These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-9267 is an out-of-bounds read vulnerability in the check_server_certificate() function of Eclipse tinydtls before commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221. This vulnerability allows unauthenticated attackers to trigger reads beyond valid buffer boundaries by crafting a Certificate handshake message with a specific fragment_length value. The vulnerability is caused by missing buffer length [truncated]
CVE-2026-4983 is a stored cross-site scripting (XSS) vulnerability in the Open VSX Registry. The vulnerability arises from the lack of sanitization of SVG files uploaded as extension icons before they are stored. These SVG files are served with a Content-Type of image/svg+xml and without security headers such as Content-Security-Policy or Content-Disposition: attachment. An attacker can exploit this by pu [truncated]
CVE-2026-46580 is a HIGH-severity vulnerability in Eclipse Theia, a cloud-native, multi-protocol IDE framework. In versions prior to 1.71.0, Theia automatically loaded files matching the pattern `.prompts/*.prompttemplate` in a workspace, allowing an attacker to craft malicious repository containing prompt template files. When a workspace was opened in Theia, these files could replace the AI's system inst [truncated]
Eclipse Theia versions prior to 1.71.0 contain a vulnerability (CVE-2026-22551) that allows attackers to exfiltrate sensitive information via AI chat rendered Markdown image tags. The vulnerability has a CVSS score of 6.7 and is classified as MEDIUM severity. An attacker could induce the AI agent to construct image URLs encoding sensitive information from the workspace or conversation context, sending it [truncated]
CVE-2026-9158 is a medium-severity vulnerability in Eclipse 4diac FORTE versions 3.0.0 to 3.1.0. A specially crafted DELETE connection command to the management interface can lead to a dangling pointer, allowing subsequent commands to access freed memory (use-after-free). This issue was published on June 18, 2026, and has a CVSS score of 5.2. Users of affected versions should take immediate action to miti [truncated]
CVE-2026-2587 describes a critical server-side Expression Language (EL) injection issue in a Glassfish-related gadget handling path. The supplied description indicates that untrusted values from .xml input are evaluated without proper sanitization or escaping, and a test payload such as #{7*7} returns 49, confirming server-side expression evaluation. The reported impact is severe: remote attackers may be [truncated]
CVE-2026-2586 is a critical authenticated remote code execution issue in GlassFish’s Administration Console. The supplied record says a user with access to the panel can send crafted requests that lead to arbitrary operating system command execution under the privileges of the application service user. Because exploitation requires high privileges but no user interaction, and the impact spans confidential [truncated]
CVE-2026-6918 is a high-severity vulnerability in Eclipse Open9J versions 0.21 to 0.58. A pre-authentication remote attacker can crash JITServer by sending a 32-byte crafted TCP message. This issue has been publicly disclosed and has a CVSS score of 8.7. The vulnerability affects Eclipse Open9J versions between 0.21.0 and 0.59.0. Users of affected versions should apply patches or mitigations provided by t [truncated]