This archive includes all published incident pages. Page 11 of 18.
Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.
Selection criteria and correction policy are documented in Methodology & Editorial Policy.
Incident date: February 18, 2026 | Published: February 25, 2026
Command Injection via Unsanitized locate Output in versions() — systeminformation **Package:** systeminformation (npm) **Tested Version:** 5.30.
Incident date: February 18, 2026 | Published: February 25, 2026
Impact A vulnerable node can be forced to shutdown/crash using a specially crafted message. More details to be released later. ### Patches The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary *SQL Injection in IPv6 Address Search functionality via address parameter** A SQL injection vulnerability exists in the ajax_table.php endpoint.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary The unit parameter in Custom OID functionality lacks strip_tags() sanitization while other fields ( name , oid , datatype ) are sanitized.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary **/port-groups name Stored Cross-Site Scripting** - HTTP POST - Request-URI(s): "/port-groups" - Vulnerable parameter(s): "name" - Attacker must be authenticated with "admin" privileges.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary **/device-groups name Stored Cross-Site Scripting** - HTTP POST - Request-URI(s): "/device-groups" - Vulnerable parameter(s): "name" - Attacker must be authenticated with "admin" privileges.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary A command injection vulnerability in the wifiNetworks() function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. ### Details In lib/wifi.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary This is a scanning bypass to scan_pytorch function in picklescan . As we can see in the implementation of [get_magic_number()](https://github.
Incident date: February 18, 2026 | Published: February 25, 2026
Summary openclaw could start the sandbox browser bridge server without authentication. When the sandboxed browser is enabled, openclaw runs a local (loopback) HTTP bridge that exposes browser control endpoints (for example /profiles ,...
Incident date: February 18, 2026 | Published: February 25, 2026
Summary The Feishu extension could fetch attacker-controlled remote URLs in two paths without SSRF protections: - sendMediaFeishu(mediaUrl) - Feishu DocX markdown image URLs (write/append -> image processing) ### Affected versions - = 2026.