BIT-PROMETHEUS-2026-40179 Prometheus: Stored XSS via metric names and label values in web UI tooltips and metrics explorer

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

mt6893-security-research

MT6893 Security Research Five security research findings from...

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the XWD decoder when there is a type confusion between bitsperpixel and pixmapdepth during the byte-swap process. An attacker can achieve arbitrary code execution or cause a denial of service by providing a crafte...

Out-of-bounds Write

Overview Affected versions of this package are vulnerable to Out-of-bounds Write in the PSD decoding process due to a mismatch between the computed bytes-per-pixel from the image header and the allocated pixel buffer size in LAB 16-bit mode. An attacker can achieve arbitrary code execution or cau...

CVE-2026-40491

gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...

CVE-2026-40491 gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall

gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...

CVE-2026-40491

CVE-2026-40491 affects the gdown library (Python) prior to 5.2.2. A path traversal flaw in the extractall function fails to sanitize archive member filenames, allowing files to be written outside the destination directory and potentially enabling arbitrary file overwrite and Remote Code Execution...

CVE-2026-40491 gdown Affected by Arbitrary File Write via Path Traversal in gdown.extractall

gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members...

GHSA-XJVP-7243-RG9H Wish has SCP Path Traversal that allows arbitrary file read/write

Summary The SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal through improper validation of user-supplied paths in the prefixed function. An attacker can read or write arbitrary files, create directories, and enumerate files outside the intended root directory by sending...

Wish has SCP Path Traversal that allows arbitrary file read/write

Summary The SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the SubFileSystem method. An attacker can access directories outside the intended confinement by supplying specially crafted paths containing unresolved .. segments. This is only exploitable if the input path is...

PT-2026-33605

CVE-2026-40530, CVE-2026-4036, and others: Vulnerabilities in Synology DSM, up to 8.0 rating 🔥 Several vulnerabilities in Synology DiskStation Manager DSM allow remote authenticated attacker to read or write files, conduct denial-of-service attacks, and obtain information, including arbitrary...

PT-2026-33604

CVE-2026-40530, CVE-2026-4036, and others: Vulnerabilities in Synology DSM, up to 8.0 rating 🔥 Several vulnerabilities in Synology DiskStation Manager DSM allow remote authenticated attacker to read or write files, conduct denial-of-service attacks, and obtain information, including arbitrary...

Wish has SCP Path Traversal that allows arbitrary file read/write

The SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequence...

Wish has SCP Path Traversal that allows arbitrary file read/write

The SCP middleware in charm.land/wish/v2 is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing ../ sequence...

CVE-2026-40484 ChurchCRM: Authenticated Remote Code Execution via Unrestricted PHP File Write in Database Restore Function

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the database backup restore functionality extracts uploaded archive contents and copies files from the Images/ directory into the web-accessible document root using recursiveCopyDirectory, which performs no file...

CVE-2026-40484

ChurchCRM prior to version 7.2.0 is affected by an authenticated remote code execution in the database backup restore feature. The restore operation extracts uploaded archives and copies files from Images/ into the web root using recursiveCopyDirectory(), without file extension filtering, allowin...

Incorrect Authorization

Overview @openclaw/matrix is an OpenClaw Matrix channel plugin Affected versions of this package are vulnerable to Incorrect Authorization via the operator.write message-tool. An attacker can modify persistent Matrix profile configuration without proper authorization by sending crafted requests...

GHSA-7JP6-R74R-995Q OpenClaw: Matrix profile config persistence was reachable from operator.write message tools

Summary Matrix profile config persistence was reachable from operator.write message tools. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Gateway operator.write message-tool paths could reach Matrix profile persistence that should have...