54724 matches found
DEBIAN-CVE-2026-11793
A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can...
CVE-2025-66273
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-10 05:23:12+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnvxscvkvr26... |
CVE-2026-44170
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-10 04:57:15+00:00 | seen | https://bsky.app/profile/securitylab-jp.bsky.social/post/3mnvwdsrfzk2z... |
CVE-2025-66280 QTS, QuTS hero
An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the...
CVE-2026-36809
Shenzhen Tenda Technology Co., Ltd Tenda W15E v15.11.0.10 was discovered to contain a buffer overflow in the webAuthWhiteID parameter of the formModifyWebAuthWhiteUser function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request...
CVE-2026-47838
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-10 01:47:12+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnvlpsknco2h... |
CVE-2026-53673
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-10 01:00:29+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mnvj4j6dmr2v |
| 2026-06-10 01:37:01+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnvl5ug2g62m... |
CVE-2026-47942
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-10 00:30:56+00:00 | seen | https://bsky.app/profile/experiencedigest.bsky.social/post/3mnvhhpj5gj2u... |
CVE-2026-53673 BuddyPress 14.4.0 Private Message IDOR via REST API user_id Parameter
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the...
CVE-2026-9742
When OIDC authentication is enabled in configuration, clients may set specific values in the "mechanism" parameter of the "authenticate" command that lead to server crash. The authenticate command is accessible to unauthenticated clients, leading to pre-auth denial-of-service in affected product...
CVE-2026-48292
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-09 22:00:58+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mnv73jjyya27... |
GHSA-MRHX-6PW9-Q5FH PhoenixStorybook has cross-session PubSub topic injection via URL parameter
Summary The storybook iframe LiveView accepts a PubSub topic from the URL query string and broadcasts its own pid onto that topic with no check that the topic belongs to the current session. Any unauthenticated visitor who knows or guesses another user's playground topic can hijack the...
CVE-2026-9742
The CVE-2026-9742 entry describes a vulnerability in MongoDB where, when OIDC authentication is enabled, a crafted value in the mechanism parameter of the authenticate command can crash the server. The authenticate command is reachable by unauthenticated clients, enabling pre-auth denial-of-servi...
CVE-2026-34417 OSCAL-GUI Reflected XSS via project parameter in oscal-forms.php
OSCAL-GUI contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious content through the project request parameter in oscal-forms.php. The parameter value is URL-decoded and assigned to...
CVE-2026-11585
A vulnerability was determined in CodeAstro Student Attendance Management System 1.0. Affected is an unknown function of the file /attendance-php/Admin/createClassArms.php. Manipulation of the argument classId causes SQL injection. The attack can be initiated remotely. The exploit has been...
CVE-2026-11559
A vulnerability was detected in CodeAstro Payroll System 1.0. This affects an unknown function of the file /viewaccount.php. Manipulation of the argument ID results in SQL injection. The attack may be performed remotely. The exploit is now public and may be used...
CVE-2026-42862
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the tool update endpoint of FlowiseAI. The endpoint allows authenticated users to modify server-controlled properties such as workspaceId,...
GHSA-46Q3-7GV7-QMGG Net::IMAP: Command Injection via ID command argument
Summary Two Net::IMAP commands, id and enable, do not validate their arguments. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. Please note that passing untrusted inputs to these commands is usually inappropriate and expected to be uncommon. Details Whe...
MINI-MWMR-7JXC-VRW8
Bulletin has no description...