Archive 2026
Polly 8.7.0 Released
Release of Polly version 8.7.0, a .NET resilience and transient-fault-handling library.
.NET Blog Announces .NET Day of Agentic Modernization Livestream
The .NET Blog announced the .NET Day of Agentic Modernization Livestream event.
Vue 3.5.36 released
Vue 3.5.36 is a new version of the progressive JavaScript framework for building modern web UI.
Vue 3.5.37 Patch Release
Vue 3.5.37 is a patch release of the progressive JavaScript framework for building modern web UI.
Vue 3.5.38 Released
Vue 3.5.38 is now available. This is a release of the progressive JavaScript framework for building modern web UI.
@hulumi/baseline < 1.4.0: GuardDuty and Security Hub reuse bugs fixed
In @hulumi/baseline < 1.4.0, AccountFoundation's reuse mode for GuardDuty and Security Hub had two bugs: (1) GuardDuty reuse did n
@papra/webhooks SSRF Protection Bypass via Redirect Following
The webhook delivery HTTP client follows redirects without validating the redirect target against the blocklist, enabling authenti
vLLM: Revision pinning does not propagate to all artifact load paths
Revision pinning in vLLM does not consistently apply to all artifacts loaded for a model.
litestar AllowedHostsMiddleware trusts X-Forwarded-Host when Host header missing
AllowedHostsMiddleware trusts the X-Forwarded-Host header when the Host header is absent, allowing bypass of host validation.
PDM writes project-local files without symlink protection, allowing arbitrary file clobber
PDM writes project-local state/configuration files (pdm.
@hulumi/policies: AWS IAM trust policy multi-provider detection fix
AWS IAM trust policies listing multiple federated identity providers (e.
@hulumi/policies <1.4.0 URN Spoofing Vulnerability
A security vulnerability in @hulumi/policies <1.
@hulumi/policies <1.4.0: HULUMI-H5 exemption validation bypass
HULUMI-H5 policy in @hulumi/policies <1.
@hulumi/baseline: Audit log S3 bucket immutability bypass in AccountFoundation
AccountFoundation's S3 bucket for CloudTrail and AWS Config audit logs had three vulnerabilities: (1) Object Lock disabled on star
@hulumi/drift: classifier bugs mask attacks and fire false positives
Two bugs in @hulumi/drift classifier: (1) adapter failures were cached as 'all clear' (None/none) for 6 hours, masking real attack
litestar: CSRF cookie XSS via unsafe template pattern
Litestar instances using templates with CSRF protection are vulnerable to HTML injection leading to XSS because the CSRF cookie co
baileys: Message spoofing via placeholderResendMessage
A security vulnerability in baileys allows malicious payloads via placeholderResendMessage to spoof messages, corrupt app state sy
pdm: Path traversal in InstallDestination.write_to_fs() allows arbitrary file write
InstallDestination.write_to_fs() in src/pdm/installers/installers.py overrides the base class to add symlink/hardlink support but
.NET 11 Preview 5 Released with New Features
.NET 11 Preview 5 is out, bringing updates to the runtime, SDK, libraries, ASP.NET Core, .NET MAUI, C#, Entity Framework Core, and
dotnet/runtime v8.0.28: WebSocket fix, JIT fix, CRL cache, QUIC update
Release v8.0.28 of dotnet/runtime includes multiple fixes and dependency updates: WebSocket server now denies unmasked frame recei
dotnet/runtime v9.0.17: WebSocket fix, JIT bug fix, MsQuic update, CRL cache
Release v9.0.17 of dotnet/runtime includes multiple fixes and dependency updates: WebSocket server now denies unmasked frame recei
dotnet/runtime v10.0.9: Bug fixes, optimizations, and dependency updates
Release v10.0.9 includes fixes for docker compose, MetaDataGetDispenser linking in singlefilehost, IJW OverflowException with 17+
symfony/runtime: Incomplete CVE-2024-50340 fix allows argv injection via web SAPI
The original fix for CVE-2024-50340 gated argv reading on empty($_GET).
pheditor: OS Command Injection in Terminal Handler
An OS Command Injection vulnerability was discovered in pheditor's terminal handler.
laravel/framework v13.12.0 released
Version 13.12.0 of laravel/framework has been released on Packagist.
laravel/framework v12.61.0 released
Release of version 12.61.0 of the laravel/framework package on Packagist.
Vue 3.5.35 Patch Release
Patch version 3.5.35 of the progressive JavaScript framework Vue.js has been released.
guzzlehttp/guzzle 7.10.5 Released
Release of version 7.10.5 of guzzlehttp/guzzle.
symfony/http-foundation v8.1.0 released
Version v8.1.0 of symfony/http-foundation provides an object-oriented layer for the HTTP specification.
symfony/console v8.1.0: New Release with Improved CLI Creation
New release of symfony/console v8.
Vite 8.0.15 released
Version 8.0.15 of Vite, a native-ESM powered web dev build tool, was released.
Vite 8.0.16 released
Version 8.0.16 of Vite, a native-ESM powered web dev build tool, was released.
guzzlehttp/guzzle 7.10.6 released
Version 7.10.6 of guzzlehttp/guzzle was released.
Node.js Blog: Node.js v26.3.0 Released
Node.js v26.3.0 is out with notable changes, commits, and contributor updates.
React 19.0.7 Patch Release
React 19.0.7 is a patch release of the React library for building user interfaces.
React 19.1.8 Patch Release
React 19.1.8 is a patch release of the React library for building user interfaces.
guzzlehttp/guzzle 7.11.0 released
Version 7.11.0 of guzzlehttp/guzzle has been released.
django 6.0.6 released
Django 6.0.6 is a new release of the high-level Python web framework.
dotnet/aspire v13.4.1 patch fixes four bugs
Patch release v13.4.1 fixes four bugs: explicit-start resource lifecycle callbacks triggered too early; Redis persistent container
dotnet/aspire 13.4.2 fixes Redis TLS deadlock in persistent containers
Patch release 13.4.2 fixes a deadlock in Redis persistent containers when using TLS, caused by using public host ports instead of
PHPUnit 13.1.14 Patch Release
Release of PHPUnit version 13.1.14, a patch update in the 13.1.x series.
Laravel Framework v12.61.1 Released
Release of version 12.61.1 of the laravel/framework package on Packagist.
PHPUnit 13.2.0 Released
PHPUnit version 13.2.0 has been released.
.NET Blog: Microsoft Build 2026 .NET Sessions Recap
Microsoft Build 2026 included .NET sessions on .NET 11, union types in C#, AI building blocks, the agentic web, .NET MAUI, and mor
dotnet/aspire v13.4.3: persistent container endpoint allocation regression fix
Patch release fixing persistent container endpoint allocation regression: persistent containers now default to proxied endpoint be
Laravel 13.14: JsonSchema::fromArray() and Queue/Job Fixes
Laravel 13.14 adds JsonSchema::fromArray() for converting JSON Schema arrays back into Type objects, queue inheritance fixes, job
laravel/framework v12.62.0 released
Version 12.62.0 of the laravel/framework package has been released.
Nerdbank.MessagePack deserializers vulnerable to memory amplification via collection preallocation
Nerdbank.MessagePack deserializers for collection-shaped types allocate storage based on attacker-controlled element counts from M
Nerdbank.MessagePack: Denial of Service via ExpandoObject Converter
A security advisory was published for Nerdbank.
docling: Fixed XXE, decompression bomb, and unbounded archive extraction in METS-GBS backend
Fixed XXE, decompression bomb, and unbounded archive extraction vulnerabilities in METS-GBS backend.
docling LaTeX Backend Path Traversal Vulnerability Fixed in 2.91.0
The LaTeX backend's handling of \includegraphics, \input, and \include commands lacked path containment validation, allowing path
aiohttp: Cookies sent on cross-origin redirects when using cookies parameter
Cookies set with the `cookies` parameter on requests are sent after following a cross-origin redirect, potentially leaking sensiti
starlette: HTTP Host header validation added for request.url
HTTP Host header is now validated against RFC 9112 §3.
WebOb 1.8.10 fixes Location header normalization bypass
WebOb 1.8.10 fixes a security bypass in Location header normalization where ASCII tab, carriage return, and newline characters cou
strawberry-graphql QueryDepthLimiter DoS via circular fragment spreads
The QueryDepthLimiter extension lacks cycle detection in fragment spreads.
strawberry-graphql MaxAliasesLimiter bypass via FragmentSpreadNode
The MaxAliasesLimiter extension does not count aliases expanded from FragmentSpreadNode, letting attackers bypass alias limits and
kas: Repository replacement vulnerability via tag-based references
A security vulnerability in kas allows an attacker to replace a repository with a malicious one under specific conditions, potenti
AVideo YouTubeAPI Plugin Reflected XSS via search Parameter
Reflected XSS vulnerability in YouTubeAPI plugin: unsanitized $_GET['search'] concatenated into href attributes in plugin/YouTubeA
AVideo YouTubeAPI Plugin Stored XSS via snippet.title
Stored XSS vulnerability in AVideo YouTubeAPI plugin: `snippet.
Shopware Platform: Privilege Escalation via Sync API Bypass
A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admi
Shopware Platform: user_recovery hash exposed via Admin API
The `user_recovery` entity exposes its `hash` field through the Admin API search endpoint (`POST /api/search/user-recovery`), allo
shopware/platform: Non-admin users can escalate to admin via UserController::upsertUser()
UserController::upsertUser() writes user data in SYSTEM_SCOPE and does not filter the admin field, allowing non-admin API users wi
shopware/platform OAuth user repository timing attack vulnerability
A timing attack vulnerability in the OAuth user repository allows enumeration of administrator usernames.
shopware/core: Open redirect via Referer header in SSO endpoint
The public SSO entry point at GET /api/oauth/sso/auth uses the Referer header as a fallback redirect destination when the expected
shopware/platform: Missing ACL checks on order state transition endpoints
Order state transition endpoints in the Admin API are missing ACL privilege checks, allowing low-privileged users to change order
shopware/platform: Missing authorization in /store-api/handle-payment
The Store API endpoint `/store-api/handle-payment` lacks object-level authorization, allowing a low-privileged user to trigger pay
shopware/core: SVG uploads allow stored XSS
SVG files are allowed in the media manager upload whitelist but are not sanitized, enabling stored XSS via malicious SVG content.
shopware/core: Missing IP validation in /api/_action/media/external-link endpoint
The `/api/_action/media/external-link` endpoint in Shopware's core allows authenticated admin users to make server-side HTTP HEAD
nocodb: Shared-view relation endpoints now enforce column visibility check
Public shared-view relation endpoints (`publicMmList`, `publicHmList`, `relDataList`) now verify that the requested column's `show
NocoDB: Reflected XSS in password-reset page via unescaped URL token
The password-reset page in NocoDB had a reflected XSS vulnerability where the URL token was embedded directly into a JavaScript st
NocoDB hashRedirect plugin rejects protocol-relative URLs to fix open redirect
The client-side hashRedirect plugin now rejects protocol-relative URLs (starting with //) to prevent open redirect attacks.
NocoDB: Public shared-view endpoints no longer expose hidden column values
Public shared-view endpoints no longer expose hidden column values.
NocoDB: Timing-safe password verification for shared views
The shared-view password check in View.
NocoDB: Fixed timing-based email enumeration in sign-in endpoint
The unknown-user branch in auth.
nocodb: testConnection endpoint now scopes integration access to workspace
The `testConnection` endpoint previously fetched integrations in a bypass scope and only checked that the integration was non-priv
nocodb: SSRF protection via validateDbConnectionHost helper
Added a `validateDbConnectionHost` helper that resolves hostnames, parses addresses with ipaddr.
NocoDB SQL Injection via Column Title in Bulk GroupBy Endpoint
An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a
NocoDB OAuth PKCE race condition fix
Fixed a race condition in OAuth token exchange where two concurrent requests using the same authorization code could each mint a d
nocodb MCP readAttachment tool now enforces file ownership check
The MCP `readAttachment` tool now verifies file ownership by looking up the path in `nc_file_references` and checking that the `ba
NocoDB OAuth tokens no longer persist after password change
OAuth access and refresh tokens are now revoked when a user changes, resets, or recovers their password.
Shopper Framework: Missing Authorization on Sub-form Livewire Components
Sub-form Livewire components (Edit, Inventory, Seo, Shipping, Files) in the product editor had no authorization on their store() m
Shopper Framework: Missing permission checks on admin table actions (fixed in v2.8.0)
Admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions without permission checks.
Bugsink Fixes Authorization Bypass in Event Lookup
Issue event pages now require the event identifier to belong to the issue in the URL.
Bugsink: Fixed authorization bypass in bulk issue actions
Fixed a project-boundary authorization issue where bulk actions on the issue list could modify issues in other projects.
Bugsink 2.2.0 fixes cross-project sourcemap lookup by debug ID
Before 2.2.0, sourcemap and debug file resolution by debug ID was not scoped to the project that owned the metadata. An authentica
Bugsink DoS via excessive custom tags
Bugsink versions before 2.2.2 are vulnerable to a denial of service via excessive custom tags in an event, causing delayed ingesti
twig/twig: XSS fix in HtmlDumper escapes template and profile names
Twig\Profiler\Dumper\HtmlDumper now escapes template and profile names with htmlspecialchars() before outputting them in HTML.
GeoNode SSRF Vulnerability in Service Registration Endpoint
GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability
Authlib OAuth 2.0 Authorization Endpoint Open Redirect Vulnerability
Authlib's OAuth 2.0 authorization endpoint can be turned into an unauthenticated open redirect when a request uses an unsupported
Actual macOS 25.x (Electron 39.2.7) ELECTRON_RUN_AS_NODE enabled allows arbitrary code execution
A vulnerability in Actual macOS application version 25.
Poweradmin v4.4.0 CSV Injection and Path Disclosure in Log Export
CSV Injection (Formula Injection) vulnerability in log export: user-controlled username field written to CSV without sanitizing fo
dulwich: sanitize commit subjects in format_patch to prevent path traversal
dulwich.porcelain.format_patch and dulwich format-patch CLI now sanitize commit subjects. get_summary only replaced spaces with da
fuxa-server: SQL injection in TDengine DAQ storage connector
The TDengine DAQ storage connector's escapeTdString function doubles single quotes but does not escape backslashes, allowing SQL i
fuxa-server: Scheduler API missing admin permission checks fixed in 1.3.2
The Scheduler API did not enforce administrator permissions, allowing non-admin users to create or modify scheduled actions that e
dulwich: Memory exhaustion via crafted thin pack (CVE-2024-? )
A memory exhaustion vulnerability (CWE-400/CWE-789) in add_thin_pack / apply_delta allows a push client to cause denial of service
Rust 1.96.0 release: new Range* types, assert_matches!, WebAssembly breaking change, Cargo security fixes
Rust 1.96.0 introduces new Range* types, assert_matches! macros, and changes WebAssembly target behavior (no longer passes --allow
dotnet/aspire v13.4.0: TypeScript AppHost GA, aspire ps breaking change, Foundry API update
TypeScript AppHost is now GA; experimental markers removed.
docling v2.74.0 fixes XXE vulnerability in USPTO patent XML parsers
USPTO patent XML parsers (ICE v4.
docling HTML backend security fixes for file access, SSRF, and redirect vulnerabilities
Security fixes in docling HTML backend: patched multiple vulnerabilities including local file access via file:// URIs, path traver
docling-core: Local file access and memory exhaustion via image references (CVE-2025-XXXX)
docling-core versions >=2.5.0, <2.74.1 allowed local file:// image references and accepted inline data: content without a decoded-
docling-core: SSRF via unsafe Content-Disposition resolution (>=1.5.0, <2.74.1)
docling-core versions >=1.5.0, <2.74.1 did not sufficiently restrict remote request destinations and could resolve a server-provid
Jupyter Enterprise Gateway: Prohibited UID/GID Bypass via Whitespace
A security advisory was published.
Jupyter Enterprise Gateway YAML Injection via Untrusted Environment Variables
Jupyter Enterprise Gateway is vulnerable to YAML injection via untrusted environment variables (e.
Froxlor API Authentication Bypasses Two-Factor Authentication
FroxlorRPC::validateAuth does not enforce Two-Factor Authentication.
wwbn/avideo: Stored XSS via WebSocket message json key bypass
Stored XSS vulnerability in AVideo's WebSocket messaging system: MessageSQLite.
AVideo YPTSocket Plugin Unauthenticated Stored DOM XSS via page_title
Unauthenticated stored DOM XSS via `page_title` broadcast in AVideo YPTSocket plugin.
stata-mcp: Command injection via log_file_name parameter
The `log_file_name` parameter in `stata_do` API and CLI is directly interpolated into a Stata command string without sanitization,
NocoDB Stored XSS in Row Comments via Unsanitized HTML and Tippy allowHTML
Stored XSS vulnerability in row comments: HTML stored without server-side sanitization, and Tippy tooltip with allowHTML: true exe
NocoDB Shared Form XSS via redirect_url
The shared form-view submit handler writes the form's `redirect_url` to `window.
DbGate JSON script runner endpoint vulnerable to remote code execution
The POST /runners/start endpoint in DbGate's JSON script runner allows remote code execution via code injection in the functionNam
praisonai-platform: Agent CRUD endpoints lack workspace scoping (Red)
Agent CRUD endpoints (GET/PATCH/DELETE /workspaces/{workspace_id}/agents/{agent_id}) do not enforce workspace scoping on agent loo
@sync-in/server: SSRF bypass via IPv4-mapped IPv6 addresses in URL download
The private IP blocklist regex in the URL download feature does not match IPv4-mapped IPv6 addresses (e.
DbGate API: Arbitrary Code Execution via Unsanitized functionName in POST /runners/load-reader
The POST /runners/load-reader endpoint directly interpolates the functionName parameter into a JavaScript code template without sa
AIT-Core BSC Unauthenticated Path Traversal and Arbitrary File Append
The Binary Stream Capture (BSC) component in AIT-Core before 3.
TinyMCE XSS vulnerability via SVG namespace bypass in 6.8.x-7.0.x
TinyMCE 6.8.x-7.0.x contains an XSS vulnerability due to improper SVG namespace scope handling in the sanitizer, allowing crafted
TinyMCE 6.8.x-7.0.x XSS via SVG namespace handling
TinyMCE 6.8.x-7.0.x contains an XSS vulnerability due to improper SVG namespace scope handling in the sanitizer, allowing arbitrar
TinyMCE Stored XSS via Unsanitized data-mce-* Attributes
Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).
TinyMCE Stored XSS via data-mce-* attributes
Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).
TinyMCE Stored XSS via data-mce-* Attributes
Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).
TinyMCE Stored XSS via forged mce:protected comments
Stored XSS vulnerability via forged mce:protected comments bypasses sanitization and injects scripts on content restore.
TinyMCE Stored XSS via forged mce:protected comments
Stored XSS vulnerability via forged mce:protected comments allows attackers to bypass sanitization and inject scripts when content
TinyMCE Stored XSS via forged mce:protected comments
Stored XSS vulnerability via forged mce:protected comments allows attackers to bypass sanitization and inject scripts when content
TinyMCE media plugin stored XSS via data-mce-* attributes
Stored XSS vulnerability in the media plugin allows attackers to inject malicious scripts via crafted data-mce-* attributes.
TinyMCE Media Plugin Stored XSS Vulnerability
Stored XSS vulnerability in the media plugin allows attackers to inject malicious scripts via crafted data-mce-* attributes.
TinyMCE Media Plugin Stored XSS Vulnerability
A stored XSS vulnerability in the media plugin allows attackers to inject malicious scripts via crafted data-mce-* attributes.
shopper/framework: Three security defects in admin Livewire components
Three security defects in admin Livewire components: IDOR via unlocked properties, sensitive data disclosure through Hidden passwo
shopper/framework: Authorization bypass in team settings (fixed in v2.8.0)
Two authorization defects in team settings allowed any authenticated panel user to take over the RBAC system: Settings/Team/Index
Twig Sandbox Bypass via SourcePolicyInterface for sort/filter/map/reduce
Twig's sandbox restriction for callback-accepting filters (sort, filter, map, reduce) is not always applied when using a SourcePol
Twig Sandbox Bypass via __toString() Calls
The sandbox security mechanism was bypassed because SandboxNodeVisitor only wrapped a hardcoded list of AST nodes in CheckToString
FUXA Server Missing Authorization in Socket.IO Handlers Leading to SSRF
Two Socket.IO event handlers (DEVICE_PROPERTY and DEVICE_WEBAPI_REQUEST) in server/runtime/index.js lack authorization checks, all