symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses
OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types
OpenBao: LDAPi ldaputil (wrong escape func)
Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure
Langflow: Logout button does not clear session
py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()
py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size
Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms
Open Redirect Bypass in miniflux-v2
Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails
Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering
Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination)
Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass
UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()
CoreWCF: SAML token replay protection is inoperative
CoreWCF: UnixDomainSocket Non-Reentrant POSIX Identity Resolution
CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance
CoreWCF: Unix Domain Socket PosixIdentity transport accepts connections that skip the security upgrade