This archive includes all published incident pages. Page 15 of 18.
Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.
Incident date: February 12, 2026 | Published: February 25, 2026
Description: MagicLink stores serialized action objects in the magic_links.action database column and deserializes them without integrity validation or class allowlisting in [src/MagicLink.php](src/MagicLink.
Incident date: February 12, 2026 | Published: February 25, 2026
Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC: This vulnerability exists in the Air Traffic Controller (ATC) component of Yoke, a Kubernetes deployment tool.
Incident date: February 12, 2026 | Published: February 25, 2026
Unauthenticated Admission Webhook Endpoints in Yoke ATC: This vulnerability exists in the Air Traffic Controller (ATC) component of Yoke, a Kubernetes deployment tool.
Incident date: February 12, 2026 | Published: February 25, 2026
A vulnerability in CediPay allows attackers to bypass input validation in the transaction API. Affected users: All deployments running versions prior to the patched release.
Incident date: February 12, 2026 | Published: February 25, 2026
Summary: The arrayLimit option in qs does not enforce limits for comma-separated values when comma: true is enabled, allowing attackers to cause denial-of-service via memory exhaustion.
Incident date: February 12, 2026 | Published: February 25, 2026
Impact: Using comments, it is possible to inject CSS that turns the full wiki into a link area leading to a malicious page. All versions of XWiki are impacted by this kind of attack.
Incident date: February 12, 2026 | Published: February 25, 2026
Summary: FrankenPHP’s CGI path splitting logic improperly handles Unicode characters during case conversion. The logic computes the split index (for finding .
Incident date: February 12, 2026 | Published: February 25, 2026
Summary: An attacker can cause unbounded memory consumption by repeatedly creating and closing many WebTransport streams. Closed streams were not removed from an internal session map, preventing garbage collection of their resources.
Incident date: February 12, 2026 | Published: February 25, 2026
Summary: An attacker can cause excessive memory consumption in webtransport-go's session implementation by sending a WT_CLOSE_SESSION capsule containing an excessively large Application Error Message.
Incident date: February 12, 2026 | Published: February 25, 2026
Notepad++ - Notepad++, when using the WinGUp updater, contains a download of code without integrity check vulnerability that could allow an attacker to intercept or redirect update traffic to download and execute an...