[local] Fedora - Local Privilege Escalation
Exploit Title: Fedora Local Privilege Escalation
Aggregator
[webapps] Xibo CMS 4.3.0 - RCE via SSTI
1 month 3 weeks ago
# Exploit Title: Xibo CMS - Authenticated Remote
[webapps] LangChain Core 1.2.4 - SSTI/RCE
1 month 3 weeks ago
# Exploit Title: LangChain Core - SSTI/RCE # Dat
How a Long-Lived API Credential Let an AI Agent Delete Production Data
1 month 3 weeks ago
4 min readWhat began as a routine staging task for a SaaS startup ended in a disaster that would have been unthinkable just months ago: an AI agent operating as a super insider threat and triggering a worst-case production failure. In a detailed X post, Jer Crane, founder of PocketOS, a software platform for the rental car […]
The post How a Long-Lived API Credential Let an AI Agent Delete Production Data appeared first on Aembit.
The post How a Long-Lived API Credential Let an AI Agent Delete Production Data appeared first on Security Boulevard.
Dan Kaplan
CVE-2026-7071 | CodeAstro Online Job Portal 1.0 /users/user-cvs/ file information disclosure (EUVD-2026-25747 / CNNVD-202604-5309)
1 month 3 weeks ago
A vulnerability classified as problematic has been found in CodeAstro Online Job Portal 1.0. Affected by this vulnerability is an unknown functionality of the file /users/user-cvs/. The manipulation leads to file and directory information exposure.
This vulnerability is referenced as CVE-2026-7071. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
vuldb.com
CVE-2026-7070 | code-projects Inventory Management System 1.0 Login Username sql injection (EUVD-2026-25746 / CNNVD-202604-5310)
1 month 3 weeks ago
A vulnerability described as critical has been identified in code-projects Inventory Management System 1.0. Affected is an unknown function of the component Login. Executing a manipulation of the argument Username can lead to sql injection.
The identification of this vulnerability is CVE-2026-7070. The attack may be launched remotely. Furthermore, there is an exploit available.
vuldb.com
CVE-2026-32883 | randombit botan up to 3.10.x X509 Path Validation signature verification (GHSA-9j2j-hqmc-hf5x / Nessus ID 310592)
1 month 3 weeks ago
A vulnerability, which was classified as problematic, has been found in randombit botan up to 3.10.x. Impacted is an unknown function of the component X509 Path Validation Handler. This manipulation causes improper verification of cryptographic signature.
This vulnerability is handled as CVE-2026-32883. The attack can be initiated remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
vuldb.com
CVE-2026-32877 | randombit botan up to 3.10.x out-of-bounds (GHSA-7jj6-4r42-w9h6 / Nessus ID 310592)
1 month 3 weeks ago
A vulnerability described as critical has been identified in randombit botan up to 3.10.x. Impacted is an unknown function. The manipulation results in out-of-bounds read.
This vulnerability is reported as CVE-2026-32877. The attack can be launched remotely. No exploit exists.
Upgrading the affected component is recommended.
vuldb.com
CVE-2026-42371 | uriparser up to 1.0.0 URI numeric truncation error (Nessus ID 310600)
1 month 3 weeks ago
A vulnerability was found in uriparser up to 1.0.0. It has been classified as problematic. Affected by this vulnerability is an unknown functionality of the component URI Handler. The manipulation leads to numeric truncation error.
This vulnerability is uniquely identified as CVE-2026-42371. Local access is required to approach this attack. No exploit exists.
Upgrading the affected component is recommended.
vuldb.com
CVE-2026-7306 | Xuxueli xxl-job up to 3.3.2 OpenAPI Endpoint OpenApiController.java default_token hard-coded key (Issue 3938 / EUVD-2026-26150)
1 month 3 weeks ago
A vulnerability was found in Xuxueli xxl-job up to 3.3.2. It has been declared as critical. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key
.
This vulnerability is referenced as CVE-2026-7306. It is possible to launch the attack remotely. Furthermore, an exploit is available.
vuldb.com
CVE-2026-7314 | eiceblue spire-doc-mcp-server 1.0.0 base.py get_doc_path document_name path traversal (EUVD-2026-26151)
1 month 3 weeks ago
A vulnerability was found in eiceblue spire-doc-mcp-server 1.0.0. It has been rated as critical. This affects the function get_doc_path of the file src/spire_doc_mcp/api/base.py. Performing a manipulation of the argument document_name results in path traversal.
This vulnerability is identified as CVE-2026-7314. The attack can be initiated remotely. Additionally, an exploit exists.
The project was informed of the problem early through an issue report but has not responded yet.
vuldb.com
CVE-2026-7315 | eiceblue spire-pdf-mcp-server 0.1.1 PDF File server.py get_pdf_path filepath path traversal (EUVD-2026-26152)
1 month 3 weeks ago
A vulnerability categorized as critical has been discovered in eiceblue spire-pdf-mcp-server 0.1.1. This impacts the function get_pdf_path of the file src/spire_pdf_mcp/server.py of the component PDF File Handler. Executing a manipulation of the argument filepath can lead to path traversal.
This vulnerability is tracked as CVE-2026-7315. The attack can be launched remotely. Moreover, an exploit is present.
The project was informed of the problem early through an issue report but has not responded yet.
vuldb.com
CVE-2026-7316 | eiliyaabedini aider-mcp up to 667b914301aada695aab0e46d1fb3a7d5e32c8af code_with_ai aider_mcp.py working_dir/editable_files command injection (EUVD-2026-26153)
1 month 3 weeks ago
A vulnerability identified as critical has been detected in eiliyaabedini aider-mcp up to 667b914301aada695aab0e46d1fb3a7d5e32c8af. Affected is an unknown function of the file aider_mcp.py of the component code_with_ai. The manipulation of the argument working_dir/editable_files leads to command injection.
This vulnerability is listed as CVE-2026-7316. The attack may be initiated remotely. In addition, an exploit is available.
This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available.
The project was informed of the problem early through an issue report but has not responded yet.
vuldb.com
CVE-2026-7317 | Grav CMS up to 1.7.49.5/2.0.0-beta.1 Cache Value FileCache.php FileCache::doGet deserialization (GHSA-gwfr-jfjf-92vv / c66dfeb5f)
1 month 3 weeks ago
A vulnerability labeled as critical has been found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization.
This vulnerability is cataloged as CVE-2026-7317. The attack may be launched remotely. Furthermore, there is an exploit available.
The affected component should be upgraded.
vuldb.com
CVE-2026-7318 | elie mcp-project 0.1.0 research_server.py search_papers topic path traversal (EUVD-2026-26155)
1 month 3 weeks ago
A vulnerability, which was classified as critical, was found in elie mcp-project 0.1.0. The affected element is the function search_papers of the file research_server.py. The manipulation of the argument topic results in path traversal.
This vulnerability is known as CVE-2026-7318. Attacking locally is a requirement. Furthermore, an exploit is available.
The project was informed of the problem early through an issue report but has not responded yet.
vuldb.com
CVE-2026-7319 | elinsky execution-system-mcp 0.1.0 add_action Tool server.py _get_context_file_path context path traversal (EUVD-2026-26156)
1 month 3 weeks ago
A vulnerability has been found in elinsky execution-system-mcp 0.1.0 and classified as critical. The impacted element is the function _get_context_file_path of the file src/execution_system_mcp/server.py of the component add_action Tool. This manipulation of the argument context causes path traversal.
This vulnerability is handled as CVE-2026-7319. The attack can be initiated remotely. Additionally, an exploit exists.
vuldb.com
CVE-2026-42428 | OpenClaw up to 2026.4.7 integrity check (GHSA-3vvq-q2qc-7rmp / EUVD-2026-26130)
1 month 3 weeks ago
A vulnerability was found in OpenClaw up to 2026.4.7. It has been classified as problematic. Impacted is an unknown function. Performing a manipulation results in missing support for integrity check.
This vulnerability is reported as CVE-2026-42428. The attack is possible to be carried out remotely. No exploit exists.
Upgrading the affected component is recommended.
vuldb.com
Everest
1 month 3 weeks ago
You must login to view this content
cohenido
FIDO Alliance wants to keep AI agents from going rogue on online payments
1 month 3 weeks ago
AI agents are beginning to shop, log in, and complete tasks with little direct input. That shift is pushing the security industry to rethink how trust works when actions are carried out on a user’s behalf. The FIDO Alliance has announced a set of initiatives to build shared standards for these interactions, covering how AI agents authenticate, follow instructions, and carry out transactions. “AI agents are quickly becoming part of how people get things done … More →
The post FIDO Alliance wants to keep AI agents from going rogue on online payments appeared first on Help Net Security.
Sinisa Markovic
M3RX
1 month 3 weeks ago
You must login to view this content
cohenido