CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.


© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad

about 4 hours ago • CVE-2026-45369 • 10.0

CVE-2026-45369: OS Command Injection in python-utcp CLI Protocol

CVE-2026-45369 is a critical OS command injection vulnerability in the python-utcp library resulting from unsafe argument substitution in the CLI communication protocol. Unauthenticated attackers can execute arbitrary shell commands via specially crafted tool arguments.

Alon Barad
6 views•7 min read
about 5 hours ago • CVE-2026-45370 • 7.7

CVE-2026-45370: Environment Variable Leak in python-utcp CLI Subprocesses

The python-utcp library improperly exposes the host application's full environment variables to spawned subprocesses via os.environ.copy(). When combined with an existing command injection flaw, attackers can exfiltrate all host secrets in a single request.

Alon Barad
5 views•6 min read
about 5 hours ago • CVE-2026-45411 • 9.8

CVE-2026-45411: Remote Code Execution via Sandbox Escape in vm2 Async Generator Implementation

CVE-2026-45411 is a critical sandbox breakout vulnerability in the vm2 library for Node.js, allowing attackers to achieve remote code execution on the host system. The flaw stems from an inconsistency in how the V8 JavaScript engine handles async generators during delegation and abrupt completions, enabling an attacker to smuggle a host-realm error object into the sandbox.

Amit Schendel
4 views•8 min read
about 8 hours ago • GHSA-7RX4-C5VX-G8W3 • 8.6

GHSA-7RX4-C5VX-G8W3: Server-Side Request Forgery Bypass in Karakeep Metadata Extraction Workers

A critical Server-Side Request Forgery (SSRF) vulnerability exists in the Karakeep metadata extraction process prior to version 0.32.0. The flaw allows attackers to bypass primary URL validation and target internal network resources or cloud metadata services via crafted webpage metadata.

Alon Barad
5 views•5 min read
about 9 hours ago • GHSA-9M65-766C-R333 • 7.1

GHSA-9M65-766C-R333: Type Confusion in Seroval Leading to Unintended Function Execution in TanStack Start

A type confusion vulnerability in the `seroval` deserialization library (CWE-843) exposes TanStack Start server functions to unintended sibling function invocation. Upstream, this flaw can lead to remote code execution (CVE-2026-23737).

Alon Barad
6 views•6 min read
about 11 hours ago • GHSA-7G73-99R4-M4MJ • 7.5

GHSA-7G73-99R4-M4MJ: Credential Data Leak in FlowiseAI API Responses

FlowiseAI versions prior to 3.1.2 suffer from a CWE-200 Information Exposure vulnerability. The application's credential management API inadvertently returns the `encryptedData` field containing ciphertext for sensitive integrations in its JSON responses.

Alon Barad
5 views•5 min read
about 12 hours ago • CVE-2026-42793 • 8.2

CVE-2026-42793: Unauthenticated Remote Denial of Service in Absinthe GraphQL via Atom Exhaustion

CVE-2026-42793 is a critical resource exhaustion vulnerability in the Absinthe GraphQL library for Elixir. Unauthenticated attackers can exploit unsafe atom creation during Schema Definition Language (SDL) parsing to trigger a system-wide crash of the Erlang Virtual Machine (BEAM).

Alon Barad
5 views•6 min read
about 13 hours ago • CVE-2026-43967 • 8.7

CVE-2026-43967: Denial of Service via Algorithmic Complexity in Absinthe GraphQL Fragment Validation

Absinthe, an Elixir GraphQL toolkit, is vulnerable to a Denial of Service (DoS) condition due to inefficient algorithmic complexity in its document validation phase. Unauthenticated attackers can exhaust server resources by submitting GraphQL requests with heavily duplicated fragment definitions.

Alon Barad
6 views•6 min read
about 13 hours ago • CVE-2026-8178 • 8.1

CVE-2026-8178: Remote Code Execution via Unsafe Reflection in Amazon Redshift JDBC Driver

The Amazon Redshift JDBC Driver prior to version 2.2.2 contains a remote code execution vulnerability. The driver processes connection properties beginning with the `datatype.` prefix by passing the user-supplied value to `Class.forName()`. This allows attackers who control JDBC connection strings to load arbitrary classes and execute malicious code via static initializers within the application's JVM context.

Amit Schendel
5 views•7 min read
about 20 hours ago • CVE-2026-42945 • 8.1

CVE-2026-42945: Heap-based Buffer Overflow in NGINX ngx_http_rewrite_module

A heap-based buffer overflow vulnerability exists in the NGINX ngx_http_rewrite_module due to an inconsistency in the two-pass script execution engine. Discovered by depthfirst, this flaw allows unauthenticated remote attackers to trigger memory corruption under specific configuration conditions, resulting in denial of service or remote code execution.

Amit Schendel
188 views•8 min read
1 day ago • GHSA-VW82-7FV8-R6GP • 9.3

GHSA-vw82-7fv8-r6gp: Authorization Bypass in Obot MCP Gateway via Insecure Route Configuration

An authorization bypass vulnerability in the Obot MCP Gateway allows authenticated users to access arbitrary Model Context Protocol (MCP) servers without possessing the required Access Control Rules (ACR) or ownership privileges, leading to unauthorized interaction with external tools and data sources.

Alon Barad
8 views•7 min read
1 day ago • GHSA-V25J-WQCW-FVHJ • 7.5

GHSA-V25J-WQCW-FVHJ: Uncontrolled Resource Consumption via Unbounded Date Sequences in wger

wger is susceptible to an authenticated Denial of Service (DoS) vulnerability due to uncontrolled resource consumption (CWE-400). The flaw resides in the application's handling of date sequences within routine configurations, allowing authenticated attackers to exhaust server resources by defining enormous date ranges.

Alon Barad
8 views•5 min read

Automated vulnerability intelligence. 1,734+ reports.