Nanshihui

**Name of the Vulnerable Software and Affected Versions** NumPy versions 1.16.0 and earlier **Description** An issue was discovered in NumPy where it uses the pickle Python module unsafely. This allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. The issue is disputed by third parties because it might have legitimate applications in loading serialized Python object arrays from trusted and authenticated sources. **Recommendations** For NumPy versions 1.16.0 and earlier, consider avoiding the use of the pickle Python module or restricting the loading of serialized objects to trusted sources until a fix is available. As a temporary workaround, consider disabling the use of numpy.load for untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** pandao Editor.md version 1.5.0 **Description** The issue is related to DOM XSS, where input starting with a `<<` substring is mishandled during the construction of an `A` element. **Recommendations** For pandao Editor.md version 1.5.0, as a temporary workaround, consider validating and sanitizing user input to prevent the inclusion of substrings starting with `<<` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SimpleMDE version 1.11.2 **Description** The issue concerns a mishandling of certain input characters, specifically `[` and `(`, during the construction of an `A` element, and an `onerror` attribute of a crafted `IMG` element. This can lead to XSS. **Recommendations** For SimpleMDE version 1.11.2, consider disabling the handling of `[` and `(` characters in input until a patch is available. Restrict access to the `A` element construction and `IMG` element handling to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.