5.9
CVE-2026-34942 - Wasmtime panics when transcoding misaligned utf-16 strings
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passe…
6.9
CVE-2026-34941 - Wasmtime has a Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding
Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check.…
6.9
CVE-2026-5971 - FoundationAgents MetaGPT XML action_node.py ActionNode.xml_fill eval injection
A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated cod…
8.7
CVE-2026-39911 - Hashgraph Guardian 3.5.0 Unsandboxed JavaScript Execution RCE
Hashgraph Guardian through version 3.5.0 contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() …
6.1
CVE-2026-39315 - Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes H…
8.5
CVE-2026-5329 - Rapid7 Velociraptor Improper Input Validation in Client Message Handler
Rapid7 Velociraptor versions prior to 0.76.2 contain an improper input validation vulnerability in the client monitoring message handler on the Velociraptor server (primarily Linux) that allows an authenticated remote attacker to write to arbitrary internal server queues via a crafted monitoring m…
5.4
CVE-2026-35207 - deepinid plugin in dde-control-center is configured to skip TLS certificate verification when downl…
dde-control-center is the control panel of DDE, the Deepin Desktop Environment. plugin-deepinid is a plugin in dde-control-center, which provides the deepinid cloud service. Prior to 6.1.80, plugin-deepinid is configured to skip TLS certificate verification when fetching the user's avatar from open…
1.7
CVE-2026-40072 - web3.py affected by SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling
web3.py allows you to interact with the Ethereum blockchain using Python. From 6.0.0b3 to before 7.15.0 and 8.0.0b2, web3.py implements CCIP Read / OffchainLookup (EIP-3668) by performing HTTP requests to URLs supplied by smart contracts in offchain_lookup_payload["urls"]. The implementation uses t…
5.4
CVE-2026-40071 - pyLoad WebUI JSON permission mismatch lets ADD/DELETE users invoke MODIFY-only actions
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev97, the /json/package_order, /json/link_order, and /json/abort_link WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execu…
8.1
CVE-2026-40070 - bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and i…
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies al…