π¨ CVE-2026-14454
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed.
Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process.
An attacker could craft an image with EXIF data that terminates a worker process.
π@cveNotify
Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed.
Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process.
An attacker could craft an image with EXIF data that terminates a worker process.
π@cveNotify
π¨ CVE-2026-15053
Tanium addressed a denial of service vulnerability in Tanium Server.
π@cveNotify
Tanium addressed a denial of service vulnerability in Tanium Server.
π@cveNotify
π¨ CVE-2026-56297
FreeRDP before 3.22.0 contains a use-after-free vulnerability in dvcman_channel_close and dvcman_call_on_receive due to improper synchronization of channel_callback access. A malicious RDP server can trigger a race condition by sending DYNVC_DATA and DYNVC_CLOSE messages concurrently, causing heap-use-after-free in the drdynvc client thread and potentially enabling remote code execution or denial of service.
π@cveNotify
FreeRDP before 3.22.0 contains a use-after-free vulnerability in dvcman_channel_close and dvcman_call_on_receive due to improper synchronization of channel_callback access. A malicious RDP server can trigger a race condition by sending DYNVC_DATA and DYNVC_CLOSE messages concurrently, causing heap-use-after-free in the drdynvc client thread and potentially enabling remote code execution or denial of service.
π@cveNotify
GitHub
Use After Free and Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in FreeRDP
Summary
...
...
π¨ CVE-2026-10706
In Adaloβs no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.
π@cveNotify
In Adaloβs no-code app builder, (Versions 1 and 2) the attackers may extract full user records and correlate user behavior across multiple applications via dbId enumeration. The platform does not implement data minimization, privacy by design, or implement appropriate technical safeguards, allowing sensitive information to be exposed to unauthorized parties.
π@cveNotify
kb.cert.org
CERT/CC Vulnerability Note VU#849433
Adalo Database API Enables Cross-App User Data Extraction via Over-Fetching and Missing Authorization Controls
π¨ CVE-2026-10708
This vulnerability enables largeβscale data harvesting without requiring appβspecific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, longβlived twentyβday JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.
π@cveNotify
This vulnerability enables largeβscale data harvesting without requiring appβspecific secrets. A single request to a minimal leaderboard component may return user records containing emails, UUIDs, and custom fields. The combination of wildcard CORS behavior, longβlived twentyβday JWTs, and the absence of token revocation allows attackers to gather sensitive personal information from any Adalo application.
π@cveNotify
kb.cert.org
CERT/CC Vulnerability Note VU#849433
Adalo Database API Enables Cross-App User Data Extraction via Over-Fetching and Missing Authorization Controls
π¨ CVE-2026-54344
ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a deploy command to execute shell commands on the CI runner and exfiltrate deployment secrets. This issue is reported as fixed in version 3.20.180.
π@cveNotify
ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a deploy command to execute shell commands on the CI runner and exfiltrate deployment secrets. This issue is reported as fixed in version 3.20.180.
π@cveNotify
GitHub
Unauthenticated Secret Exfiltration via Comment Body Shell Injection in ToolJet/ToolJet
## Summary
The `ToolJet/ToolJet` repository's GitHub Actions workflow `render-preview-deploy.yml` injects `${{ github.event.comment.body }}` directly into a bash conditional in a `run:` step...
The `ToolJet/ToolJet` repository's GitHub Actions workflow `render-preview-deploy.yml` injects `${{ github.event.comment.body }}` directly into a bash conditional in a `run:` step...
π¨ CVE-2026-55761
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In versions 2.39.0 through 2.39.3 and 2.40.0 until 2.43.0, unauthenticated restore and administrator initialization endpoints (/api/restore and /api/users/admin/init) remain accessible during the five-minute setup window for uninitialized instances, allowing a network attacker to restore a crafted backup or create the first administrator account and gain full administrative access. This issue is fixed in versions 2.39.4 and 2.43.0.
π@cveNotify
Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. In versions 2.39.0 through 2.39.3 and 2.40.0 until 2.43.0, unauthenticated restore and administrator initialization endpoints (/api/restore and /api/users/admin/init) remain accessible during the five-minute setup window for uninitialized instances, allowing a network attacker to restore a crafted backup or create the first administrator account and gain full administrative access. This issue is fixed in versions 2.39.4 and 2.43.0.
π@cveNotify
GitHub
feat(security): require setup token for admin init and restore [BE-13β¦ Β· portainer/portainer@49f1910
β¦029] (#2836)
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <noreply@anthropic.com>
π¨ CVE-2026-59261
OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries.
π@cveNotify
OpenClaw before 2026.5.28 contains a credential exposure vulnerability where workspace dotenv files can override provider credentials. Attackers with lower-trust access to configured input paths can expose sensitive data and credentials that should remain within trusted boundaries.
π@cveNotify
GitHub
Workspace dotenv files could override provider credentials
### Summary
Workspace dotenv files could override provider credentials. In affected versions, a lower-trust caller or configured input path could expose data or credentials that should have remain...
Workspace dotenv files could override provider credentials. In affected versions, a lower-trust caller or configured input path could expose data or credentials that should have remain...
π¨ CVE-2026-59883
Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix matching to domains such as 192.168.0.1, [::1], or 1, allowing cross-host cookie disclosure, cookie injection, or session fixation. This issue is fixed in version 7.12.3.
π@cveNotify
Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix matching to domains such as 192.168.0.1, [::1], or 1, allowing cross-host cookie disclosure, cookie injection, or session fixation. This issue is fixed in version 7.12.3.
π@cveNotify
GitHub
Treat IP cookie domains as exact-only (#3694) Β· guzzle/guzzle@b9944c1
Guzzle, an extensible PHP HTTP client. Contribute to guzzle/guzzle development by creating an account on GitHub.
π¨ CVE-2026-59922
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
π@cveNotify
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
π@cveNotify
GitHub
fix(formatting): avoid quadratic marker scans Β· lepture/mistune@96d0f57
A fast yet powerful Python Markdown parser with renderers and plugins. - fix(formatting): avoid quadratic marker scans Β· lepture/mistune@96d0f57
π¨ CVE-2026-59923
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version 3.3.0.
π@cveNotify
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, HTMLRenderer.safe_url() does not block percent-encoded javascript URIs, allowing attacker-supplied Markdown links or images to bypass URL protections and execute script in rendered HTML. This issue is fixed in version 3.3.0.
π@cveNotify
GitHub
fix(renderer): block encoded unsafe URL schemes Β· lepture/mistune@c7101fc
A fast yet powerful Python Markdown parser with renderers and plugins. - fix(renderer): block encoded unsafe URL schemes Β· lepture/mistune@c7101fc
π¨ CVE-2026-59924
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory when markdown files are processed using md.read(). This issue is fixed in version 3.3.0.
π@cveNotify
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse() joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory when markdown files are processed using md.read(). This issue is fixed in version 3.3.0.
π@cveNotify
GitHub
fix(directives): constrain include targets Β· lepture/mistune@1bef343
A fast yet powerful Python Markdown parser with renderers and plugins. - fix(directives): constrain include targets Β· lepture/mistune@1bef343
π¨ CVE-2026-59925
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0.
π@cveNotify
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0.
π@cveNotify
GitHub
refactor: refactor on parser, support all commonmark rules Β· lepture/mistune@5de41fb
A fast yet powerful Python Markdown parser with renderers and plugins. - refactor: refactor on parser, support all commonmark rules Β· lepture/mistune@5de41fb
π¨ CVE-2026-59926
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.
π@cveNotify
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_admonition() in src/mistune/directives/admonition.py concatenates the Admonition directive :class: option into the HTML class attribute without escaping, allowing attribute injection and cross-site scripting even when HTMLRenderer escape mode is enabled. This issue is fixed in version 3.2.1.
π@cveNotify
GitHub
fix: escape html text Β· lepture/mistune@a3cb6e5
A fast yet powerful Python Markdown parser with renderers and plugins. - fix: escape html text Β· lepture/mistune@a3cb6e5
π¨ CVE-2026-59928
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
π@cveNotify
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.
π@cveNotify
GitHub
fix(block): avoid quadratic ref link scans Β· lepture/mistune@2b04d7b
A fast yet powerful Python Markdown parser with renderers and plugins. - fix(block): avoid quadratic ref link scans Β· lepture/mistune@2b04d7b
π¨ CVE-2026-59929
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:, and res: to reach rendered href and src attributes and potentially execute script in affected user agents. This issue is fixed in version 3.3.0.
π@cveNotify
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the safe_url filter in src/mistune/renderers/html.py blocks only javascript:, vbscript:, file:, and data: schemes, allowing legacy or chained schemes such as feed:, view-source:, jar:, livescript:, mocha:, ms-its:, mk:, and res: to reach rendered href and src attributes and potentially execute script in affected user agents. This issue is fixed in version 3.3.0.
π@cveNotify
GitHub
fix(renderer): block encoded unsafe URL schemes Β· lepture/mistune@c7101fc
A fast yet powerful Python Markdown parser with renderers and plugins. - fix(renderer): block encoded unsafe URL schemes Β· lepture/mistune@c7101fc
π¨ CVE-2026-59930
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N values without slugifying the heading text, allowing attacker-controlled id="toc_N" content to collide with generated anchors and redirect same-page navigation, CSS selectors, or JavaScript handlers. This issue is fixed in version 3.3.0.
π@cveNotify
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N values without slugifying the heading text, allowing attacker-controlled id="toc_N" content to collide with generated anchors and redirect same-page navigation, CSS selectors, or JavaScript handlers. This issue is fixed in version 3.3.0.
π@cveNotify
GitHub
fix(toc): avoid generated id collisions Β· lepture/mistune@c4093c4
A fast yet powerful Python Markdown parser with renderers and plugins. - fix(toc): avoid generated id collisions Β· lepture/mistune@c4093c4
π¨ CVE-2026-50812
A NULL pointer dereference in the SQLite Session Extension in SQLite 3.53.1 and SQLite trunk builds before check-in e807d4e3798efd53 allows an attacker who can supply a malformed changeset blob to cause a denial of service. The issue occurs when sqlite3changeset_apply_v3() applies a corrupt changeset and reaches sqlite3_value_type() with a NULL sqlite3_value pointer.
π@cveNotify
A NULL pointer dereference in the SQLite Session Extension in SQLite 3.53.1 and SQLite trunk builds before check-in e807d4e3798efd53 allows an attacker who can supply a malformed changeset blob to cause a denial of service. The issue occurs when sqlite3changeset_apply_v3() applies a corrupt changeset and reaches sqlite3_value_type() with a NULL sqlite3_value pointer.
π@cveNotify
Gist
gist:bb556f333957c5226dede314db0e9e91
GitHub Gist: instantly share code, notes, and snippets.
π¨ CVE-2026-50813
An issue in SQLite before Fossil check-in 869a51ae84df allows a local attacker to obtain sensitive information via the Session Extension changeset concat/changegroup merge path
π@cveNotify
An issue in SQLite before Fossil check-in 869a51ae84df allows a local attacker to obtain sensitive information via the Session Extension changeset concat/changegroup merge path
π@cveNotify
Gist
gist:f8acb66bafb80134c8e1a1c8c7c9f4f4
GitHub Gist: instantly share code, notes, and snippets.
π¨ CVE-2026-58501
Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbid_external is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fixed in version 4.3.3.
π@cveNotify
Zeep is a Python SOAP client. From 4.0.0 before 4.3.3, Settings.forbid_external is defined but not enforced when parsing WSDL or XSD documents, allowing transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker-chosen HTTP or HTTPS URLs. This issue is fixed in version 4.3.3.
π@cveNotify
GitHub
Wire up forbid_external setting to block transitive remote loads Β· mvantellingen/python-zeep@83eb07b
The forbid_external setting was defined but unused since the move off
defusedxml in 4.0. When enabled it now refuses to transitively fetch
http/https resources via xsd:import, xsd:include, wsdl:imp...
defusedxml in 4.0. When enabled it now refuses to transitively fetch
http/https resources via xsd:import, xsd:include, wsdl:imp...
π¨ CVE-2026-15170
Z39.50 protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
π@cveNotify
Z39.50 protocol dissector crash in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service
π@cveNotify
GitLab
[Security] Z39.50 MARC21 dissector: heap overflow (directory entry count floor/ceil mismatch) in dissect_marc_record() (ANT-2026β¦
I am writing to report a heap-buffer-overflow (write) that is triggerable by way of the Wireshark fuzzing harness fuzzshark There is a slight patch needed on