Improper access control in GitLab CE/EE 16.9.6-18.10.2 enables authenticated attackers to invoke unauthorized server-side methods via websocket connections, achieving high-severity information disclosure with changed scope. Affects continuous integration/deployment platforms running vulnerable GitLab instances. Exploitation requires low-privilege authentication but no user interaction, enabling lateral information access across security boundaries.
Privilege escalation in Tandoor Recipes prior to version 2.6.4 allows authenticated users with read-only shared access to recipe books to perform unauthorized write and delete operations. The CustomIsShared permission class incorrectly permits DELETE, PUT, and PATCH methods without validating safe HTTP methods, enabling shared users to overwrite or delete recipe books despite having semantically read-only permissions. This represents a high-severity authorization bypass with CVSS 8.1 (AV:N/AC:L/PR:L) requiring authenticated access but no user interaction. No public exploit identified at time of analysis, though the vulnerability affects a specific permission boundary and could be easily exploited by any user granted shared access.
Remote code execution in CrewAI's CodeInterpreter tool occurs when Docker connectivity fails and the system falls back to SandboxPython, allowing unauthenticated remote attackers to execute arbitrary C functions and achieve code execution. The vulnerability affects systems relying on CrewAI's code execution capabilities where Docker is unavailable or unreachable, creating a dangerous fallback condition that bypasses intended sandboxing protections.
Privilege escalation in Ivanti DSM versions before 2026.1.1 stems from an exposed dangerous method that allows authenticated local users to gain elevated system privileges. An attacker with local access could exploit this vulnerability to obtain high-level permissions, compromising system integrity and confidentiality. No patch is currently available for this issue.
OneUptime prior to 10.0.21 has a fourth vulnerability in Synthetic monitoring exposing dangerous functionality.
OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.
Security vulnerability in RustDesk remote desktop client/server. One of 6+ critical CVEs affecting the open-source remote access platform.
Nbiot Sdk contains a vulnerability that allows attackers to perform local escalation of privilege; User execution privileges are needed (CVSS 7.8).
and deploy AI models using Docker. Versions up to 1.0.16 contain a security vulnerability (CVSS 7.5).
Remote code execution in OpenS100 (S-100 viewer reference implementation) prior to commit 753cf29. Malicious S-100 dataset files can trigger code execution when opened. CVSS 9.6.