Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network. More information : https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35431
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper...
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect git or AWS CLI behavior through...
Url redirection to untrusted site (‘open redirect’) in M365 Copilot allows an unauthorized attacker to elevate privileges over a network. More information : https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33102
Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network. More information : https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33819
Server-side request forgery (ssrf) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network. More information : https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32210
Uncontrolled search path element in Microsoft Power Apps allows an unauthorized attacker to execute code over a network. More information : https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32172
A request smuggling vulnerability exists in libsoup’s HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each header value without validating for duplicate or conflicting Content-Length fields. This allows an attacker to...
KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using...
Server-side request forgery (ssrf) in Microsoft Purview allows an unauthorized attacker to elevate privileges over a network. More information : https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26150
Improper access control in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network. More information : https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-24303
A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an attacker could systematically enumerate valid records and...
A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This results in exposure of...
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can...