
884591 matches found

OSV, added 3 hours ago, 1 view

MAL-2026-6233 Malicious code in fluent-dashboard-panel-metrics (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9e745c609fb43daaa93911ae2edcb05b1ffd3cec1c6ec55c321597e9e39eb153 fluentpanelmetrics/init.py defines an undocumented function bootstrapruntimeprofile and invokes it unconditionally at module top level. The function...

AI score 6.1
Exploits 0, References 2

OSV, added yesterday, 0 views

CGA-6J77-9G4P-7R55

Bulletin has no description...

CVSS 6.9, EPSS 0.00226
Exploits 1

OSV, added yesterday, 0 views

MAL-2026-6231 Malicious code in improvado-layout-panel-metrics (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 5aeeeb45ef8a0d58b7679829291f01f8455c466a416fe3706e9d2042666a40de During import, the package starts a reverse shell. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign:...

AI score 6.1
Exploits 0, References 1

OSV, added yesterday, 6 views

GHSA-869J-R97X-HX2G Anki's local HTTP server does not sufficiently validate requests

Summary Anki launches a local HTTP server to serve media files and web pages for parts of its interface. The server fails to validate requests in the following ways: 1. No sufficient validation of the Origin header. 2. Some endpoints are vulnerable to path traversal attacks. This allows malicious...

CVSS 8.7, AI score 5.9
Exploits 0, References 3

OSV, added yesterday, 6 views

GHSA-JV2J-MQMW-XVV5 SurrealDB: Denial of Service via deep operator chains

An authenticated user could crash a SurrealDB server with a single query containing a long chain of operators. Such a query — for example RETURN 1 + 1 + 1 + ... with tens of thousands of terms — is parsed into an expression tree one level deep per operator. Because the chain is flat and the pratt...

CVSS 6.5, AI score 6.3
Exploits 0, References 2

OSV, added yesterday, 6 views

GHSA-HV6H-HC26-Q48P SurrealDB: Field-level SELECT permissions bypassed via graph and reference traversals

A record user could read field values hidden from them by field-level SELECT permissions by reaching the records through a graph-edge - or back-reference SELECT FROM knows, person:bobknows-SELECT FROM person — returned it intact. The root cause: the shared resolverecordbatch helper used by...

CVSS 4.3, AI score 5.9
Exploits 0, References 2

OSV, added yesterday, 5 views

GHSA-H4H3-3RFJ-X6FQ SurrealDB: Indexed ORDER BY leaks the value ordering of a SELECT-restricted field

A field can be hidden from a user with a field-level SELECT permission DEFINE FIELD code ON secret PERMISSIONS FOR select WHERE owner = $auth.id. When that field is indexed, a record user who cannot read it could still recover the relative ordering of its values across every record by issuing ORD...

CVSS 4.3, AI score 5.9
Exploits 0, References 2

OSV, added yesterday, 5 views

GHSA-CC8F-FCX3-GPJR SurrealDB: Arbitrary file read via DEFINE ANALYZER mapper() filter

SurrealDB's full-text search lets you define a text analyzer whose mapper filter loads a term-mapping file from disk DEFINE ANALYZER ... FILTERS mapper''. A database user with the EDITOR or OWNER role could point that filter at any file the SurrealDB process can read and have its content returned...

CVSS 7.7, AI score 5.7
Exploits 0, References 3

OSV, added yesterday, 4 views

GHSA-H5RG-8P7F-47G2 SurrealDB: SSRF via JWKS URL — Redirect Following in JWT Key Fetch

SurrealDB fetches the JWKS document for a JWT or record access method using a bare reqwest client that follows HTTP redirects by default. The network capability check in core/src/iam/jwks.rs checkcapabilitiesurl is applied only to the originally configured URL; redirect targets are not...

CVSS 4.1, AI score 6
Exploits 0, References 2

OSV, added yesterday, 4 views

GHSA-4XGF-CPJX-PC3J pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size

Summary NestedSecretsSettingsSource reads secret values from files in a configured secretsdir. When secretsnestedsubdir=True, a directory entry inside secretsdir that is a symbolic link pointing outside secretsdir is followed, so files outside the configured directory are read into settings value...

CVSS 5.3, AI score 5.9
Exploits 0, References 2

OSV, added yesterday, 4 views

GHSA-G2GW-Q38M-VJFC Lokka: Azure Resource Manager URL path validation issue

Lokka versions prior to 2.1.2 constructed Azure Resource Manager request URLs using direct string concatenation with user-controlled path input. Specially crafted path values could alter URL authority parsing and cause Azure Resource Manager bearer tokens to be sent to an unintended host. Version...

CVSS 8.7, AI score 5.8
Exploits 0, References 2

OSV, added yesterday, 5 views

GHSA-H5X8-XP6M-X6Q4 @jhb.software/payload-cloudinary-plugin: Arbitrary Cloudinary API Parameter Signing

Arbitrary Cloudinary API Parameter Signing in @jhb.software/payload-cloudinary-plugin Summary @jhb.software/payload-cloudinary-plugin v0.3.4 exposes a server-side signing endpoint POST /api/cloudinary-generate-signature that passes attacker-supplied paramsToSign directly to...

CVSS 7.1, AI score 6.1
Exploits 0, References 2

OSV, added yesterday, 4 views

GHSA-F4XH-W4CJ-QXQ8 LangSmith SDK TracingMiddleware: Arbitrary server-side file read

Summary An attacker who can send an HTTP request to a server running the LangSmith SDK's TracingMiddleware can cause that server to read an arbitrary file from its local filesystem and upload the contents to LangSmith as a trace attachment. Depending on how the distributed trace system is deploye...

CVSS 7.7, AI score 6
Exploits 0, References 2

OSV, added yesterday, 5 views

GHSA-C3XH-98XP-6QHF githubtoplanguages: Command Injection via Issue Title in Discord Notification Workflow

Summary A GitHub Actions workflow is vulnerable to command injection through the issue title. The workflow is triggered when an issue is opened or closed, and it directly inserts github.event.issue.title into a Bash variable assignment. If an issue title contains command substitution syntax, Bash...

CVSS 7.1, AI score 6.1
Exploits 0, References 3

OSV, added yesterday, 4 views

GHSA-MH64-PH39-MRC9 Cloudflare Quiche: Use-after-free in connection ID iterator FFI functions

Impact Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions. The quicheconnectioniditernext and quicheconnretiredscidnext functions would return a pointer to a ConnectionId to the applications via function arguments, but the owned...

CVSS 5.6, AI score 5.8
Exploits 0, References 3

OSV, added yesterday, 4 views

GHSA-4CC2-G9W2-FHF6 Zeep: Server-Side Request Forgery (SSRF)

Summary When parsing a WSDL or XSD document, python-zeep follows transitive references — xsd:import, xsd:include, wsdl:import, and lxml entity/DTD resolution — and will fetch http/https URLs found in those references. The Settings.forbidexternal option, intended to disable this transitive remote...

CVSS 5.9, AI score 6
Exploits 0, References 4

OSV, added yesterday, 5 views

GHSA-CW6H-FFMH-X6VH Anki: User scripts in iframes have access to the internal Anki API

Summary Anki's webview-based pages communicate with the Rust backend using an internal localhost API. Anki implements measures to prevent user scripts run in the reviewer/editor from accessing this API https://github.com/ankitects/anki/pull/3925 but it inadvertently allows access to scripts...

CVSS 6.5, AI score 6
Exploits 0, References 2

OSV, added yesterday, 3 views

GHSA-WVRH-2F4M-924V ChatterBot: Symlink-Following Arbitrary Write via UbuntuCorpusTrainer

Summary ChatterBot's UbuntuCorpusTrainer.extract uses a predictable, home-rooted output directory /ubuntudata/ubuntudialogs with a check-then-create pattern if not os.path.exists: os.makedirs followed by tar.extractallpath=self.datapath. A local attacker who pre-plants a symlink at the predictabl...

CVSS 5.5, AI score 5.9
Exploits 0, References 2

OSV, added yesterday, 4 views

DEBIAN-CVE-2026-12706

Bulletin has no description...

CVSS 6.5, AI score 5.8
Exploits 0, References 1

OSV, added yesterday, 3 views

GHSA-H3M5-97JQ-QJRF OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)

Summary OpenRemote Manager is vulnerable to a cross-tenant Insecure Direct Object Reference (IDOR) in the bulk alarm deletion endpoint. An authenticated user in any realm can delete alarms belonging to other realms (tenants) by supplying arbitrary alarm IDs. The vulnerability exists because the bulk...

CVSS 9.6, AI score 6
Exploits 0, References 4

OSV, added yesterday, 4 views

GHSA-X975-RGX4-5FH4 appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)

Unescaped Locator Data XSS in MCP-UI Resource createLocatorGeneratorUI Summary appium-mcp's createLocatorGeneratorUI function interpolates attacker-controlled element attributes — text, content-desc, resource-id, and locator selector values — directly into an HTML template literal without any HTM...

CVSS 8.2, AI score 6.4
Exploits 0, References 4

OSV, added yesterday, 3 views

GHSA-C795-2G9C-J48M EverOS: Path traversal in EverOS /api/v1/memory/add via unvalidated sender_id

EverOS versions 1.0.0 and earlier are vulnerable to path traversal in the POST /api/v1/memory/add ingestion endpoint. The per-message senderid field was not validated as a path-safe identifier unlike appid / projectid, which already enforced this. During user-memory extraction, senderid is used a...

CVSS 8.2, AI score 6
Exploits 0, References 3

OSV, added yesterday, 2 views

GHSA-V3F4-W7R7-V3HM Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests

Impact Uni-CLI versions before 0.225.2 exposed the legacy JSON-RPC-over-HTTP MCP transport on loopback without validating browser Origin headers before routing requests. A malicious web page could send a CORS simple POST request, such as text/plain, to the local /mcp endpoint and deliver a JSON-R...

CVSS 8.6, AI score 5.9
Exploits 0, References 2

OSV, added yesterday, 1 view

GHSA-6GQW-JQV7-V88M stigmem-node: decay sweep expires and counts facts across all tenants (cross-tenant BOLA)

Summary On a multi-tenant stigmem node, a caller holding a write credential for one tenant can run a decay sweep that acts on every tenant's facts. The candidate-selection queries in lifecycle/decay.py selectttlcandidates, selectconfidencecandidates carried no tenantid predicate, and the caller's...

CVSS 7.2, AI score 5.5
Exploits 0, References 3

OSV, added yesterday, 3 views

GHSA-XHV3-Q4XX-349R stigmem-node: quarantine review surface exposes and mutates other tenants' quarantined facts (cross-tenant BOLA)

Summary On a multi-tenant stigmem node, a tenant administrator could list, read, and admit or reject quarantined facts belonging to other tenants. The list/count queries and getquarantinedfact in routes/quarantine.py lacked an f.tenantid = identity.tenantid predicate, and the garden lookup was no...

CVSS 8.6, AI score 5.5
Exploits 0, References 3

OSV, added yesterday, 3 views

GHSA-X26H-XMV8-GXF7 stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA)

Summary On a multi-tenant stigmem node, RTBF right-to-be-forgotten tombstones were mis-scoped two ways. 1 issuetombstone defaulted the tenant to "default" instead of the caller's tenant, so tombstones could be written to the wrong tenant. 2 The read-suppression path — gettombstonefilter...

CVSS 7.2, AI score 5.5
Exploits 0, References 3

OSV, added yesterday, 2 views

GHSA-6V7P-G79W-8964 MessagePack for Python: Out-of-bounds read / crash on Unpacker reuse after a caught error

Impact If the Unpacker is used repeatedly after an error occurs, the process may crash with a SEGV. If the Unpacker is used repeatedly to unpack untrusted input from external sources, it may be vulnerable to a DoS attack. Patches v1.2.1 Workarounds Users should create a new Unpacker instead of...

CVSS 7.5, AI score 5.8
Exploits 0, References 4

OSV, added yesterday, 2 views

GHSA-6VXV-WG6J-5QWP Gogs: XSS in .ipynb files renderer due to outdated notebookjs

Summary Gogs renders Jupyter notebook files .ipynb using jsvine/notebookjs, but the version is outdated, missing patches for known XSS vulnerabilities. Details Gogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:...

CVSS 8.5, AI score 5.8
Exploits 0, References 2

OSV, added yesterday, 2 views

GHSA-97PR-9HGG-3P8R parse-server: LiveQuery discloses object data to a subscriber across an ACL read-access change

Impact A Parse Server LiveQuery subscriber can receive object field values they are not authorized to read when a single save changes both an object field and the subscriber's ACL read access to that object. When such a save removes the subscriber's read access, the resulting leave event still...

CVSS 2.3, AI score 5.9
Exploits 0, References 4

OSV, added yesterday, 3 views

GHSA-MRVX-JMJW-VGGC SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read`

DNS-resolved Private Hostname SSRF in weburlread Summary The weburlread MCP tool in mcp-searxng is vulnerable to Server-Side Request Forgery SSRF via DNS rebinding bypass. The assertUrlAllowed function at src/url-reader.ts:85-93 validates only the syntactic hostname string against a private...

CVSS 7.1, AI score 6
Exploits 0, References 2

OSV, added yesterday, 2 views

GHSA-XCQX-9JF5-W339 SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read`

Unbounded Response Body Read Bypasses URL Size Limit in weburlread Summary The weburlread MCP tool in mcp-searxng enforces its 5 MiB response-size limit exclusively by inspecting the Content-Length header of a preliminary HEAD request. When a server omits Content-Length — a standard HTTP practice...

CVSS 7.5, AI score 6.1
Exploits 0, References 2

OSV, added yesterday, 2 views

GHSA-48X2-6PR9-2JJF Network-AI: EnvironmentManager.restore() backup ID path traversal copies arbitrary directories into environment data

Summary EnvironmentManager.restoreenv, backupId computes the backup path with joinenvDir, '.backups', backupId and only checks that this path exists. It does not resolve the result or verify that it remains under data//.backups. A caller can pass a traversal backup ID such as...

CVSS 6.1, AI score 6
Exploits 0, References 4

OSV, added yesterday, 3 views

GHSA-6X2M-P4XP-WG22 Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups

Summary EnvironmentManager.backup recursively collects files using collectBackupFiles. collectBackupFiles uses statSyncfull, which follows symlinks. If data/ contains a symlink to a directory outside the environment root, backup recursion follows the symlink and copies external files into...

CVSS 5.5, AI score 5.9
Exploits 0, References 4

OSV, added yesterday, 2 views

GHSA-MXJX-28VX-XJJJ Network-AI: ApprovalInbox HTTP server has no authentication — anyone can approve pending agent actions

Summary network-ai's ApprovalInbox lib/approval-inbox.ts is a shipped, exported, documented feature — "a web-accessible approval queue with REST API … and SSE streaming" SECURITY.md. It is the network surface of the human-in-the-loop Approval Gate, which ApprovalGate uses to require explicit huma...

CVSS 5.9, AI score 6.1
Exploits 0, References 4

OSV, added yesterday, 2 views

GHSA-JVCM-F35G-W78P Network-AI: AgentRuntime sandbox path-prefix checks allow file access outside the configured base directory

Summary AgentRuntime promises scoped file access under a configured sandbox basePath, but its path containment checks use raw string prefix tests. A sandbox base such as /tmp/network-ai-sandbox also matches a sibling path such as /tmp/network-ai-sandboxevil/secret.txt. An agent/user that can call...

CVSS 6.5, AI score 5.9
Exploits 0, References 4

OSV, added yesterday, 3 views

GHSA-2FMP-9RVW-HC96 Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning

Summary EnvironmentManager.listBackups reads each backup's manifest.json and trusts the manifest's path field. EnvironmentManager.pruneBackups later passes that trusted entry.path directly to rmSyncentry.path, recursive: true, force: true . An attacker who can place or modify a manifest inside...

CVSS 7.1, AI score 6.1
Exploits 0, References 4

OSV, added yesterday, 2 views

GHSA-9C83-RR99-VFWJ MCPVault: PathFilter restricted directories (.git/.obsidian/node_modules) only denied at vault root, not nested

PathFilter's deny-list glob patterns are anchored, so .git, .obsidian, and nodemodules were only blocked at the vault root. Nested copies inside the vault e.g. tools/cli/nodemodules/..., tools/somerepo/.git/config, a nested .obsidian/ were fully traversable via isAllowed/isAllowedForListing...

CVSS 6.9, AI score 5.9
Exploits 0, References 2

OSV, added yesterday, 2 views

GHSA-H5JC-78HR-3PC9 Sveltia CMS: Stored XSS in Markdown/RichText preview via unsandboxed same-origin iframe

Impact A stored cross-site scripting XSS vulnerability affected the Markdown/RichText field preview renderer in Sveltia CMS. The DOMPurify sanitization configuration used for Markdown previews explicitly permitted iframe elements without enforcing a sandbox attribute or restricting iframe sources...

CVSS 4.8, AI score 5.6
Exploits 0, References 4

OSV, added yesterday, 2 views

GHSA-P9XJ-FPR2-JF2Q symfony/ux-toolkit: Path Traversal Allows Arbitrary File Write and Read via Crafted Recipe Manifest

Description The ux:install console command installs files from a recipe kit by copying paths listed in a copy-files map. The only guard against malicious paths was Path::isRelative, which returns true for paths like ../../../etc. Path::join then resolves the .. segments without complaint, so the...

CVSS 7.8, AI score 6.1
Exploits 0, References 3

OSV, added yesterday, 2 views

GHSA-6V8J-33HC-MV84 symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses

Description The uxicon Twig function is marked issafe='html', so Twig never escapes its output. Icon::toHtml inlines the SVG source verbatim into the page. Browsers execute elements and on event-handler attributes found inside inline SVG, making any unsanitized icon a vector for cross-site...

CVSS 6.1, AI score 6
Exploits 0, References 3

OSV, added yesterday, 2 views

GHSA-4VRG-R928-H5VV SpiceDB: Checks involving relations with caveats can result in unconditional permission when conditional permission is expected

Impact Under concurrency, CheckPermission and CheckBulkPermissions can return PERMISSIONSHIPHASPERMISSION for a resource, permission, subject whose correct answer is PERMISSIONSHIPCONDITIONALPERMISSION. You are impacted if all of the following hold: 1. Your schema has a permission combining...

CVSS 3.7, AI score 5.8
Exploits 0, References 2

OSV, added yesterday, 2 views

GHSA-8W8F-R2XV-4Q4J OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types

On OpenBao 2.5.4 and 2.5.2 (and likely earlier versions also), an authenticated caller with write access to transit/keys/ can crash the OpenBao server by issuing a single key-creation request that combines an asymmetric type rsa-, ecdsa-, ed25519 with derived: true. The server returns no HTTP respon...

CVSS 6.5, AI score 6
Exploits 0, References 5

OSV, added yesterday, 2 views

GHSA-MWR2-WMGP-CRJ6 OpenBao's System Backend allows Unauthorized Management of the containing Namespace

Summary A user that is granted namespace management /sys/namespaces capabilities within a non-root namespace "the victim namespace" can abuse special handling of the literal path "root" in namespace path canonicalization to manage the victim namespace itself. Details Several endpoints under...

CVSS 2.3, AI score 6
Exploits 0, References 4

OSV, added yesterday, 2 views

GHSA-C36X-H252-G9X2 OpenBao: Cross-namespace lease revocation/renewal via canonical sys/leases/{revoke,renew} — incomplete fix of CVE-2026-45808

Summary OpenBao users with access to the sys/leases/revoke/:leaseid endpoint in any namespace can revoke leases in any other namespace as long as the lease identifier is known to them, bypassing ACLs that should apply for cross-namespace revocations. Impact OpenBao's namespaces provide multi-tena...

CVSS 2.1, AI score 5.8
Exploits 0, References 5

OSV, added yesterday, 2 views

GHSA-6MWX-4547-5VC9 OpenBao: LDAPi ldaputil (wrong escape func)

Description Component sdk/helper/ldaputil/client.go — the shared LDAP utility library used by both the LDAP authentication backend and OpenLDAP secrets engine to construct LDAP search filters and bind DNs. Root Cause The LDAP utility contains a function selection error that causes incorrect...

CVSS 6.8, AI score 6.1
Exploits 0, References 5

OSV, added yesterday, 3 views

GHSA-5C7P-G73Q-RPG5 StarCitizenWiki Extension Embed Video: Stored XSS via malformed src url with $wgEmbedVideoRequireConsent enabled

Summary With $wgEmbedVideoRequireConsent enabled (the default), the URLs for videos are stored in a json-ified data attribute data-mw-iframeconfig. When given a malformed URL or id, the data-mw-iframeconfig attribute can be escaped via single quotes, allowing for html/javascript injection. Details T...

CVSS 7.5, AI score 6
Exploits 0, References 4

OSV, added yesterday, 2 views

ECHO-384F-89A4-EA70

Bulletin has no description...

CVSS 7.8, AI score 5.8, EPSS 0.00119
Exploits 0, References 1

OSV, added yesterday, 2 views

GHSA-WWF9-7JRC-RV4Q Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure

Summary A Stored Cross-Site Scripting XSS issue previously existed in the Text Widget in Board of Outerbase Studio where unsanitized HTML could be rendered using dangerouslySetInnerHTML Steps to Reproduce 1. Create a new dashboard. 2. Add a Text widget. 3. Insert the following payload: html...

CVSS 4.4, AI score 5.8
Exploits 0, References 3

OSV, added yesterday, 3 views

GHSA-CCV6-R384-XP75 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit

Summary All components based on BaseFileComponent are vulnerable to the following vulnerability: 1. Docling DoclingInlineComponent 2. Docling Serve DoclingRemoteComponent 3. Read File FileComponent 4. NVIDIA Retriever Extraction NvidiaIngestComponent 5. Video File VideoFileComponent 6. Unstructur...

CVSS 9.6, AI score 6.3
Exploits 0, References 3

OSV, added yesterday, 2 views

GHSA-QWQC-P3Q8-WCG9 Langflow: Unauthenticated DoS through multipart form boundary file upload

Summary An attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time. Details...

CVSS 7.5, AI score 5.9
Exploits 0, References 4

Total number of security vulnerabilities: 884591