Arjun Shibu

**Name of the Vulnerable Software and Affected Versions** TensorFlow versions prior to 2.6.0 TensorFlow versions 2.5.1 and earlier TensorFlow versions 2.4.3 and earlier TensorFlow versions 2.3.4 and earlier **Description** TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model from YAML format. The implementation uses `yaml.unsafe load` which can perform arbitrary code execution on the input. **Recommendations** For versions prior to 2.6.0, update to TensorFlow 2.6.0 or later. For versions 2.5.1 and earlier, update to TensorFlow 2.5.1 or later. For versions 2.4.3 and earlier, update to TensorFlow 2.4.3 or later. For versions 2.3.4 and earlier, update to TensorFlow 2.3.4 or later. As a temporary workaround, consider disabling YAML format support until a patch is available. Restrict access to the `models.model from yaml` function to minimize the risk of exploitation. Avoid using the `yaml.unsafe load` function in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** apexcharts versions prior to 3.24.0 **Description** The issue is related to a lack of sanitization of graph legend fields, which can lead to Cross-site Scripting (XSS). **Recommendations** For versions prior to 3.24.0, update to version 3.24.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** nested-object-assign versions prior to 1.0.4 **Description** The issue concerns Prototype Pollution via the default function. **Recommendations** For versions prior to 1.0.4, update to version 1.0.4 or later to resolve the issue.