This archive includes all published incident pages. Page 2 of 16.
Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.
Incident date: March 6, 2026 | Published: March 7, 2026
WeKnora Vulnerable to Remote Code Execution via SQL Injection Bypass in AI Database Query Tool. Summary: A critical Remote Code Execution (RCE) vulnerability exists in the application's database query functionality.
Incident date: March 6, 2026 | Published: March 6, 2026
Zarf's symlink targets in archives are not validated against destination directory. Summary: A path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination...
Incident date: March 6, 2026 | Published: March 6, 2026
Mercurius's queryDepth limit bypassed for WebSocket subscriptions. Description: Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections.
Incident date: March 6, 2026 | Published: March 6, 2026
parse-server's endpoint /loginAs allows readOnlyMasterKey to gain full read and write access as any user. Impact: The readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user.
Incident date: March 6, 2026 | Published: March 6, 2026
GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution. Summary: A security vulnerability has been identified in GitHub Copilot CLI's shell tool that could allow arbitrary code execution through crafted bash...
Incident date: March 5, 2026 | Published: March 5, 2026
Pingora vulnerable to HTTP Request Smuggling via Premature Upgrade. Impact: Pingora versions prior to 0.8.0 would immediately forward bytes following a request with an Upgrade header to the backend, without waiting for a 101 Switching...
Incident date: March 5, 2026 | Published: March 5, 2026
Gogs: Release tag option injection in release deletion. Summary: There is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to Git without the right separator, allowing Git...
Incident date: March 5, 2026 | Published: March 5, 2026
Gogs: Cross-repository LFS object overwrite via missing content hash verification. Summary: An overwritable LFS object across different repos leads to a supply-chain attack; all LFS objects are vulnerable to being maliciously overwritten by...
Incident date: March 4, 2026 | Published: March 4, 2026
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs). Summary: SVGO accepts XML with custom entities, without guards against entity expansion or recursion.
Incident date: March 4, 2026 | Published: March 4, 2026
Fickling missing RCE-capable modules in UNSAFE IMPORTS. Assessment: The modules uuid, osx support and aix support were added to the blocklist of unsafe imports (https://github.