Briefs

Cisco Talos disclosed multiple vulnerabilities in Canva Affinity, TP-Link Archer AX53, and HikVision Ultra Face Recognition Terminal products which could lead to sensitive information disclosure, arbitrary code execution, or credentials leak if exploited.

OpenClaw is vulnerable to symlink traversal via IDENTITY.md appendFile in agents.create/update. An attacker who can place a symlink in the agent workspace can hijack the IDENTITY.md path to append attacker-controlled content to arbitrary files on the system leading to remote code execution, persistent code execution, unauthorized SSH access, or service disruption.

The BadAML injection attack allows arbitrary code execution in confidential VMs by exploiting the ACPI interface, enabling attackers with host control to execute malicious AML code within the guest.

CVE-2026-4926 describes a denial-of-service vulnerability due to an inefficient regular expression complexity issue when handling multiple sequential optional groups, leading to exponential growth and resource exhaustion.

A stack-based buffer overflow vulnerability exists in EVerest EV charging software stack versions prior to 2026.02.0. Passing an interface name longer than 16 characters to CAN open routines overflows `ifreq.ifr_name`, potentially leading to code execution.

EVerest, an EV charging software stack, has an out-of-bounds access vulnerability in versions prior to 2026.02.0, which can lead to remote crash or memory corruption when the CSMS sends UpdateAllowedEnergyTransferModes over the network.

Kestra versions up to 1.3.3 are vulnerable to a cross-site scripting (XSS) vulnerability (CVE-2026-33664) allowing arbitrary JavaScript execution by viewing crafted flow metadata.

An out-of-bounds read and write vulnerability in LIBPNG's ARM/AArch64 Neon-optimized palette expansion path (CVE-2026-33636) allows attackers to potentially achieve denial-of-service or arbitrary code execution by crafting malicious PNG images.

A stack-based buffer overflow vulnerability exists in Tenda AC5 version 15.03.06.47, allowing remote attackers to execute arbitrary code by manipulating the `PPPOEPassword` argument in the `formQuickIndex` function of the `/goform/QuickIndex` component.

A stack-based buffer overflow vulnerability in Zen C compiler versions before 0.4.4 allows attackers to crash the compiler or potentially execute arbitrary code via a crafted `.zc` source file with overly long identifiers.

CVE-2025-12805 describes a flaw in Red Hat OpenShift AI (RHOAI) llama-stack-operator that allows unauthorized access to Llama Stack services in other namespaces via direct network requests due to missing NetworkPolicy restrictions, potentially enabling attackers to view or manipulate sensitive data.

Multiple critical vulnerabilities in n8n, including prototype pollution, code injection, and SQL injection, allow authenticated users to achieve remote code execution, read sensitive files, and perform unauthorized database operations.

Doveadm credentials are verified using direct comparison, making it susceptible to timing oracle attacks, allowing attackers to determine credentials and gain full access.

CVE-2025-59032 describes a vulnerability in ManageSieve's AUTHENTICATE command, where using a literal as a SASL initial response can crash the ManageSieve service, leading to a denial-of-service condition.

CVE-2026-22744 is a code injection vulnerability in Spring AI's RedisFilterExpressionConverter which allows an attacker to inject arbitrary commands into RediSearch TAG blocks via unescaped user-controlled strings, affecting versions 1.0.0 before 1.0.5 and 1.1.0 before 1.1.4.

Spring AI's spring-ai-bedrock-converse library is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied media URLs in multimodal messages, allowing attackers to trigger HTTP requests to internal or external destinations.

A SpEL injection vulnerability exists in Spring AI's SimpleVectorStore when a user-supplied value is used as a filter expression key, potentially allowing malicious actors to execute arbitrary code in vulnerable applications.

A SQL injection vulnerability (CVE-2026-4910) exists in Shenzhen Ruiming Technology Streamax Crocus bis 1.3.44 via the /RemoteFormat.do endpoint, allowing remote attackers to execute arbitrary SQL commands by manipulating the State argument.

The cpp-httplib library prior to version 0.39.0 forwards stored authentication credentials to arbitrary hosts via HTTP redirects, potentially exposing sensitive information to malicious actors.

A stack-based buffer overflow vulnerability (CVE-2026-4905) exists in Tenda AC5 firmware version 15.03.06.47 allowing remote attackers to execute arbitrary code by manipulating the 'index' argument in a POST request to the /goform/WifiWpsOOB endpoint.

vLLM versions before 0.18.0 are vulnerable to remote code execution due to hardcoded trust of remote code, even when explicitly disabled by the user, allowing attackers to execute arbitrary code via malicious model repositories.

A vulnerability in Incus versions prior to 6.23.0 allows for arbitrary read and write access as root on the host server by exploiting a missing chroot isolation in the pongo2 template engine.

The c2cciutils package is vulnerable to denial of service due to an uncontrolled recursion vulnerability (CWE-674) in the pyasn dependency, specifically versions before 1.1.65.

A path traversal vulnerability exists in Sharp CMS versions prior to 9.20.0 due to improper sanitization of file extensions, potentially allowing attackers to bypass security restrictions and access sensitive files.

Forge is vulnerable to signature forgery in Ed25519 due to a missing check that S < L, allowing non-canonical signatures and potentially bypassing authentication/authorization logic, affecting versions before 1.4.0.

Node-forge's certificate chain verification fails to enforce RFC 5280 basicConstraints, allowing leaf certificates without basicConstraints and keyUsage extensions to act as Certificate Authorities, leading to potential certificate forgery and man-in-the-middle attacks.

A vulnerability in the openclaw npm package before version 2026.3.22 allowed mutating internal ACP chat commands without requiring operator.admin scope enforcement, potentially allowing unauthorized control-plane actions.

CVE-2023-7338 is a remote code execution vulnerability affecting Ruckus Unleashed when gateway mode is enabled, allowing authenticated remote attackers to execute arbitrary code by sending specially crafted requests through the web-based management interface.

Ory Polis versions prior to 26.2.0 are vulnerable to DOM-based XSS due to improper handling of the `callbackUrl` parameter, allowing attackers to execute arbitrary JavaScript in a user's browser.

The openclaw npm package before version 2026.3.22 allows unauthorized pre-authentication computation due to improper handling of inbound Nostr DMs, where crypto and dispatch work are performed before enforcing sender and pairing policies.