π¨ CVE-2025-48023
A vulnerability has been found in Vnet/IP Interface Package provided by Yokogawa Electric Corporation.
If affected product receives maliciously crafted packets, Vnet/IP software stack process may be terminated.
The affected products and versions are as follows: Vnet/IP Interface Package (for CENTUM VP R6 VP6C3300, CENTUM VP R7 VP7C3300) R1.07.00 or earlier
π@cveNotify
A vulnerability has been found in Vnet/IP Interface Package provided by Yokogawa Electric Corporation.
If affected product receives maliciously crafted packets, Vnet/IP software stack process may be terminated.
The affected products and versions are as follows: Vnet/IP Interface Package (for CENTUM VP R6 VP6C3300, CENTUM VP R7 VP7C3300) R1.07.00 or earlier
π@cveNotify
π¨ CVE-2026-0872
Improper Certificate Validation vulnerability in Thales SafeNet Agent for Windows Logon on Windows allows Signature Spoofing by Improper Validation.This issue affects SafeNet Agent for Windows Logon: 4.0.0, 4.1.1, 4.1.2.
π@cveNotify
Improper Certificate Validation vulnerability in Thales SafeNet Agent for Windows Logon on Windows allows Signature Spoofing by Improper Validation.This issue affects SafeNet Agent for Windows Logon: 4.0.0, 4.1.1, 4.1.2.
π@cveNotify
Thalesgroup
Knowledge Article - Thales Support Portal
- Agent - Product Description The SafeNet Agent for Windows Logon is a Two-Factor Authentication (2FA) solution
π₯1
π¨ CVE-2025-33042
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.
This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.
Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
π@cveNotify
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.
This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.
Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
π@cveNotify
π¨ CVE-2026-2443
A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.
π@cveNotify
A flaw was identified in libsoup, a widely used HTTP library in GNOME-based systems. When processing specially crafted HTTP Range headers, the library may improperly validate requested byte ranges. In certain build configurations, this could allow a remote attacker to access portions of server memory beyond the intended response. Exploitation requires a vulnerable configuration and access to a server using the embedded SoupServer component.
π@cveNotify
π¨ CVE-2025-33042
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.
This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.
Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
π@cveNotify
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.
This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.
Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.
π@cveNotify
π¨ CVE-2024-43468
Microsoft Configuration Manager Remote Code Execution Vulnerability
π@cveNotify
Microsoft Configuration Manager Remote Code Execution Vulnerability
π@cveNotify
π¨ CVE-2025-59473
SQL Injection vulnerability in the Structure for Admin authenticated user
π@cveNotify
SQL Injection vulnerability in the Structure for Admin authenticated user
π@cveNotify
HackerOne
ExpressionEngine disclosed on HackerOne: SQL injection in structure...
Title: SQL Injection in Structure Plugin
Vulnerability: An SQL injection flaw was discovered in ExpressionEngine's Structure plugin, specifically in the delete_channels() function. User input from...
Vulnerability: An SQL injection flaw was discovered in ExpressionEngine's Structure plugin, specifically in the delete_channels() function. User input from...
π¨ CVE-2025-40536
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
π@cveNotify
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
π@cveNotify
π¨ CVE-2025-15556
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
π@cveNotify
Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user.
π@cveNotify
Community
Notepad++ v8.8.9: Vulnerability-fix
Notepad++ release 8.8.9 is available: https://notepad-plus-plus.org/news/v889-released/ Notepad++ v8.8.9 new security enhancement, new features, regression f...
π¨ CVE-2026-20700
A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.
π@cveNotify
A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 26.3, tvOS 26.3, macOS Tahoe 26.3, visionOS 26.3, iOS 26.3 and iPadOS 26.3. An attacker with memory write capability may be able to execute arbitrary code. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26. CVE-2025-14174 and CVE-2025-43529 were also issued in response to this report.
π@cveNotify
Apple Support
About the security content of iOS 26.3 and iPadOS 26.3 - Apple Support
This document describes the security content of iOS 26.3 and iPadOS 26.3.
π¨ CVE-2023-31313
An unintended proxy or intermediary in the AMD power management firmware (PMFW) could allow a privileged attacker to send malformed messages to the system management unit (SMU) potentially resulting in arbitrary code execution.
π@cveNotify
An unintended proxy or intermediary in the AMD power management firmware (PMFW) could allow a privileged attacker to send malformed messages to the system management unit (SMU) potentially resulting in arbitrary code execution.
π@cveNotify
AMD
AMD Graphics Driver Vulnerabilities β February 2026
π¨ CVE-2025-49731
Improper handling of insufficient permissions or privileges in Microsoft Teams allows an authorized attacker to elevate privileges over a network.
π@cveNotify
Improper handling of insufficient permissions or privileges in Microsoft Teams allows an authorized attacker to elevate privileges over a network.
π@cveNotify
π¨ CVE-2025-49735
Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network.
π@cveNotify
Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network.
π@cveNotify
π¨ CVE-2025-49737
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Teams allows an authorized attacker to elevate privileges locally.
π@cveNotify
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Teams allows an authorized attacker to elevate privileges locally.
π@cveNotify
π¨ CVE-2025-49756
Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.
π@cveNotify
Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally.
π@cveNotify
π¨ CVE-2026-24763
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClawβs Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.
π@cveNotify
OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClawβs Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29.
π@cveNotify
GitHub
fix(exec): prevent PATH injection in docker sandbox Β· openclaw/openclaw@771f23d
Your own personal AI assistant. Any OS. Any Platform. The lobster way. π¦ - fix(exec): prevent PATH injection in docker sandbox Β· openclaw/openclaw@771f23d
π¨ CVE-2026-25157
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.
π@cveNotify
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29.
π@cveNotify
GitHub
OS Command Injection via Project Root Path in sshNodeCommand
Two related vulnerabilities existed in the macOS application's SSH remote connection handling (`CommandResolver.swift`):
## Details
The `sshNodeCommand` function constructed a shell scrip...
## Details
The `sshNodeCommand` function constructed a shell scrip...
β€1
π¨ CVE-2025-57785
A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution.
π@cveNotify
A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution.
π@cveNotify
GitLab
Blame Β· src/xslt.c Β· master Β· Hugo Leisink / Hiawatha web server Β· GitLab
Hiawatha is an open source webserver with security, easy to use and lightweight as the three key features. Hiawatha supports among others (Fast)CGI, IPv6, URL rewriting and reverse...
π¨ CVE-2025-70368
Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
π@cveNotify
Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.
π@cveNotify
GitHub
GitHub - Stolichnayer/CVE-2025-70368: Worklenz version 2.1.5 Stored Cross-Site Scripting (XSS)
Worklenz version 2.1.5 Stored Cross-Site Scripting (XSS) - Stolichnayer/CVE-2025-70368
π¨ CVE-2026-0810
A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences.
π@cveNotify
A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences.
π@cveNotify
π¨ CVE-2026-23864
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
π@cveNotify
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.
π@cveNotify