This archive includes all published incident pages. Page 4 of 18.
Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.
Incident date: March 5, 2026 | Published: March 5, 2026
Gogs: Release tag option injection in release deletion. Summary: There is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to Git without the right separator, allowing Git...
Incident date: March 5, 2026 | Published: March 5, 2026
Gogs: Cross-repository LFS object overwrite via missing content hash verification. Summary: An LFS object that can be overwritten across different repositories leads to a supply-chain attack; all LFS objects are vulnerable to being maliciously overwritten by...
Incident date: March 4, 2026 | Published: March 4, 2026
SVGO DoS through entity expansion in DOCTYPE (Billion Laughs). Summary: SVGO accepts XML with custom entities, without guards against entity expansion or recursion.
Incident date: March 4, 2026 | Published: March 4, 2026
Fickling missing RCE-capable modules in UNSAFE_IMPORTS. Assessment: The modules uuid, _osx_support and _aix_support were added to the blocklist of unsafe imports (https://github.
Incident date: March 4, 2026 | Published: March 4, 2026
Fickling has always_check_safety() bypass: pickle.loads and pickle.loads remain unhooked. Assessment: The missing pickle entrypoints pickle.loads, pickle.loads, and pickle.load were added to the hook https://github.
Incident date: March 4, 2026 | Published: March 4, 2026
jackson-core has Nesting Depth Constraint Bypass in UTF8DataInputJsonParser potentially allowing Resource Exhaustion. Summary: The UTF8DataInputJsonParser, which is used when parsing from a java.io.
Incident date: March 4, 2026 | Published: March 4, 2026
Authlib: Setting alg: none and a blank signature appears to bypass signature verification. Summary: After upgrading the library from 1.5.2 to 1.6.0 (and the latest 1.6.
Incident date: March 4, 2026 | Published: March 4, 2026
Craft CMS has unauthenticated activation email trigger with potential user enumeration. The actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users.
Incident date: March 4, 2026 | Published: March 4, 2026
time calibrator was removed from crates.io due to malicious code. It was reported that time calibrator contained malicious code that would try to upload .env files to a server.
Incident date: March 4, 2026 | Published: March 4, 2026
IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links. Impact: An attacker can manipulate the HTTP Host header on a password reset or account creation request.