CVE-2026-40492
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02, the XWD codec resolves pixel format based on `pixmap_depth` but the byte-swap code uses `bits_per_pixel` independently. When `pixmap_depth=8` (BPP8_INDEXED, 1 byte/pixel buffer) but `bits_per_pixel=32`, the byte-swap loop accesses memory as `uint32_t*`, reading/writing 4x the allocated buffer size. This is a different vulnerability from the previously reported GHSA-3g38-x2pj-mv55 (CVE-2026-27168), which addressed `bytes_per_line` validation. Commit 36aa5c7ec8a2bb35f6fb867a1177a6f141156b02 contains a patch.
@cveNotify
GitHub
XWD: Fix handling invalid bpp reported in GHSA-526v-vm72-4v64 · HappySeaFox/sail@36aa5c7
The missing fast imaging library for humans (not for machines). - XWD: Fix handling invalid bpp reported in GHSA-526v-vm72-4v64 · HappySeaFox/sail@36aa5c7
CVE-2026-40493
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit c930284445ea3ff94451ccd7a57c999eca3bc979, the PSD codec computes bytes-per-pixel (`bpp`) from raw header fields `channels * depth`, but the pixel buffer is allocated based on the resolved pixel format. For LAB mode with `channels=3, depth=16`, `bpp = (3*16+7)/8 = 6`, but the format `BPP40_CIE_LAB` allocates only 5 bytes per pixel. Every pixel write overshoots, causing a deterministic heap buffer overflow on every row. Commit c930284445ea3ff94451ccd7a57c999eca3bc979 contains a patch.
GitHub
PSD: Added support BPP48-CIE-LAB reported in GHSA-rcqx-gc76-r9mv · HappySeaFox/sail@c930284
The missing fast imaging library for humans (not for machines). - PSD: Added support BPP48-CIE-LAB reported in GHSA-rcqx-gc76-r9mv · HappySeaFox/sail@c930284
CVE-2026-40494
SAIL is a cross-platform library for loading and saving images with support for animation, metadata, and ICC profiles. Prior to commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302, the TGA codec's RLE decoder in `tga.c` has an asymmetric bounds check vulnerability. The run-packet path (line 297) correctly clamps the repeat count to the remaining buffer space, but the raw-packet path (line 305-311) has no equivalent bounds check. This allows writing up to 496 bytes of attacker-controlled data past the end of a heap buffer. Commit 45d48d1f2e8e0d73e80bc1fd5310cb57f4547302 patches the issue.
GitHub
TGA: Fixed buffer overflow reported in GHSA-cp2j-rwh4-r46f · HappySeaFox/sail@45d48d1
The missing fast imaging library for humans (not for machines). - TGA: Fixed buffer overflow reported in GHSA-cp2j-rwh4-r46f · HappySeaFox/sail@45d48d1
CVE-2026-31987
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors.
Users are advised to upgrade to an Airflow version that contains the fix.
Users are recommended to upgrade to version 3.2.0, which fixes this issue.
GitHub
JWT tokens appearing in task logs · Issue #62428 · apache/airflow
Apache Airflow version 3.1.7 If "Other Airflow 3 version" selected, which one? No response What happened? In task logs, JWT tokens are being exposed. Here is an example: {"timestamp&...
CVE-2026-37100
An issue in the Bluetooth Low Energy (BLE) control interface of the Yamaha SR-B30A sound bar firmware 2.40 (Mobile App: Sound Bar Remote / version: 2.40) allows remote attackers within BLE radio range to connect without authentication via the Sound Bar Remote protocol.
Gist
Yamaha SR-B30A BLE Unauthorized Control Vulnerability
Yamaha SR-B30A BLE Unauthorized Control Vulnerability - gist:02699fbbdff90e6c2078b508f830022b
CVE-2026-5426
A hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks.
GitHub
Vulnerability-Disclosures/2026/MNDT-2026-0009.md at master · mandiant/Vulnerability-Disclosures
CVE-2026-41080
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
GitHub
Find strategy on getting 16 bytes of entropy and existing API (XML_SetHashSalt) together · Issue #47 · libexpat/libexpat
Since version 2.1.0 Expat has a function int XML_SetHashSalt(XML_Parser parser, unsigned long hash_salt) to provide sizeof(unsigned long) custom entropy bytes to Expat. Now SipHash introduced with ...
CVE-2026-4541
A flaw has been found in janmojzis tinyssh up to 20250501. Impacted is an unknown function of the file tinyssh/crypto_sign_ed25519_tinyssh.c of the component Ed25519 Signature Handler. This manipulation causes improper verification of cryptographic signature. The attack is restricted to local execution. The attack's complexity is rated as high. The exploitability is considered difficult. The exploit has been published and may be used. Upgrading to version 20260301 is recommended to address this issue. Patch name: 9c87269607e0d7d20174df742accc49c042cff17. Upgrading the affected component is recommended.
GitHub
GitHub - janmojzis/tinyssh: TinySSH is small server (less than 100000 words of code)
CVE-2026-4542
A vulnerability has been found in SSCMS 4.7.0. The affected element is an unknown function of the file LayerImageController.Submit.cs of the component layerImage Endpoint. Such manipulation of the argument filePaths leads to path traversal. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
Vulnerability Database
CVE-2026-4542 SSCMS layerImage Endpoint LayerImageController.Submit.cs path traversal
A vulnerability has been found in SSCMS 4.7.0. This vulnerability is listed as CVE-2026-4542.
CVE-2026-4568
A vulnerability was found in SourceCodester Sales and Inventory System 1.0. This affects an unknown function of the file /update_supplier.php of the component HTTP GET Request Handler. The manipulation of the argument sid results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.
GitHub
Web-Security-PoCs/Inventory-System/SQLi-UpdateSupplier-sid.md at main · meifukun/Web-Security-PoCs
CVE-2026-4581
A weakness has been identified in code-projects Simple Laundry System 1.0. Affected is an unknown function of the file /checklogin.php of the component Parameters Handler. This manipulation of the argument Username causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.
CVE-2026-4582
A security vulnerability has been detected in Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N. Affected by this vulnerability is an unknown functionality of the component Bluetooth. Such manipulation leads to missing authentication. The attack must be carried out from within the local network. Attacks of this nature are highly complex. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way.
GitHub
m6plusexploit/docs/CVE-1-Authentication.md at main Β· Davim09/m6plusexploit
This repository documents three critical security vulnerabilities discovered in the M6PLUS mobile payment terminal's Bluetooth communication protocol. These vulnerabilities affect M6PLUS te...
CVE-2026-4589
A vulnerability was identified in kalcaddle kodbox 1.64. The affected element is the function PathDriverUrl of the file /workspace/source-code/app/controller/explorer/editor.class.php of the component fileGet Endpoint. Such manipulation of the argument path leads to server-side request forgery. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Vulnerability Database
CVE-2026-4589 kalcaddle kodbox fileGet Endpoint editor.class.php PathDriverUrl server-side request forgery
A vulnerability was identified in kalcaddle kodbox 1.64. This vulnerability is traded as CVE-2026-4589.
CVE-2026-41253
In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conductor encoding path, such as a pathname with an initial ace/c+ substring, aka "hypothetical in-band signaling abuse." This occurs because iTerm2 accepts the SSH conductor protocol from terminal output that does not originate from a legitimate conductor session.
blog.calif.io
MAD Bugs: Even "cat readme.txt" is not safe
Turning "cat readme.txt" into arbitrary code execution in iTerm2.
CVE-2026-25917
Dag Authors, who normally should not be able to execute code in the webserver context, could craft an XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, the severity of this issue is Low.
Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
GitHub
Improve xcom value handling in extra links API by amoghrajesh · Pull Request #61641 · apache/airflow
Was generative AI tooling used to co-author this PR?
No
Updating the extra links API to now use stringify to convert XCom values to human-readable format while trying to get a link in &quo...
CVE-2026-30898
An example of BashOperator in the Airflow documentation suggested a way of passing dag_run.conf that could cause unsanitized user input to be used to escalate the privileges of a UI user and allow code execution on a worker. Users should review whether any of their own DAGs have adopted this incorrect advice.
GitHub
Docs: Fix inconsistency in documents when using `BashOperator` with Jinja templating by sjyangkevin · Pull Request #64129 · apache/airflow
Why
The BashOperator document has a warning about passing dag_run.conf directly into the bash_command. This usage is not suggested. However, in the Core Concepts - Dag Run document, the example use...
CVE-2026-30912
In case of SQL errors, the exception/stack trace was exposed in the API even if "api/expose_stack_traces" was set to false. That could expose additional information to a potential attacker. Users are recommended to upgrade to Apache Airflow 3.2.0, which fixes the issue.
GitHub
Updates exception to hide sql statements on constraint failure by aritra24 · Pull Request #63028 · apache/airflow
The exception handler now hides the sql statement when the expose stacktrace flag is false.
Was generative AI tooling used to co-author this PR?
Yes (please specify the tool below)
Read ...
CVE-2026-32228
A UI / API user with the asset materialize permission could trigger dags they had no access to.
Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.
GitHub
Add additional permission check in asset materialization by pierrejeambrun · Pull Request #63338 · apache/airflow
Enforce 'can trigger dag run' on the asset materialization endpoint.
Was generative AI tooling used to co-author this PR?
Yes (please specify the tool below)
Read the Pul...
CVE-2026-32690
Secrets in Variables saved as JSON dictionaries were not properly redacted: when the variables were retrieved by the user, secrets stored as nested fields were not masked.
If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0, which has the fix implemented.
GitHub
Use default max depth to redact Variable by sjyangkevin · Pull Request #63480 · apache/airflow
Remove max depth setting to redact Variable, this will make it use default.
Was generative AI tooling used to co-author this PR?
Yes (please specify the tool below)
Read the Pull Request Gu...
CVE-2026-41254
Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.
Abhinav Agarwal
A 992-Byte PDF That Crashes Poppler (and an lcms2 Bug That Also Hits OpenJDK and Friends)
lcms2's CubeSize() does a check-after-multiply on a uint32. A crafted ICC profile with ≥5 CLUT channels makes it return a wrapped value, the caller undersizes the CLUT buffer, and the interpolator reads past the end. A 992-byte PDF crashes Poppler; a one…