Updated tomcat packages fix security vulnerability

Unbounded read in WebDAV LOCK and PROPFIND handling. CVE-2026-41284 HTTP/2 request headers not validated. CVE-2026-41293 WebSocket authentication header exposure. CVE-2026-42498 Digest authenticator will authenticate any unknown user. CVE-2026-43512 LockOutRealm treats user names as case-sensitiv...

CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits

The U.S.Cybersecurity and Infrastructure Security Agency CISA on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities KEV catalog, requiring Federal Civilian Executive Branch FCEB agencies to remediate the issue by May 17...

MLflow: unauthenticated access to certain FastAPI routes

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

GHSA-75CM-X2W3-8MGF MLflow: unauthenticated access to certain FastAPI routes

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

CVE-2026-2652

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

CVE-2026-2652 Authentication Bypass in mlflow/mlflow

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

CVE-2026-2652

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

CVE-2026-2652 Authentication Bypass in mlflow/mlflow

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

CVE-2026-2652

Summary (CVE-2026-2652) : In mlflow/mlflow

CVE-2026-45229

Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the configdata dictionary. Attackers can exploit insufficient deny-list filtering to...

CVE-2026-31234

Horovod thru 0.28.1 contains an insecure deserialization vulnerability CWE-502 in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary data via HTTP PUT...

CVE-2026-31240

The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records PUT /memories/memoryid are exposed without any verification of the requester's identity or permissions. A remote attacker can exploit...

EUVD-2026-30494

Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information. Attackers can access the endpoint without providing authentication credentials to obtain...

PT-2026-41396

Impact An attacker who can MITM the TLS connection between the client and the IDP within the TI network can substitute a forged discovery document. The forged document redirects u ri puk idp enc and uri puk idp sig to attacker-controlled URLs. The client then encrypts the SMC-B-signed challenge...

PT-2026-41273

The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email...

PT-2026-43462

Name of the Vulnerable Software and Affected Versions AVideo versions 29.0 and earlier Description A cross-site request forgery CSRF issue exists in the 2FA toggle functionality. The endpoint "plugin/LoginControl/set.json.php" accepts POST requests with the parameters type=set2FA and value=false ...

Trog::TOTP 安全特征问题漏洞

Trog::TOTP is a Perl module developed by TEODESIAN’s individual developers, which supports time-based one-time password generation and two-factor authentication. Versions of Trog::TOTP prior to 1.006 contained security vulnerabilities. These vulnerabilities stemmed from the use of the built-in Pe...

phpMyFAQ 安全漏洞

phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.1.2 contained security vulnerabilities. These vulnerabilities stemmed from the lack of limits on the number of authentication attempts at the /admin/check endpoint, allowing...

libjwt 加密问题漏洞

LibJWT is a C-language library developed by Ben Collins, designed for generating and verifying JSON Web Tokens. Versions 3.0.0 to 3.3.2 of LibJWT contain vulnerabilities related to encryption. These vulnerabilities arise from accepting RSA JWKs without an alg parameter as the verification key for...

PT-2026-41260

Name of the Vulnerable Software and Affected Versions mlflow versions prior to 3.10.0 Description An authentication bypass occurs when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authenticatio...