π¨ CVE-2026-3652
The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value` parameter of the `arf_save_incomplete_form_data` AJAX action in all versions up to, and including, 7.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrator views the "Partial Filled Form Entries" page in the ARForms dashboard.
π@cveNotify
The ARForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `value` parameter of the `arf_save_incomplete_form_data` AJAX action in all versions up to, and including, 7.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that will execute whenever an administrator views the "Partial Filled Form Entries" page in the ARForms dashboard.
π@cveNotify
CodeCanyon
WordPress Contact Form Plugin/Form builder - ARForms
Top Selling WordPress Form Builder Plugin
ARForms is top selling WordPress form builder plugin of 2025. Build finest respons...
ARForms is top selling WordPress form builder plugin of 2025. Build finest respons...
π¨ CVE-2026-12485
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### IP field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v3 = strlen(g_network_config->ip_addr);
memcpy(&reply_buf[36], g_network_config->ip_addr, v3);
π@cveNotify
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### IP field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v3 = strlen(g_network_config->ip_addr);
memcpy(&reply_buf[36], g_network_config->ip_addr, v3);
π@cveNotify
π¨ CVE-2026-12488
A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2.
A specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability.
π@cveNotify
A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2.
A specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability.
π@cveNotify
π¨ CVE-2026-12846
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### Net Mask field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v6 = strlen(g_network_config->net_mask);
memcpy(&reply_buf[184], g_network_config->net_mask, v6);
π@cveNotify
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### Net Mask field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v6 = strlen(g_network_config->net_mask);
memcpy(&reply_buf[184], g_network_config->net_mask, v6);
π@cveNotify
π¨ CVE-2026-12847
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### Gateway field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v7 = strlen(g_network_config->gateway);
memcpy(&reply_buf[216], g_network_config->gateway, v7);
π@cveNotify
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### Gateway field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v7 = strlen(g_network_config->gateway);
memcpy(&reply_buf[216], g_network_config->gateway, v7);
π@cveNotify
π¨ CVE-2026-12848
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### DNS field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v8 = strlen(g_network_config->dns_addr);
memcpy(&reply_buf[248], g_network_config->dns_addr, v8);
π@cveNotify
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.
DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.
Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:
#### DNS field stack overflow
The following code is vulnerable to a stack overflow that is attacker-controlled:
v8 = strlen(g_network_config->dns_addr);
memcpy(&reply_buf[248], g_network_config->dns_addr, v8);
π@cveNotify
π¨ CVE-2026-12849
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_Net_Mask command injection
The following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)
{
bool v2; // zf
char v4[72]; // [sp+0h] [bp-48h] BYREF
v2 = *this == 0;
if ( *this )
v2 = netmask_addr == 0;
if ( v2 )
return 0;
sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr
system(v4);
return 1;
}
π@cveNotify
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_Net_Mask command injection
The following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)
{
bool v2; // zf
char v4[72]; // [sp+0h] [bp-48h] BYREF
v2 = *this == 0;
if ( *this )
v2 = netmask_addr == 0;
if ( v2 )
return 0;
sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr
system(v4);
return 1;
}
π@cveNotify
π¨ CVE-2026-12850
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_Gate_way command injection
The following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)
{
char s[324]; // [sp+4h] [bp-144h] BYREF
if ( !dev && !*this || !gw )
return 0;
system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0");
system("/sbin/route del default ");
if ( dev )
sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string
else
sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string
system(s);
sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string
system(s);
return 1;
}
π@cveNotify
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_Gate_way command injection
The following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)
{
char s[324]; // [sp+4h] [bp-144h] BYREF
if ( !dev && !*this || !gw )
return 0;
system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0");
system("/sbin/route del default ");
if ( dev )
sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string
else
sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string
system(s);
sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string
system(s);
return 1;
}
π@cveNotify
π¨ CVE-2026-12851
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_DNS_Addr command injection
The following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)
{
int result; // r0
char v5[80]; // [sp+0h] [bp-50h] BYREF
if ( !dns1 )
result = 0;
if ( dns1 )
{
sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field
system(v5);
if ( dns2 )
{
sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2);
system(v5);
}
return 1;
}
return result;
π@cveNotify
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.
`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)
#### CNetSetObj::m_F_n_Set_DNS_Addr command injection
The following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.
int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)
{
int result; // r0
char v5[80]; // [sp+0h] [bp-50h] BYREF
if ( !dns1 )
result = 0;
if ( dns1 )
{
sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field
system(v5);
if ( dns2 )
{
sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2);
system(v5);
}
return 1;
}
return result;
π@cveNotify
π¨ CVE-2026-10735
Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.
π@cveNotify
Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.
π@cveNotify
WPScan
ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server
See details on ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server CVE 2026-10735. View the latest Plugin Vulnerabilities on WPScan.
π¨ CVE-2026-10749
The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.
π@cveNotify
The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.
π@cveNotify
WPScan
Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData
See details on Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData CVE 2026-10749. View the latest Plugin Vulnerabilities on WPScan.
π¨ CVE-2026-10753
The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0 setting that should only be modifiable by administrators.
π@cveNotify
The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0 setting that should only be modifiable by administrators.
π@cveNotify
WPScan
Site Kit by Google < 1.176.0 - Editor+ Email Reporting Settings Update
See details on Site Kit by Google < 1.176.0 - Editor+ Email Reporting Settings Update CVE 2026-10753. View the latest Plugin Vulnerabilities on WPScan.
π¨ CVE-2026-12100
The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0 via the 'url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
π@cveNotify
The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0 via the 'url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
π@cveNotify
π¨ CVE-2025-71354
picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.
π@cveNotify
picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.
π@cveNotify
GitHub
Missing detection when calling built-in python idlelib.debugobj.ObjectTreeItem
### Summary
Using idlelib.debugobj.ObjectTreeItem.SetText, which is a built-in python library function to execute remote pickle file.
### Details
The attack payload executes in the followi...
Using idlelib.debugobj.ObjectTreeItem.SetText, which is a built-in python library function to execute remote pickle file.
### Details
The attack payload executes in the followi...
π¨ CVE-2026-12242
The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string wrapped in W3 Total Cache mfunc or Borlabs Cache fragment markers. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server. This vulnerability requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings.
π@cveNotify
The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 5.17.7 via the 'banner' attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string wrapped in W3 Total Cache mfunc or Borlabs Cache fragment markers. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server. This vulnerability requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings.
π@cveNotify
π¨ CVE-2026-13163
Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.
π@cveNotify
Open redirect vulnerability (CWE-601) in the _safe_redirect function of the click-tracking endpoint (/c/<token>/) in Mailerup <1.0.0 on all platforms allows remote unauthenticated attackers to redirect victims to arbitrary external sites and conduct phishing attacks via a crafted u query parameter, because the URL scheme is validated (blocking javascript: and data:) but the destination host is not restricted to an allowlist, and a signing.BadSignature exception is silently caught so a valid signed token is not required.
π@cveNotify
GitHub
fix(seguridad): cerrar registro anΓ³nimo, fuga de API keys e inyecciones Β· Maalfer/mailerup@99eb6d4
Control de acceso:
- Eliminar RegisterView/RegisterSerializer y la ruta pΓΊblica /api/auth/register/.
Las cuentas solo las crea el admin (/api/auth/users/, IsAdminUser) o
createsuperuser. Cierra...
- Eliminar RegisterView/RegisterSerializer y la ruta pΓΊblica /api/auth/register/.
Las cuentas solo las crea el admin (/api/auth/users/, IsAdminUser) o
createsuperuser. Cierra...
π¨ CVE-2026-12537
Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.
π@cveNotify
Improper Neutralization used in an OS Command in the container launcher in Google Gemini CLI (versions prior to 0.39.1) and run-gemini-cli GitHub Action (versions prior to 0.1.22) on headless CI platforms allows an unprivileged attacker to achieve pre-sandbox host-level code execution a maliciously crafted .gemini/.env file.
π@cveNotify
GitHub
Update to Gemini CLI and run-gemini-cli Trust Model
# Summary
Gemini CLI (`@google/gemini-cli`) and the `run-gemini-cli` GitHub Action are being updated to harden workspace trust and tool allowlisting, in particular when used in untrusted environ...
Gemini CLI (`@google/gemini-cli`) and the `run-gemini-cli` GitHub Action are being updated to harden workspace trust and tool allowlisting, in particular when used in untrusted environ...
π¨ CVE-2026-35025
ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
π@cveNotify
ProFTPD through 1.3.9b and 1.3.10rc2 contains an access control bypass vulnerability that allows authenticated FTP users to circumvent Directory ACL restrictions by prefixing paths with /proc/self/root in the RNFR command handler. Attackers can exploit the unresolved symlink components in dir_canonical_path() to cause dir_check() to perform lexical path comparisons that match no configured Directory block, enabling rename operations on files in DenyAll-protected directories and subsequent retrieval of those files. Mitigation: Sessions configured with DefaultRoot (chroot) are not affected, as chroot changes the directory to which /proc/self/root resolves.
π@cveNotify
www.proftpd.org
The ProFTPD Project: Home
The Official ProFTPD web site. ProFTPD is a high-performance, extremely configurable, and most of all a secure FTP server, featuring Apache-like configuration and blazing performance.
π¨ CVE-2026-42450
OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses `sscanf` with `%s` into 64-byte stack buffers when parsing LUT data lines. Input comes from `lineBuffer[4096]`, so a crafted .spi3d file can overflow by ~4000 bytes on non-Windows. Version 2.5.2 fixes the issue.
π@cveNotify
OpenColorIO is a color management framework for visual effects and animation. Prior to version 2.5.2, `FileFormatSpi3D.cpp:163` uses `sscanf` with `%s` into 64-byte stack buffers when parsing LUT data lines. Input comes from `lineBuffer[4096]`, so a crafted .spi3d file can overflow by ~4000 bytes on non-Windows. Version 2.5.2 fixes the issue.
π@cveNotify
GitHub
Release v2.5.2 Β· AcademySoftwareFoundation/OpenColorIO
This is a bug-fix and security release that addresses CVE-2026-42450 and the other issues described below. It is ABI compatible with 2.5.1.
CVE-2026-42450 affects all prior OCIO 1.x and 2.x version...
CVE-2026-42450 affects all prior OCIO 1.x and 2.x version...
π¨ CVE-2026-57280
Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.
π@cveNotify
Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.
π@cveNotify
Jenkins Security Advisory 2026-06-24
Jenkins β an open source automation server which enables developers around the world to reliably build, test, and deploy their software
π¨ CVE-2026-57281
Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.
π@cveNotify
Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.
π@cveNotify
Jenkins Security Advisory 2026-06-24
Jenkins β an open source automation server which enables developers around the world to reliably build, test, and deploy their software