20588 matches found

AstraLinux
added 2026/05/03 11:59 p.m. | 2 views

Astra Linux – Vulnerability in Apache2

Improper neutralization of vulnerabilities related to escape, meta, or control sequences in the Apache HTTP Server, caused by unexpected overrides of variables calculated by the server for CGI programs, through environment variables set via Apache configuration. This issue affects the Apache HTTP...

CVSS 6.5 | AI score 7.1 | EPSS 0.00758
Exploits: 0 | References: 2

AstraLinux
added 2026/05/03 11:59 p.m. | 4 views

Astra Linux – Vulnerability in Linux

An issue was discovered in the Linux kernel through version 5.11.x. The kernel/bpf/verifier.c file contains unwanted out-of-bounds speculation during pointer arithmetic operations, which allows for side-channel attacks that circumvent Spectre mitigations and extract sensitive information from kern...

CVSS 5.5 | AI score 6.4 | EPSS 0.01071
Exploits: 2 | References: 2

Veracode
added 2026/05/03 4:46 p.m. | 6 views

Improper Access Control

Caddy is vulnerable to Improper Access Control. The vulnerability is due to incorrect case-insensitive matching in the HTTP path request matcher when percent-encoded sequences are present, allowing attackers to alter request path casing and bypass path-based routing or attached access controls...

CVSS 9.1 | AI score 5.8 | EPSS 0.0037
Exploits: 1 | References: 3 | Affected Software: 2

GithubExploit
added 2026/05/02 9:15 p.m. | 123 views

Exploit for Incorrect Resource Transfer Between Spheres in Linux Linux_Kernel

CVE-2026-31431 — "Copy Fail": Linux Kernel algifaead Local...

CVSS 7.8 | AI score 6.4 | EPSS 0.75521
Exploits: 227

Snyk
added 2026/05/02 6:30 p.m. | 7 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the exportstate function in the MCP Interface component. An attacker can overwrite or access arbitrary files by supplying crafted input to manipulate file paths remotely. Details A Directory Traversal attack also...

CVSS 6.9 | AI score 6.3 | EPSS 0.00462
Exploits: 0 | References: 2

Snyk
added 2026/05/02 6:30 p.m. | 6 views

Directory Traversal

Overview sublinear-time-solver is a The Ultimate Mathematical & AI Toolkit: Sublinear algorithms, consciousness exploration, psycho-symbolic reasoning, chaos analysis, and temporal prediction in one unified MCP interface. WASM-accelerated with Lyapunov exponents and attractor dynamics. Affected...

CVSS 6.9 | AI score 7 | EPSS 0.00462
Exploits: 0 | References: 2

Snyk
added 2026/05/01 11:30 p.m. | 10 views

Directory Traversal

Overview mcp-game-asset-gen is a MCP server for asset generation - image, video, audio, and 3D APIs for game development Affected versions of this package are vulnerable to Directory Traversal via the imageto3dasync function when processing the statusFile argument. An attacker can access or modif...

CVSS 7.5 | AI score 7.5 | EPSS 0.00418
Exploits: 0 | References: 2

NVD
added 2026/05/01 5:16 p.m. | 3 views

CVE-2026-37531

AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal...

CVSS 9.8 | EPSS 0.00711
Exploits: 0 | References: 2

IBM Security Bulletins
added 2026/05/01 12:40 p.m. | 4 views

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by a remote code execution vulnerability (CVE-2025-14914)

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by a remote code execution vulnerability CVE-2025-14914. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...

CVSS 7.6 | AI score 6.6 | EPSS 0.0039
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2026/05/01 12:14 p.m. | 3 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses WebSphere Application Server Liberty which is affected by a remote code execution vulnerability and vulnerable to CVE-2025-14914.

Summary IBM Maximo Application Suite - Monitor Component uses WebSphere Application Server Liberty which is affected by a remote code execution vulnerability and vulnerable to CVE-2025-14914. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2025-149...

CVSS 7.6 | AI score 6.6 | EPSS 0.0039
Exploits: 0 | Affected Software: 1

GithubExploit
added 2026/05/01 12:9 p.m. | 158 views

Exploit for Missing Authentication for Critical Function in Cpanel

cPanelSniper CVE-2026-41940 — c...

CVSS 9.8 | AI score 5.9 | EPSS 0.90543
Exploits: 61

IBM Security Bulletins
added 2026/05/01 5:38 a.m. | 11 views

Security Bulletin: Multiple vulnerabilities affect Data Virtualization on IBM Software Hub (April 2026 - Part 1 of 2)

Summary Multiple vulnerabilities have been addressed in Data Virtualization on IBM Software Hub. Note that Data Virtualization was named Watson Query on IBM Cloud Pak for Data version 4.8. Vulnerability Details CVEID:CVE-2026-23949 DESCRIPTION: jaraco.context, an open-source software package that...

CVSS 8.6 | AI score 7.3 | EPSS 0.00527
Exploits: 3 | Affected Software: 1

Packet Storm
added 2026/05/01 12:0 a.m. | 87 views

📄 cPanel / WHM Authentication Bypass / CRLF Injection

A critical authentication bypass vulnerability exists in the cPanel/WHM cpsrvd daemon due to improper neutralization of line delimiters CRLF in the whostmgrsession cookie and Authorization headers. An unauthenticated remote attacker can leverage this flaw to inject malicious session parameters...

CVSS 9.8 | AI score 6.1 | EPSS 0.90543
Exploits: 61

CVE
added 2026/05/01 12:0 a.m. | 6 views

CVE-2026-37531

CVE-2026-37531 affects AGL app-framework-main up to 17.1.12. A Zip Slip path traversal (CWE-22) combined with a TOCTOU race (CWE-367) exists in the widget installation flow. The is_valid_filename function fails to block dot-notation directory traversal; zread uses openat(workdirfd, filename, O_C...

CVSS 9.8 | AI score 5.8 | EPSS 0.00711
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2026/05/01 12:0 a.m. | 28 views

CVE-2026-37531

AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal...

CVSS 9.8 | EPSS 0.00711
Exploits: 0 | References: 2

EUVD
added 2026/05/01 12:0 a.m. | 4 views

EUVD-2026-26685

AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal...

CVSS 9.8 | AI score 5.8 | EPSS 0.00711
Exploits: 0 | References: 2

ATTACKERKB
added 2026/05/01 12:0 a.m. | 4 views

CVE-2026-37531

AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal...

CVSS 9.8 | AI score 5.8 | EPSS 0.00711
Exploits: 0 | References: 3

Vulnrichment
added 2026/05/01 12:0 a.m. | 2 views

CVE-2026-37531

AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal...

CVSS 9.8 | AI score 5.8 | EPSS 0.00711
Exploits: 0 | References: 2

Positive Technologies
added 2026/05/01 12:0 a.m. | 0 views

PT-2026-36506

Name of the Vulnerable Software and Affected Versions AGL app-framework-main versions 17.1.12 and earlier Description A Zip Slip path traversal issue combined with a Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the widget installation flow. The is_valid_filename function in...

CVSS 9.8 | AI score 5.9 | EPSS 0.00711
Exploits: 0 | References: 9

NVD
added 2026/04/30 10:16 p.m. | 2 views

CVE-2026-3345

IBM Langflow Desktop =1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences /../ to view arbitrary files on the system...

CVSS 6.5 | EPSS 0.00374
Exploits: 0 | References: 1