affected Versions Ivanti Xtraction versions prior to 2026.2 Description External control of a file name allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory. This can lead to information disclosure and...

PT-2026-40422

Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated as having full...

PT-2026-40384

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability CVE-2026-6959 is fixed in Nomad 2.0.1, 1.11.5 and 1.10.11...

PT-2026-40416

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier NEEDS REVIEW: impact mismatch — ticket says 'Arbitrary file system write', CIA triad derives 'Security Feature Bypass'. Verify CVSS vector before publishing. are affected by an Improper Input...

PT-2026-40551

Name of the Vulnerable Software and Affected Versions Dalfox versions prior to 2.13.0 Description When running in REST API server mode, the software fails to sanitize certain fields in the request body, allowing an unauthenticated network caller to create or append to any file writable by the...

PT-2026-40344

Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file...

PT-2026-40323

Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file...

PT-2026-40169

Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file...

PT-2026-40174

After Effects versions 26.0, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file...

AMD Graphics Vulnerabilities – May 2026

CVE Details Refer to Glossary for explanation of terms CVE ID| CVE Description| CVSS Vector ---|---|--- CVE-2024-36323| Improper isolation of VCN-JPEG HW register space could allow a malicious Guest Virtual Machine VM or a process to perform unauthorized access to the register space of the JPEG...

PT-2026-40132

Name of the Vulnerable Software and Affected Versions Microsoft Visual Studio/.NET versions prior to 10.0.8 Description A tampering issue occurs when .NET Core improperly handles specially crafted files. An attacker can exploit this by sending a specially crafted file to a vulnerable system,...

PT-2026-40390

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain...

PT-2026-40446

Name of the Vulnerable Software and Affected Versions efw4.X versions prior to 4.08.010 Description The readonly flag in the '' JSP tag is intended to prevent file modifications. When protected=true, the elfinder checkRisk function ensures the client sends readonly=true to match the session value...

PT-2026-40346

Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file...

Fuji Electric Fuji Tellus 安全漏洞

Fuji Electric Fuji Tellus is an interface and control platform for industrial automation and equipment monitoring developed by Fuji Electric in Japan. There is a security vulnerability in Fuji Electric Fuji Tellus, which stems from adding drivers to the kernel during the installation process,...

Adobe Commerce 安全漏洞

Adobe Commerce is a leading global digital business solution for businesses and brands offered by Adobe in the United States. There is a security vulnerability in Adobe Commerce, which stems from improper authorization. This vulnerability may allow security features to be bypassed, enabling...

Adobe Premiere Pro < 25.6.5 / 26.0.0 < 26.2.0 Multiple Arbitrary code execution (APSB26-46) (macOS)

The version of Adobe Premiere Pro installed on the remote macOS host is prior to 25.6.5, 26.2.0. It is, therefore, affected by multiple vulnerabilities as referenced in the APSB26-46 advisory. - Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by a Use After Free vulnerability that...