Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder from versions 3.15.4 to before 3.21.7 and 4.0.0 to before 4.4.7, there is an incomplete fix for GHSA-6m52-m754-pw2g. Source code may still be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the devel

Nuxt is an open-source web development framework for Vue.js. In @nuxt/rspack-builder and @nuxt/webpack-builder versions 3.15.4 to before 3.21.6, and 4.0.0-alpha.1 to before 4.4.6, there is an incomplete fix for GHSA-4gf7-ff8x-hq99. Source code may be stolen during dev when using the webpack / rspack builder if the dev server is bound to a non-loopback address (e.g. nuxt dev --host) and the develop

Heptabase developed by Hepta Platforms has a Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining unauthorized access to camera and microphone permissions.

The Electron preload script in Logseq exposes an API method that allows the renderer process to invoke IPC handlers without proper path validation. An attacker with JavaScript execution in the renderer (e.g. via XSS or a malicious plugin), can read, write, or delete arbitrary files on the user's system. While only version v0.10.15 was tested and confirmed as vulnerable, status of other versions is

Home Assistant is open source home automation software that puts local control and privacy first. Prior to 2026.4.1 for iOS and 2026.4.4 for Android, he Home Assistant Companion apps for Android and iOS expose a JavaScript bridge to the in-app WebView window.externalApp on Android and webkit.messageHandlers.getExternalAuth (alongside revokeExternalAuth and externalBus) on iOS. Two flaws expose the

An Exposed Dangerous Method or Function vulnerability in Synology C2 Identity Edge Server package in DSM before 1.76.0-0307 allows remote attackers to obtain user credentials from the edge server.

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.

### Summary The MCP module's `ReplServer` binds to all interfaces (`0.0.0.0:4403`) and exposes a `/execute` endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main `PenpotMcpServer` was partially fixed for a similar binding issue (#8683), but `ReplServer.ts` was missed. ### Details `mcp/packages/server/src/ReplSer

Exposure of the QKEY (used as input into the ‘OTA-Quantum’ device registration process) and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform. This issue affects Symmetric Key Agreement Platform: before 26.03.

Exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug information such as metrics and health data. This issue affects Symmetric Key Agreement Platform: before 26.03.

Exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug information such as metrics and health data. This issue affects Symmetric Key Agreement Platform: before 26.03.

Exposure of the QKEY (used as input into the ‘OTA-Quantum’ device registration process) and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform. This issue affects Symmetric Key Agreement Platform: before 26.03.

### Impact A user with access to add/change a GitRepository record could use the REST API to directly set the `current_head` field on the record, which was not intended to be user-editable. Doing so could cause Nautobot's local clone(s) of the relevant repository to checkout a commit other than the latest commit on the specified `branch` (resulting in misleading state), or potentially to be unabl

The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.

The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.

Memory corruption while processing IOCTL command when device is in power-save state.