This archive includes all published incident pages. Page 6 of 16.
Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: There is a path traversal vulnerability in MindsDB's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution.
Incident date: February 24, 2026 | Published: February 25, 2026
Impact: This is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: OneUptime lets project members write custom JavaScript that runs inside monitors. The problem is that it executes that code using Node.js's built-in vm module, which Node.
Incident date: February 24, 2026 | Published: February 25, 2026
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal.
Incident date: February 24, 2026 | Published: February 25, 2026
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately...
Incident date: February 23, 2026 | Published: February 25, 2026
Summary: When yt-dlp's --netrc-cmd command-line option (or netrc_cmd Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL.
Incident date: February 23, 2026 | Published: February 25, 2026
Report of SQL Injection Vulnerability in Ormar ORM: A SQL injection attack can be achieved by passing a crafted string to the min() or max() aggregate functions.