Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access
Deno: WebSocket API sandbox bypass via missing post-DNS check
Deno: `fetch()` API sandbox bypass via missing DNS resolution check
n8n: Merge Node SQL Mode Prototype Pollution
n8n: Prototype Pollution enables confused-deputy execution via public webhooks
n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
n8n: NoSQL Injection in MongoDB Node Find And Replace Operation
n8n: SQL Injection in Postgres v1/TimescaleDB Nodes
n8n: Git Node Clone and Push Operations Bypass File Sandbox
Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read
Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint
PowerStore contains a Stored Cross-Site Scripting Vulnerability in the PowerStore Manager. A remote authenticated low-privileged malicious actor could potentially exploit this vulnerability, which could lead to script execution in the client browser.
Dell Peripheral Manager, versions from 1.5.1 to 1.7.2, contain an uncontrolled search path element vulnerability. An attacker could potentially exploit this vulnerability by preloading a malicious executable, leading to arbitrary code execution.
Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated the per-interface ICMP-sent statistics by calling net_pkt_iface(pkt) after net_send_data(pkt) had already returned successfully. On the success path the network...
In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to net_try_send_data(), and then, on success, calls net_stats_update_icmp_sent(net_pkt_iface(reply)). net_try_send_data() transfers ownership of reply to the TX pa...
subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data(). In icmpv6_handle_echo_request() and net_icmpv6_send_error(), the post-send statistics update calls net_pkt_iface(reply)/net_pkt_iface(pkt) on the just-sent packet. The send pat...
subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully. Per the network stack's ownership contract (include/zephyr/net/net_core.h, and the explicit warning in subsys/net/ip/net_core.c:453-460 'do not use pkt after...
Dell Peripheral Manager, versions prior to 1.7.3, contain an uncontrolled search path element vulnerability. An attacker could potentially exploit this vulnerability by preloading a malicious DLL, leading to arbitrary code execution.
Astro: XSS via Unescaped Attribute Names in Spread Props
@astrojs/netlify broadens Astro image.remotePatterns in Netlify Image CDN config