symfony/ux-icons: XSS via unsanitized SVG content in local files and Iconify on-demand responses

OpenBao: Transit secrets engine crashes on key creation with `derived: true` for asymmetric key types

OpenBao: LDAPi ldaputil (wrong escape func)

Outerbase Studio: Stored XSS in Text Widget Leads to Authentication Token Exposure

Langflow: Logout button does not clear session

py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()

py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size

Mailpit: Incomplete SSRF protection in Link Check API via IPv6 transition mechanisms

Open Redirect Bypass in miniflux-v2

Traefik Kubernetes Ingress NGINX provider fails open when auth-secret resolution fails

Allure Report: Stored XSS via unescaped ANSI helper in status message/trace rendering

Allure Report: Path Traversal in HTTP Server Allows Arbitrary File Read

dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens

go.qbee.io/transport: Symlink-chain path traversal in tar extraction (one level outside destination)

Craft Commerce: Coupon Code Brute-Force via Rate Limit Bypass

UltraJSON: Malformed/Truncated UTF-8 Accepted and Silently Rewritten in ujson.dumps()

CoreWCF: SAML token replay protection is inoperative

CoreWCF: UnixDomainSocket Non-Reentrant POSIX Identity Resolution

CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance

CoreWCF: Unix Domain Socket PosixIdentity transport accepts connections that skip the security upgrade