This archive includes all published incident pages. Page 8 of 18.
Each page is intended to help a security team answer three questions quickly: why the issue is AI-relevant, what part of the workflow may be exposed, and what actions should happen first.
Incident date: February 23, 2026 | Published: February 25, 2026
Summary: When yt-dlp's --netrc-cmd command-line option (or netrc_cmd Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL.
Incident date: February 23, 2026 | Published: February 25, 2026
Report of SQL Injection Vulnerability in Ormar ORM: A SQL injection attack can be achieved by passing a crafted string to the min() or max() aggregate functions.
Incident date: February 23, 2026 | Published: February 25, 2026
Summary: A SQL LIKE wildcard injection vulnerability in the /api/token/search endpoint allows authenticated users to cause Denial of Service through resource exhaustion by crafting malicious search patterns.
Incident date: February 20, 2026 | Published: February 25, 2026
Summary: A timing-based username enumeration vulnerability in Basic Authentication, caused by an early response on invalid usernames, could allow attackers to identify valid users and focus their efforts on targeted brute-force or...
Incident date: February 19, 2026 | Published: February 20, 2026
OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension allowed sendMediaFeishu to treat attacker-controlled mediaUrl values as local filesystem paths and read them directly.