
CVE Vulnerabilities - 27 March 2026


31 vulnerabilities published on 27 March 2026

Incus Allows Root Access to Arbitrary Files
CVE-2026-33945
Incus virtual machine manager versions prior to 6.23.0 can be tricked into writing files outside of a secure area. This allows an attacker to gain root access and perform malicious actions. Upgrade to...
Severity: 9.9
Datadog Java Agent: Remote Code Execution via RMI
GHSA-579q-h82j-r5v2 CVE-2026-33728
The Datadog Java Agent, if not updated to version 1.60.3 or later, can allow an attacker to take control of a system if they have network access to a specific port and can find a way to exploit it. Th...
Severity: 9.3
OpenTelemetry Java: Unrestricted Code Can Run on Your Server
GHSA-xw7x-h9fj-p2c7 CVE-2026-33701
If you use OpenTelemetry Java with a remote management port, a malicious person could potentially take control of your server by sending it a specially crafted message. This only happens if you have a...
Severity: 9.3
MyTube: Unsecured Passkey Registration Allows Full Admin Access
CVE-2026-33890
If you're using MyTube version 1.8.70 or earlier, an attacker can create a special key that lets them take full control of your MyTube setup without needing a password. This is a big deal because it m...
Severity: 8.9
Tenda AC5 Router Allows Remote Code Execution via Malformed Network Request
CVE-2026-4906
A security issue in Tenda AC5 routers allows an attacker to execute malicious code on the device by sending a specially crafted network request. This could allow an attacker to take control of the rou...
Severity: 7.4
Tenda AC5 Router: Unauthorized Access via Malicious Wi-Fi WPS Request
CVE-2026-4905
A security flaw in Tenda AC5 routers allows hackers to potentially take control of the device. This could happen if the user visits a malicious website or opens a phishing email. To stay safe, update ...
Severity: 7.4
Tenda AC5 Router: Remote Code Execution via Malformed Request
CVE-2026-4904
A security flaw in the Tenda AC5 router allows an attacker to execute malicious code on the device if they send a specially crafted request. This could allow an attacker to take control of the device....
Severity: 7.4
Incus: `incus webui` Server Incorrectly Validates Authentication Token
CVE-2026-33898
Incus is a system container and virtual machine manager. Prior to version 6.23.0, the web server spawned by `incus webui` incorrectly validates the authentication token such that an invalid value will...
Severity: 8.8
vLLM Enables Remote Code Execution When Disabled
CVE-2026-27893
vLLM versions 0.10.1 to 0.17.9 may allow malicious code to run on your system if you've disabled remote code execution. This is a security risk. Update to v0.18.0 or later to fix the issue.
Severity: 8.8
Docker BuildKit Malware Can Write Files Outside Designated Area
GHSA-4c29-8rgm-jvjj CVE-2026-33747
Docker BuildKit's custom frontend can be tricked into saving files in the wrong place, potentially causing data loss. This can happen if you use a custom frontend with Docker. To stay safe, use a know...
Severity: 8.4
Docker Command Injection in BentoML via bentofile.yaml
GHSA-jfjg-vc52-wqvf CVE-2026-33744
BentoML's Dockerfile generation in bentofile.yaml allows a malicious user to execute arbitrary system commands when building a container. This can happen if a user includes a malicious string in the s...
Severity: 7.8
MyTube allows attackers to lock out users with repeated login attempts
CVE-2026-33935
Prior to version 1.8.72, MyTube's login system can be abused by an attacker to lock out all users from logging in for 24 hours. To fix this, update to MyTube version 1.8.72 or later. Regularly updatin...
Severity: 7.7
OpenHands: Command Injection in `get_git_diff()`
GHSA-7h8w-hj9j-8rjw CVE-2026-33718
OpenHands is software for AI-driven development. Starting in version 1.5.0, a Command Injection vulnerability exists in the `get_git_diff()` method at `openhands/runtime/utils/git_handler.py:134`. The...
Severity: 7.6
Cocos AI Confidential Computing System Has TLS Key Extraction Flaw
CVE-2026-33697
A security issue affects all versions of Cocos AI from v0.4.0 through v0.8.2. An attacker with access to the server or through certain types of attacks could extract a secret key, allowing them to pre...
Severity: 7.5
cpp-httplib Exposes Credentials in Redirects
CVE-2026-33745
The cpp-httplib library stores login credentials and sends them to any website it redirects to. This means a malicious site could steal your login information. Update to version 0.39.0 or later to fix...
Severity: 7.4
MyTube: Unauthorized Access to Configuration Data
CVE-2026-33735
Prior to version 1.8.69, a security weakness in MyTube allows attackers to access sensitive configuration data and potentially take control of the application. This weakness is fixed in version 1.8.69...
Severity: 7.4
Metabase Enterprise: Authenticated Admins Can Execute Malicious Code
CVE-2026-33725
Authenticated admins on Metabase Enterprise can execute malicious code and read sensitive files if they have access to the import feature. This affects all Enterprise versions with serialization enabl...
Severity: 7.2
Open WebUI: Authenticated User Can Overwrite Any File
CVE-2026-28788
A security issue in Open WebUI allows any authenticated user to modify any file on the platform, potentially allowing an attacker to tamper with the artificial intelligence's responses to other users....
Severity: 7.1
Open Source Point of Sale application exposes employee password change
CVE-2026-33730
An attacker with limited access can change other employees' passwords, including admin passwords. This is fixed in version 3.4.2. Update to the latest version to protect your system.
Severity: 6.5
Activitypub-Federation allows attackers to access internal services
GHSA-q537-8fr5-cw35 CVE-2026-33693
An attacker can control a remote domain and access services on the target server by sending traffic to 0.0.0.0. This is due to a missing check in the Activitypub-Federation code. To mitigate this, upd...
Severity: 6.5
OpenFGA data access bypassed by cache misuse
GHSA-h6c8-cww8-35hf CVE-2026-33729 GO-2026-4857
OpenFGA allows unauthorized access to sensitive data when caching is enabled and certain conditions are met. This could lead to data being exposed that shouldn't be. To fix, update to OpenFGA version ...
Severity: 5.8
Cilium L7 proxy bypasses Kubernetes NetworkPolicy on same-node traffic
GHSA-hxv8-4j4r-cqgv CVE-2026-33726 GO-2026-4856
Cilium, a networking tool for Kubernetes, may not enforce network policies for traffic between pods and L7 services on the same node. This can happen in certain Cilium deployments, such as Amazon EKS ...
Severity: 5.4
Open WebUI: Deleting files without permission
CVE-2026-29070
A security issue in Open WebUI allows users with write access to delete files they shouldn't be able to. This is fixed in version 0.8.6. Users should update to this version to prevent unauthorized fil...
Severity: 5.4
Older MapServer versions can crash from bad SLD input
CVE-2026-33721
MapServer versions 4.2 to 8.6.1 are vulnerable to a crash when processing certain types of Styled Layer Descriptor (SLD) files. This can be exploited by attackers to take down a server. Update to vers...
Severity: 5.3
pypdf: Infinite Loop when Reading Malicious PDF Files
GHSA-87mj-5ggw-8qc3 CVE-2026-33699
A malicious PDF file can cause the pypdf library to get stuck in an infinite loop when trying to read it. This could lead to a freeze or crash of your application. Update to the latest version of pypd...
Severity: 4.6