PT-2026-46006

Name of the Vulnerable Software and Affected Versions OP-TEE versions 3.16.0 through 4.10.x Description A use-after-free race condition exists in the shared memory teardown logic of FF-A within SPMC/SP flows. This occurs when OP-TEE is configured as an SPMC for S-EL0 SPs using CFG SECURE...

RHCOS 4 / 8 : OpenShift Container Platform 4.11.0 (RHSA-2022:5068)

The remote Red Hat Enterprise Linux CoreOS 4 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:5068 advisory. - golang.org/x/crypto: empty plaintext packet causes panic CVE-2021-43565 - golang: net/http: improper sanitization of...

Missing Authorization

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to Missing Authorization via the actionPay process. An attacker can access sensitive customer order information, including email and address details, by submitting an order number and causing the email...

CVE-2026-32270

The CVE affects Craft Commerce (Craft CMS) where PaymentsController::actionPay leaks order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. In affected versions 4.0.0–4.10.2 and 5.0.0–5.5.4, the JSON error response includes the ...

CVE-2026-31867 Craft Commerce has a Potential IDOR in Commerce carts

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.11.0 and 5.6.0, An Insecure Direct Object Reference IDOR vulnerability exists in Craft Commerce’s cart functionality that allows users to hijack any shopping cart by knowing or guessing its 32-character number. The CartController...

CVE-2026-31867

Craft Commerce (Craft CMS) Before versions 4.11.0 and 5.6.0, an Insecure Direct Object Reference (IDOR) vulnerability exists in the cart loading/modification flow. The CartController accepts a user-supplied 32-character cart number and loads a cart without ownership validation, allowing an attack...

Craft Commerce 安全漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions prior to 4.11.0 and 5.6.0 of Craft Commerce contained security vulnerabilities. These vulnerabilities stemmed from a lack of ownership verification in the shopping cart functionality, which coul...

CVE-2026-27840

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...

CVE-2026-27840

Technical details for CVE-2026-27840 are not provided in the supplied documents. Monitor for updates and vendor advisories for Zitadel versions and remediation.

CVE-2026-27840 ZITADEL's truncated opaque tokens are still valid

ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in the v2 format truncated to 80 characters are still considered valid. Zitadel uses a symmetric AES encryption for opaque tokens. The cleartext...

PT-2026-22066

Name of the Vulnerable Software and Affected Versions ZITADEL versions 2.31.0 through 3.4.6 ZITADEL versions 2.31.0 through 4.10.9 Description ZITADEL is an open source identity management platform. Starting in version 2.31.0 and prior to versions 3.4.7 and 4.11.0, opaque OIDC access tokens in th...

ZITADEL 安全漏洞

ZITADEL is a modern open-source alternative to Auth0, Firebase Auth, AWS Cognito, and Keycloak, developed for the era of containers and serverless environments by ZITADEL in Switzerland. There were security vulnerabilities in versions of ZITADEL between 2.31.0 and 3.4.7, as well as in version...

CVE-2022-38724

Silverstripe silverstripe/framework through 4.11.0, silverstripe/assets through 1.11.0, and silverstripe/asset-admin through 1.11.0 allow XSS...

CVE-2025-67490

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in...

CVE-2025-67490

CVE-2025-67490 affects the Auth0 Next.js SDK (auth0/nextjs-auth0). Versions 4.11.0–4.11.2 and 4.12.0 may cause simultaneous requests on the same client to produce improper lookups in the TokenRequestCache. The issue is fixed in versions 4.11.2 and 4.12.1. If you rely on this SDK, upgrade to 4.11....

Improper Request Caching Lookup in the Auth0 Next.js SDK

Description When using affected versions of the Next.js SDK, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. Am I Affected? You are affected if you meet the following preconditions: - Applications using the auth0/nextjs-aut...

CVE-2025-62790

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, fimfetchattributesstate implementation does not check whether timestring is NULL or not before calling strlen on it. A compromised agent can cause a crash of analysisd by sending a...

CVE-2025-62789

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, fimalert implementation does not check whether the return value of ctimer is NULL or not before calling strdup on it. A compromised agent can cause a crash of analysisd by sending a...

CVE-2025-62788

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, wcopyeventforlog references memory initially allocated in OSCleanMSG after it has been freed. A compromised agent can potentially compromise the integrity of the application by sending a...

CVE-2025-62790

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, fimfetchattributesstate implementation does not check whether timestring is NULL or not before calling strlen on it. A compromised agent can cause a crash of analysisd by sending a...