Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution, loss of confidentiality and denial of service

Summary IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution CVE-2026-23950, CVE-2026-31802, CVE-2026-26960, CVE-2026-24842, CVE-2026-33228, CVE-2026-29786, CVE-2026-23745, CVE-2026-40175, GHSA-v8w9-8mx6-g223, CVE-2026-34601, CVE-2026-295...

Security Bulletin: Platform Navigator in IBM Cloud Pak for Integration is vulnerable to multiple vulnerabilities in undici

Summary Platform Navigator in IBM Cloud Pak for Integration is vulnerable to multiple vulnerabilities in undici CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2581. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-1525 DESCRIPTION:...

Directory Traversal

Overview org.apache.wicket:wicket-core is a Java web application framework that takes simplicity, separation of concerns and ease of development to a whole new level. Wicket pages can be mocked up, previewed and later revised using standard WYSIWYG HTML design tools. Dynamic content processing an...

Directory Traversal

Overview org.apache.wicket:wicket-core is a Java web application framework that takes simplicity, separation of concerns and ease of development to a whole new level. Wicket pages can be mocked up, previewed and later revised using standard WYSIWYG HTML design tools. Dynamic content processing an...

CVE-2026-6344

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without...

Denial Of Service

Marked is vulnerable to Denial of Service DoS. The vulnerability is due to improper handling of specific input sequences during parsing, where a crafted sequence \x09\x0b\n triggers infinite recursion, leading to unbounded memory allocation and application crash due to out-of-memory conditions...

Security Bulletin: IBM Edge Data Collector uses axios-1.13.6.tgz which is vulnerable to CVE-2026-40175.

Summary IBM Edge Data Collector uses axios-1.13.6.tgz which is vulnerable to CVE-2026-40175. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-40175 DESCRIPTION: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 a...

CVE-2026-6344

CVE-2026-6344 affects the WordPress Fluent Forms plugin (versions ≤ 6.2.1). The vulnerability arises in EmailNotificationActions::getAttachments() where attacker-supplied file-upload URLs are resolved to filesystem paths without strictly enforcing the uploads directory boundary. Path traversal se...

CVE-2026-6344 Fluent Forms <= 6.2.1 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal in Email Attachment

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without...

EUVD-2026-27536

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without...

CVE-2026-6344

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without...

CVE-2026-6344 Fluent Forms <= 6.2.1 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal in Email Attachment

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without...

PT-2026-38088

Name of the Vulnerable Software and Affected Versions Mistune versions 3.0.0a1 through 3.2.0 Description A Regular Expression Denial of Service ReDoS exists in the LINK TITLE RE regular expression. An attacker can provide specially crafted Markdown for parsing that triggers catastrophic...

PT-2026-37592

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description An issue exists in the Multipath TCP MPTCP path manager where the kernel fails to consistently set the ID as available when removing an endpoint. This can be triggered by specific...

Directory Traversal

Overview org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Directory Traversal via the EnvironmentController, ResourceController, and EncryptionController reque...

PT-2026-38316

Name of the Vulnerable Software and Affected Versions Angular SSR versions 19.0.0-next.0 through 19.2.24 Angular SSR versions 20.x through 20.3.24 Angular SSR versions 21.x through 21.2.8 Angular SSR versions 22.0.0-next.0 through 22.0.0-next.6 Description An issue exists in the processing logic ...

PT-2026-38253

Name of the Vulnerable Software and Affected Versions Nitro versions prior to 2.13.4 Nitro versions prior to 3.0.260429-beta Description An attacker can bypass proxy route rules by sending percent-encoded path traversal sequences ..%2f in the URL. This occurs when Nitro treats these characters as...

Directory Traversal

Overview org.springframework.cloud:spring-cloud-config-server is a library that provides an HTTP resource-based API for external configuration. Affected versions of this package are vulnerable to Directory Traversal via the retrieve and binary methods in ResourceController. An attacker can read...

PT-2026-38271

Name of the Vulnerable Software and Affected Versions Flight versions prior to 3.18.1 Description The make:controller CLI command allows arbitrary directory creation outside the project root. This occurs because the command calls mkdir..., recursive: true on a path constructed from a user-supplie...

PT-2026-37349

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without...