Security Vulnerabilities
Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.72.
CVSS Score
8.8
EPSS Score
0.0
Published
2026-02-03
A vulnerability was detected in bolo-blog bolo-solo up to 2.6.4. The impacted element is the function unpackFilteredZip of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component ZIP File Handler. Performing a manipulation of the argument File results in path traversal. The attack is possible to be carried out remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Score
6.3
EPSS Score
0.001
Published
2026-02-03
Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVSS Score
8.8
EPSS Score
0.0
Published
2026-02-03
Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVSS Score
8.8
EPSS Score
0.001
Published
2026-02-03
Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668.
CVSS Score
7.2
EPSS Score
0.0
Published
2026-02-03
Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665.
CVSS Score
4.7
EPSS Score
0.0
Published
2026-02-03
Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-02-03
Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material.
CVSS Score
5.9
EPSS Score
0.0
Published
2026-02-03
Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-02-03
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t
he fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically by ta
mpering with the the `vecsize` value read by `readOctetVector` — a 32-bit integer overflow can occur, causing `std::vector
::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3
.3.1, and 2.6.11 patch the issue.
CVSS Score
5.9
EPSS Score
0.0
Published
2026-02-03