ASR AI Security Radar

Recent AI Security Incidents

This archive includes all published incident pages. Page 3 of 18.

Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.

Selection criteria and correction policy are documented in Methodology & Editorial Policy.

AI security incident: VU#665416: SGLang (sglang) is vulnerable to code execution attacks via unsafe pickle...

Incident date: March 12, 2026 | Published: March 12, 2026

Overview: Two unsafe pickle deserialization vulnerabilities have been discovered in the SGLang open-source project, one within the tool's multimodal generation module and another within the Encoder Parallel Disaggregation system.

AI security incident: @siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Inject...

Incident date: March 11, 2026 | Published: March 11, 2026

@siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection. Security Advisory: Insecure Default JWT Secret + WebSocket Auth Bypass Enables Unauthenticated RCE via Shell Injection.

AI security incident: @siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters (...

Incident date: March 11, 2026 | Published: March 11, 2026

@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters. Summary: Multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit),...

AI security incident: @siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes (GHSA...

Incident date: March 10, 2026 | Published: March 11, 2026

@siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes. Shell Command Injection in User Git Config Endpoint. Severity: High; CVSS 3.1: 8.

AI security incident: WeKnora Vulnerable to Remote Code Execution via SQL Injection Bypass in AI Database Q...

Incident date: March 6, 2026 | Published: March 7, 2026

WeKnora Vulnerable to Remote Code Execution via SQL Injection Bypass in AI Database Query Tool. Summary: A critical Remote Code Execution (RCE) vulnerability exists in the application's database query functionality.

AI security incident: Zarf's symlink targets in archives are not validated against destination directory (G...

Incident date: March 6, 2026 | Published: March 6, 2026

Zarf's symlink targets in archives are not validated against destination directory. Summary: A path traversal vulnerability in archive extraction allows a specifically crafted Zarf package to create symlinks pointing outside the destination...

AI security incident: Mercurius's queryDepth limit bypassed for WebSocket subscriptions (GHSA-m4h2-mjfm-mp55)

Incident date: March 6, 2026 | Published: March 6, 2026

Mercurius's queryDepth limit bypassed for WebSocket subscriptions. Description: Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections.

AI security incident: parse-server's endpoint /loginAs allows readOnlyMasterKey to gain full read and write...

Incident date: March 6, 2026 | Published: March 6, 2026

parse-server's endpoint /loginAs allows readOnlyMasterKey to gain full read and write access as any user. Impact: The readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user.

AI security incident: GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution...

Incident date: March 6, 2026 | Published: March 6, 2026

GitHub Copilot CLI Dangerous Shell Expansion Patterns Enable Arbitrary Code Execution. Summary: A security vulnerability has been identified in GitHub Copilot CLI's shell tool that could allow arbitrary code execution through crafted bash...

AI security incident: Pingora vulnerable to HTTP Request Smuggling via Premature Upgrade (GHSA-xq2h-p299-vjwv)

Incident date: March 5, 2026 | Published: March 5, 2026

Pingora vulnerable to HTTP Request Smuggling via Premature Upgrade. Impact: Pingora versions prior to 0.8.0 would immediately forward bytes following a request with an Upgrade header to the backend, without waiting for a 101 Switching...