This archive includes all published incident pages. Page 7 of 18.
Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: Caddy's HTTP path request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (%xx) it compares against the request's escaped path without lowercasing.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: Two swallowed errors in ClientAuthentication.provision() cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: Missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: There is a path traversal vulnerability in Mindsdb's /api/files interface, which an authenticated attacker can exploit to achieve remote command execution.
Incident date: February 24, 2026 | Published: February 25, 2026
Impact: This is a stored Cross-Site Scripting (XSS) vulnerability affecting the website and author comment fields. The website field was HTML-escaped using quote=False, which left single and double quotes unescaped.
Incident date: February 24, 2026 | Published: February 25, 2026
Summary: OneUptime lets project members write custom JavaScript that runs inside monitors. The problem is that it executes that code using Node.js's built-in vm module, which Node.
Incident date: February 24, 2026 | Published: February 25, 2026
ImageMagick’s path security policy is enforced on the raw filename string before the filesystem resolves it. As a result, a policy rule such as /etc/* can be bypassed by a path traversal.
Incident date: February 24, 2026 | Published: February 25, 2026
When a PCD file does not contain a valid marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately...