
298 matches found

Tenable Nessus
added 2026/05/22 12:0 a.m., 3 views

Unity Linux 20.1060e / 20.1070e Security Update: maven-shared-utils (UTSA-2026-016689)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016689 advisory. In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection...

9.8 CVSS, 5.8 AI score, 0.00255 EPSS
Exploits 0, References 4
Positive Technologies
added 2026/05/15 12:0 a.m., 8 views

PT-2026-41315

Name of the Vulnerable Software and Affected Versions: LibJWT versions 3.0.0 through 3.3.2. Description: LibJWT accepts an RSA JSON Web Key (JWK) lacking an alg parameter as the verification key for HS256, HS384, or HS512 tokens. When using the OpenSSL backend, this results in HMAC verification...

9.1 CVSS, 5.8 AI score, 0.00027 EPSS
Exploits 0, References 4
RedHat Linux
added 2026/05/11 3:49 p.m., 9 views

Important: Red Hat Security Advisory: Red Hat AI Inference Server 3.3.3 (CUDA)

Red Hat AI Inference Server 3.3.3 CUDA is now available. Red Hat® AI Inference Server...

9.8 CVSS, 7.3 AI score, 0.00867 EPSS
Exploits 4, References 16
RedHat Linux
added 2026/05/11 2:14 p.m., 6 views

Important: Red Hat Security Advisory: Red Hat AI Inference Server 3.3.3 (ROCm)

Red Hat AI Inference Server 3.3.3 ROCm is now available. Red Hat® AI Inference Server...

9.8 CVSS, 7.3 AI score, 0.00867 EPSS
Exploits 7, References 24
RedHat Linux
added 2026/05/11 2:12 p.m., 10 views

Important: Red Hat Security Advisory: Red Hat AI Inference Server Model Optimization Tools 3.3.3 (CUDA)

Red Hat AI Inference Server Model Optimization Tools 3.3.3 CUDA is now available. Red Hat® AI Inference Server Model Optimization Tools...

9.8 CVSS, 7.3 AI score, 0.00867 EPSS
Exploits 5, References 22
CBLMariner
added 2026/04/23 8:30 p.m., 2 views

CVE-2026-1669 affecting package keras for versions less than 3.3.3-7

CVE-2026-1669 affecting package keras for versions less than 3.3.3-7. A patched version of the package is available...

7.5 CVSS, 5.3 AI score, 0.00014 EPSS
Exploits 0
NVD
added 2026/04/23 4:16 p.m., 3 views

CVE-2026-41238

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration (no CUSTOM_ELEMENT_HANDLING option), a prior prototype...

6.9 CVSS, 0.00039 EPSS
Exploits 0, References 2
IBM Security Bulletins
added 2026/04/23 10:3 a.m., 4 views

Security Bulletin: Carbon chart DOMPurify XSS Vulnerabilities (CVE-2025-15599, CVE-2026-0540)

Summary: Two cross-site scripting (XSS) vulnerabilities (CVE-2025-15599 and CVE-2026-0540) were identified in the DOMPurify library versions 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8. These vulnerabilities allow attackers to bypass attribute sanitization by exploiting missing rawtext element...

6.1 CVSS, 5.7 AI score, 0.00039 EPSS
Exploits 0, Affected Software 1
Tenable Nessus
added 2026/04/23 12:0 a.m., 1 views

Linux Distros Unpatched Vulnerability : CVE-2026-41238

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS...

6.9 CVSS, 5.8 AI score, 0.00039 EPSS
Exploits 0, References 4
OSV
added 2026/04/16 12:46 a.m., 1 views

GHSA-39Q2-94RC-95CP DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation

Summary: In src/purify.ts:1117-1123, ADD_TAGS as a function (via EXTRA_ELEMENT_HANDLING.tagCheck) bypasses FORBID_TAGS due to short-circuit evaluation. The condition: `!(tagCheck(tagName)) && (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName])`. When tagCheck(tagName) returns true, the entire condition is false and the...

5.3 CVSS, 5.8 AI score
Exploits 0, References 2
OSV
added 2026/04/01 9:34 a.m., 5 views

CLEANSTART-2026-SY28275 Security fixes for CVE-2025-0913, CVE-2025-4673, CVE-2025-47907, CVE-2026-24051, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, ghsa-2464-8j7c-4cjm, ghsa-9h8m-3fm2-qjrq, ghsa-fw7p-63qq-7hpr, ghsa-p77j-4mvh-x3m3 applied in versions: 3.3.2-r0, 3.3.3-r3, 3.3.3-r4, 3.4.2-r0

Multiple security vulnerabilities affect the kyverno-policy-reporter-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

9.1 CVSS, 6.9 AI score, 0.00074 EPSS
Exploits 1, References 23
NVD
added 2026/02/20 4:22 p.m., 3 views

CVE-2024-50452

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH Nexter Blocks (the-plus-addons-for-block-editor) allows Stored XSS. This issue affects Nexter Blocks: from n/a through <= 3.3.3...

6.5 CVSS, 0.00137 EPSS
Exploits 0, References 1
Cvelist
added 2026/02/20 3:46 p.m., 19 views

CVE-2024-50452 WordPress Nexter Blocks plugin <= 3.3.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH Nexter Blocks (the-plus-addons-for-block-editor) allows Stored XSS. This issue affects Nexter Blocks: from n/a through <= 3.3.3...

6.5 CVSS, 0.00137 EPSS
Exploits 0, References 1
Positive Technologies
added 2026/02/20 12:0 a.m., 2 views

PT-2026-21027

Name of the Vulnerable Software and Affected Versions: POSIMYTH Nexter Blocks (the-plus-addons-for-block-editor) versions through 3.3.3. Description: The software contains a flaw related to improper input handling during web page creation, which allows for Stored Cross-site Scripting (XSS). This means...

5.3 AI score, 0.00137 EPSS
Exploits 0, References 3
OSV
added 2026/02/12 12:0 a.m., 0 views

OPENSUSE-SU-2026:10187-1 haproxy-3.3.3+git0.465d8e2fc-1.1 on GA media

These are all security issues fixed in the haproxy-3.3.3+git0.465d8e2fc-1.1 package on the GA media of openSUSE Tumbleweed...

5.8 AI score
Exploits 0, References 1
Tenable Nessus
added 2026/02/10 12:0 a.m., 3 views

Unity Linux 20.1050a / 20.1060a / 20.1070a Security Update: pcs (UTSA-2026-005312)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005312 advisory. REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The...

7.5 CVSS, 8.4 AI score, 0.00679 EPSS
Exploits 0, References 4
Patchstack
added 2025/12/31 12:0 a.m., 3 views

WordPress Ultimate Blocks plugin <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin Ultimate Blocks versions <= 3.3.3...

6.4 CVSS, 5.9 AI score, 0.00176 EPSS
Exploits 0, References 1, Affected Software 1
CNNVD
added 2025/12/18 12:0 a.m., 1 views

scrcpy buffer error vulnerability

scrcpy is an open source Android device control software by Genymobile. A buffer error vulnerability exists in scrcpy versions 3.3.3 and earlier and 3e40b24 and earlier, which stems from a global buffer overflow in the sc_read32be function, which could lead to memory corruption or a crash...

9.1 CVSS, 6.8 AI score, 0.00088 EPSS
Exploits 1, References 5
Patchstack
added 2025/12/02 9:28 a.m., 6 views

WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.2 - Authenticated (Contributor+) Privilege Escalation via eh_crm_edit_agent AJAX Action vulnerability

Authenticated (Contributor+) Privilege Escalation via eh_crm_edit_agent AJAX Action vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions <= 3.3.2...

8.8 CVSS, 6.7 AI score, 0.00086 EPSS
Exploits 0, References 1, Affected Software 1
RedhatCVE
added 2025/11/28 8:8 p.m., 2 views

CVE-2025-64515

Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields...

4.3 CVSS, 6.8 AI score, 0.00053 EPSS
Exploits 0, References 1