Command injection in the Microsoft Foundry Toolkit VS Code extension (formerly
AI Toolkit) where child_process.exec() interpolated an attacker-controlled
Python interpreter path, sourced from python.defaultInterpreterPath in
workspace settings, directly into a shell command string. On Linux/macOS,
double-quoting the path enabled POSIX command substitution, allowing arbitrary
code execution when a developer opened a malicious repository. No CVE was
assigned; Microsoft cited automatic extension updates and limited user impact.
Fixed in version 0.32.0.
Discovered Vulnerabilities
The public ones.
IDOR in Retrieval API (CVE-2026-45398): _validate_collection_access()
only checked user-memory-* and file-* prefixes, leaving
knowledge base UUID collections unguarded: any authenticated user could read,
corrupt, or destroy another user's private knowledge base.
SSRF via HTTP Redirect Following (CVE-2026-45401): validate_url()
checked only the initial URL but downstream HTTP clients followed 3xx redirects
without re-validation, allowing any authenticated user to reach internal services
via the web-fetch, image-load, and chat-completion endpoints.
Both fixed in Open WebUI 0.9.5.
SQL injection in Spring AI's vector store implementations, where filter expression output was concatenated directly into SQL statements without parameterization. Affected PgVectorStore, OracleVectorStore, and CouchbaseSearchVectorStore, allowing attackers to bypass tenant isolation, exfiltrate data, and delete arbitrary records. Fixed in Spring AI 1.0.6 and 1.1.5.
Discovered 18 vulnerabilities in Cisco SPA100 Series Analog Telephone Adapters (ATAs) including multiple stack and heap buffer overflows for remote code execution, admin password hash extraction, plaintext credential leakage, stored and reflected XSS, and arbitrary file disclosure. Co-researched with Alex Weber.
Found 6 vulnerabilities in ASUSTOR NAS devices running ADM 3.1.5 and below. Authenticated file upload leading to remote code execution, arbitrary file deletion via path traversal, account enumeration, file disclosure for both user and admin roles, and a man-in-the-middle XSS via update checks.
Local privilege escalation to root in IBM Netezza Platform Software. A setuid root binary executed a Perl script from a world-writable directory, allowing unprivileged users to inject code and gain root access.
Authenticated RCE in Firebird database server. By declaring external user-defined functions with incompatible parameter types, an attacker could overwrite function pointers and achieve SYSTEM-level code execution.