The Lab · 2026-03-26 15:27:20 · GitHub Issues
A critical security vulnerability, tracked as CVE-2026-25645, has been disclosed in the ubiquitous Python `requests` library. The flaw resides in a utility function that handles zip file extraction, creating a predictable path for attackers to exploit. This vulnerability allows a local attacker with write access to the...
The Lab · 2026-03-26 17:27:36 · GitHub Issues
A critical security vulnerability has been disclosed in the ubiquitous Python `requests` library, a foundational component for web communication in millions of applications. The flaw, tracked as CVE-2026-25645, resides in a utility function and creates a direct path for a local attacker to compromise system integrity. ...
The Lab · 2026-03-26 17:27:37 · GitHub Issues
The libpng project has released version 1.6.56, a security update addressing two high-severity vulnerabilities. The most significant fix is for CVE-2026-33416, a use-after-free flaw that has been embedded in the library's transparency and palette handling code since the 1990s. This was not an unknown oversight; the pro...
The Lab · 2026-03-26 18:27:32 · GitHub Issues
A critical security flaw has been identified in the widely used Pebble Java templating engine, version 3.2.0. The vulnerability, rated with a severity score of 6.8 (Medium), is confirmed as reachable within the application's codebase, posing a direct risk of exploitation. This is not a theoretical threat; the vulnerabl...
The Lab · 2026-03-27 05:27:03 · GitHub Issues
A critical security update for the widely-used JavaScript module bundler Webpack patches a DOM Clobbering vulnerability that can lead to cross-site scripting (XSS) attacks. The flaw, tracked as CVE-2024-43788, resides in Webpack's `AutoPublicPathRuntimeModule`. This module is a core component for determining the public...
The Lab · 2026-03-27 13:27:21 · GitHub Issues
A security advisory on GitHub highlights a potential denial-of-service (DoS) vector within a PHP data handling mechanism. The core issue is that all data processed through the `php://temp` stream is loaded into memory, with the system only defaulting to disk storage after exceeding 2 MB. This design means a very large ...
The Lab · 2026-03-27 21:27:23 · GitHub Issues
A critical security vulnerability has been disclosed in the widely-used Python `requests` library, tracked as CVE-2026-25645. The flaw resides in the `requests.utils.extract_zipped_paths()` utility function, which uses a predictable filename when extracting files from zip archives into the system's temporary directory....
The Lab · 2026-03-28 09:27:00 · GitHub Issues
A critical security vulnerability in the widely-used Handlebars.js templating engine has been patched, exposing countless web applications to potential prototype pollution attacks. The flaw, tracked as CVE-2026-33916, resides in the `resolvePartial()` function within the Handlebars runtime. This function performs a pla...
The Lab · 2026-03-28 14:27:01 · GitHub Issues
A local buffer overflow vulnerability (CVE-2016-20047) has been disclosed in EKG Gadu version 1.9~pre+r2855-3+b1. The vulnerability occurs during processing of the username parameter and has received a high severity rating of 8.6 under CVSS 4.0. The attack vector is local, attack complexity is low, and no privileges are required, which provides a dangerous entry point for an attacker with physical access to the system.
The vulnerability affects only specific versions of the EKG Gadu software. According to the official CVSS assessment, the impact of this vulnerability on the confidentiality, integrity, and availability of the vulnerable system is rated high...
The Lab · 2026-03-29 05:26:53 · GitHub Issues
A critical security vulnerability in the Angular framework has been patched, forcing a major version jump from v16 to v19 for dependent projects. The flaw, tracked as CVE-2026-22610 (GHSA-jrmj-c5cx-3cw6), is a cross-site scripting (XSS) vulnerability that stems from the framework's failure to properly sanitize SVG scri...
The Lab · 2026-03-30 11:27:13 · GitHub Issues
A critical security flaw in the popular React Native framework has been patched, exposing countless mobile applications to potential denial-of-service attacks. The vulnerability, a regular expression denial-of-service (ReDoS) within the `validateBaseUrl` function, could cause apps to consume excessive resources, become...
The Lab · 2026-03-30 11:27:14 · GitHub Issues
A critical security flaw, identified as prototype pollution, has been patched in the widely used `ini` npm package, a fundamental library for parsing INI configuration files across the Node.js ecosystem. The vulnerability, tracked as GHSA-qqgx-2p2h-9c37, existed in all versions prior to 1.3.6. If exploited, an attacker...
The Lab · 2026-03-31 17:27:28 · GitHub Issues
A critical security vulnerability in the widely-used Nodemailer library exposes applications to email misrouting. The flaw, tracked as CVE-2025-13033, stems from the library's incorrect handling of quoted local-parts containing the '@' symbol within email addresses. This parsing error can cause emails to be delivered t...
The Lab · 2026-03-31 23:27:23 · GitHub Issues
Three new vulnerabilities have been discovered in the standard library of Go 1.26 that may allow attackers to bypass security boundaries or cause network request parsing errors. These vulnerabilities are tracked as GO-2026-4600, GO-2026-4601 and GO-2026-4602, and all have been fixed in Go 1.26.1. Results from the security scanning tool `govulncheck` show that these vulnerabilities reside in the core `os` and `net/url` packages, affecting applications that make wide use of these standard-library features.
Specifically, GO-2026-4602 involves the `os` package and may allow a `FileInfo` object to escape from a `Root`, breaking the file system's access-control isolation. Code tracing shows that paths invoked through the `os.ReadDir` function may trigger this issue. Another...
The Lab · 2026-04-01 01:27:10 · GitHub Issues
A critical security vulnerability in the widely used Flask web framework could allow a client's session cookie to be leaked to other users through misconfigured proxy caches. The flaw, tracked as CVE-2023-30861, is triggered under specific conditions where a proxy caches HTTP responses containing `Set-Cookie` headers. ...
The Lab · 2026-04-01 10:26:56 · GitHub Issues
A critical security vulnerability in the widely-used Nodemailer email library allows for arbitrary SMTP command injection. The flaw, tracked as GHSA-c7w3-x93f-qmm8, exists when a custom `envelope` object containing a `size` property is passed to the `sendMail()` function. If the `size` value includes carriage return an...
The Lab · 2026-04-01 11:27:17 · GitHub Issues
A critical security vulnerability has been disclosed in the widely-used `yaml` npm package, tracked as CVE-2026-33532. The flaw, a stack overflow, allows an attacker to crash a Node.js application by supplying a maliciously crafted YAML document. The issue resides in the node resolution and composition phase, which use...
The Lab · 2026-04-01 13:27:19 · GitHub Issues
A critical security update for the ubiquitous JavaScript utility library Lodash has been issued, exposing millions of projects to severe vulnerabilities. The update to version 4.17.23 patches two high-severity flaws: a Command Injection vulnerability (CVE-2021-23337) and a Prototype Pollution vulnerability (CVE-2020-82...
The Lab · 2026-04-01 17:27:33 · GitHub Issues
A critical security vulnerability, CVE-2025-68429, has been disclosed in Storybook, a widely used frontend workshop tool. The flaw, discovered via responsible disclosure on December 11th, is a bug in how Storybook processes environment variables defined in `.env` files. This vulnerability is present in certain built an...
The Lab · 2026-04-01 23:56:51 · VentureBeat
A critical packaging error by Anthropic has exposed the complete, unobfuscated source code for its Claude Code AI agent, stripping away a foundational layer of security for any enterprise using the tool. On March 31, the company accidentally shipped a 59.8 MB source map file within the npm package, laying bare 512,000 ...