23 matches found

OSV | added 2026/05/06 12:30 p.m. | 1 view

GHSA-5X9H-93GP-CHPJ Apache Wicket has a Cross-site Scripting issue

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

CVSS 6.1 | AI score 5.8 | EPSS 0.00183 | Exploits 0 | References 4
NVD | added 2026/05/06 10:16 a.m. | 1 view

CVE-2026-40010

Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version...

CVSS 9.1 | EPSS 0.00111 | Exploits 0 | References 2
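The CVE-2026-40010 entry above turns on one missing call: after a user authenticates, the session id chosen before login keeps working, so an id an attacker planted in the victim's browser becomes an authenticated session. The Python model below is an added example, not code from Wicket or from the Servlet API; it uses a constructed in-memory session table and a constructed user table, and the rotation in login_fixed stands in for what HttpServletRequest.changeSessionId() (Servlet 3.1 and later) does in a container: move the session's attributes to a fresh, unpredictable id and stop resolving the old one.

```python
import hmac
import secrets

# Constructed credential table for the example (real code stores password hashes).
USERS = {"alice": "correct horse battery staple"}


def check_password(user, password):
    """Constant-time comparison against the constructed table."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


class SessionStore:
    """Minimal server-side session table: session id -> attribute dict."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        """Issue an anonymous session, as a container does on a first request."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {}
        return sid

    def principal(self, sid):
        """Who is bound to this id? None if the id is unknown or still anonymous."""
        sess = self.sessions.get(sid)
        return sess.get("user") if sess is not None else None


def login_vulnerable(store, sid, user, password):
    """Bind the principal to the session the request arrived with.

    This is the pattern the advisory describes: the id that existed before
    authentication (possibly planted by an attacker) stays valid afterwards.
    Returns the id the client keeps using, or None on bad credentials."""
    if not check_password(user, password):
        return None
    store.sessions[sid]["user"] = user
    return sid


def login_fixed(store, sid, user, password):
    """Authenticate, then rotate the session id before binding the principal.

    Models HttpServletRequest.changeSessionId(): attributes move to a fresh id,
    the old id stops resolving, so a pre-planted id is worthless to the attacker."""
    if not check_password(user, password):
        return None
    attrs = store.sessions.pop(sid, {})
    new_sid = secrets.token_urlsafe(32)
    attrs["user"] = user
    store.sessions[new_sid] = attrs
    return new_sid


def fixation_attempt(login):
    """Play the fixation scenario against a login implementation.

    1. The attacker obtains a legitimate anonymous session from the application.
    2. The attacker plants that id in the victim's browser (how is out of scope
       here; the example assumes it succeeds).
    3. The victim logs in while sending the planted cookie.
    4. The attacker replays the planted id.
    Returns (principal seen by the attacker, principal seen by the victim)."""
    store = SessionStore()
    planted = store.new_session()
    victim_sid = login(store, planted, "alice", "correct horse battery staple")
    return store.principal(planted), store.principal(victim_sid)


if __name__ == "__main__":
    print("vulnerable:", fixation_attempt(login_vulnerable))  # ('alice', 'alice')
    print("fixed:     ", fixation_attempt(login_fixed))       # (None, 'alice')
```

The check to add in a real deployment is the same shape as fixation_attempt: obtain a session cookie unauthenticated, log in with it, and confirm the cookie value changed and the old value no longer resolves to the authenticated user.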
AttackerKB | added 2026/05/06 8:31 a.m. | 4 views

CVE-2026-43646

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue...

AI score 5.8 | EPSS 0.00082 | Exploits 0 | References 2 | Affected Software 1
CNNVD | added 2026/05/06 12:00 a.m. | 4 views

Apache Wicket information disclosure vulnerability

Apache Wicket is an open-source, lightweight, component-based framework developed by the Apache Software Foundation. It provides an object-oriented approach for developing web-based dynamic UI applications. Versions of Apache Wicket from 8.0.0 to 8.17.0, from 9.0.0 to 9.22.0, and from...

CVSS 7.5 | AI score 5.8 | EPSS 0.00082 | Exploits 0 | References 1
Positive Technologies | added 2026/05/06 12:00 a.m. | 3 views

PT-2026-37383

Name of the Vulnerable Software and Affected Versions: Apache Wicket versions 8.0.0 through 8.17.0; Apache Wicket version 9.0.0; Apache Wicket versions 10.0.0 through 10.8.0. Description: Improper neutralization of input during web page generation allows for Cross-site Scripting (XSS), a flaw where an...

CVSS 6.1 | AI score 5.9 | EPSS 0.00183 | Exploits 0 | References 7
Tenable Nessus | added 2026/01/07 12:00 a.m. | 4 views

Slackware Linux 15.0 / current curl Multiple Vulnerabilities (SSA:2026-007-01)

The version of curl installed on the remote host is prior to 8.17.0 / 8.18.0. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2026-007-01 advisory. New curl packages are available for Slackware 15.0 and -current to fix security issues. Tenable has extracted the...

CVSS 5.9 | AI score 6.7 | EPSS 0.00061 | Exploits 1 | References 4
NVD | added 2025/12/17 10:16 p.m. | 2 views

CVE-2025-68129

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if the...

CVSS 7.5 | EPSS 0.00087 | Exploits 0 | References 12
OSV | added 2025/12/17 10:07 p.m. | 3 views

CVE-2025-68129 Auth0-PHP SDK has Improper Audience Validation

Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens. Projects are affected if the...

CVSS 6.8 | AI score 6.8 | EPSS 0.00087 | Exploits 0 | References 14
CNNVD | added 2025/12/17 12:00 a.m. | 1 view

Auth0-PHP security vulnerability

Auth0-PHP is Auth0's open-source PHP SDK for the Auth0 Authentication and Management APIs. A security vulnerability exists in Auth0-PHP versions 8.0.0 through 8.17.0 that stems from improper audience validation of access tokens, which could result in ID tokens being accepted as access tokens...

CVSS 7.5 | AI score 6.8 | EPSS 0.00087 | Exploits 0 | References 13
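The three CVE-2025-68129 entries above (NVD, OSV, CNNVD) all describe the same failure: an ID token, whose audience is the client id, gets accepted where an access token for the API was required. The following is an added example in Python, not Auth0-PHP code and not a description of the SDK's actual bug; it works on already-decoded JWT headers and claims, assumes signature verification has been done first, and uses constructed issuer, audience, client id and token values. The loose variant is a hypothetical illustration of how an audience check can be wide enough to let an ID token through.

```python
import time

# Constructed identifiers for the example (not a real tenant, API or client).
ISSUER = "https://tenant.example.test/"
API_AUDIENCE = "https://api.example.test"   # identifier of the resource server (API)
CLIENT_ID = "abc123clientid"                # the application that obtained the tokens


def _as_list(value):
    """'aud' may be a single string or an array of strings (RFC 7519, section 4.1.3)."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _validate(header, claims, accepted_audiences, issuer, now, leeway):
    """Claim-level checks shared by the strict and loose variants.

    Signature verification against the issuer's JWKS is assumed to have happened
    already; header and claims are the decoded JSON objects. Returns (ok, reason)."""
    now = time.time() if now is None else now
    typ = header.get("typ")
    if typ is not None and typ.lower() not in ("jwt", "at+jwt", "application/at+jwt"):
        return False, "unexpected typ header %r" % typ
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = set(_as_list(claims.get("aud")))
    if not aud & accepted_audiences:
        return False, "aud=%r contains none of %r" % (sorted(aud), sorted(accepted_audiences))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        return False, "expired or missing exp"
    iat = claims.get("iat")
    if isinstance(iat, (int, float)) and iat > now + leeway:
        return False, "iat in the future"
    return True, "ok"


def validate_access_token(header, claims, *, issuer=ISSUER, audience=API_AUDIENCE,
                          now=None, leeway=60):
    """Strict: the token must name the API as one of its audiences.

    An ID token's aud is the client id, never the API identifier, so this one
    set-membership test is what keeps ID tokens from passing as access tokens.
    Issuers that emit RFC 9068 tokens (typ=at+jwt) can additionally require that typ."""
    return _validate(header, claims, {audience}, issuer, now, leeway)


def validate_access_token_loose(header, claims, *, issuer=ISSUER, audience=API_AUDIENCE,
                                client_id=CLIENT_ID, now=None, leeway=60):
    """Hypothetical loose variant (not the SDK's code): also treats the client id as an
    acceptable audience. That single relaxation is enough for an ID token to pass."""
    return _validate(header, claims, {audience, client_id}, issuer, now, leeway)


# Constructed, already-decoded tokens issued to the same user by the same issuer.
NOW = 1_700_000_000
ACCESS_HEADER = {"alg": "RS256", "typ": "at+jwt", "kid": "key-1"}
ACCESS_CLAIMS = {
    "iss": ISSUER, "sub": "auth0|user1", "aud": [API_AUDIENCE, ISSUER + "userinfo"],
    "iat": NOW - 10, "exp": NOW + 3600, "azp": CLIENT_ID, "scope": "openid read:reports",
}
ID_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "key-1"}
ID_CLAIMS = {
    "iss": ISSUER, "sub": "auth0|user1", "aud": CLIENT_ID,
    "iat": NOW - 10, "exp": NOW + 3600, "nonce": "n-0S6_WzA2Mj", "email": "user1@example.test",
}

if __name__ == "__main__":
    for label, fn in (("strict", validate_access_token), ("loose", validate_access_token_loose)):
        print(label, "access token:", fn(ACCESS_HEADER, ACCESS_CLAIMS, now=NOW))
        print(label, "ID token:    ", fn(ID_HEADER, ID_CLAIMS, now=NOW))
```

A quick check against any resource server is the ID-token substitution itself: obtain both tokens for one user, present the ID token as the bearer token, and expect a 401; a 200 means the audience check is as loose as the hypothetical variant above.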
openSUSE Linux | added 2025/11/22 12:00 a.m. | 7 views

curl-8.17.0-1.1 on GA media (moderate)

curl-8.17.0-1.1 on GA media. Announcement ID: openSUSE-SU-2025:15757-1. Rating: moderate. Cross-References: CVE-2025-10966, CVE-2025-11563. CVSS scores: CVE-2025-10966 SUSE: 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N; CVE-2025-10966 SUSE: 7.6...

CVSS 7.6 | AI score 7.2 | EPSS 0.00033 | Exploits 1
OSV | added 2025/11/21 12:00 a.m. | 1 view

OPENSUSE-SU-2025:15757-1 curl-8.17.0-1.1 on GA media

These are all security issues fixed in the curl-8.17.0-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 4.6 | AI score 6 | EPSS 0.00033 | Exploits 1 | References 2
HackerOne | added 2025/11/16 7:32 a.m. | 11 views

curl: Double-free vulnerability in libcurl with rustls via NoServerCertVerifier condition leads to application crash

Summary: There is a double-free in libcurl with rustls. The root cause is reported and it is fixed in https://github.com/curl/curl/pull/19425, while I did not try to evaluate the actual triggering at that time. No AI was used to find the issue or generate the report. Affected version: It was...

AI score 6.7 | Exploits 0
HackerOne | added 2025/10/31 9:48 p.m. | 8 views

curl: curl built with GnuTLS backend defaults to weak crypto parameters

Summary: Curl configured with the GnuTLS backend (--with-gnutls) defaults to using "NORMAL" as the base level of the library's cryptographic security. From the GnuTLS documentation: The message authenticity security level is of 64 bits or more, and the certificate verification profile is set to GNUTLS_PROFILE_LOW...

AI score 6.8 | Exploits 0
Red Hat CVE | added 2025/10/06 6:14 a.m. | 8 views

CVE-2025-58769

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths o...

CVSS 3.3 | AI score 7 | EPSS 0.00092 | Exploits 0 | References 1
GitHub Security Blog | added 2025/10/01 9:20 p.m. | 4 views

auth0-PHP SDK Does Not Properly Handle File Types in Bulk User Import

Overview: In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. Am I affected? You are affected by this vulnerability if you meet the...

CVSS 3.3 | AI score 7.1 | EPSS 0.00092 | Exploits 0 | References 8 | Affected Software 1
NVD | added 2025/10/01 8:18 p.m. | 8 views

CVE-2025-58769

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths o...

CVSS 3.3 | EPSS 0.00092 | Exploits 0 | References 6
OSV | added 2025/10/01 7:57 p.m. | 1 view

CVE-2025-58769 auth0-PHP: Improper File Type Handling in Bulk User Import

auth0-PHP is an SDK for Auth0 Authentication and Management APIs. In versions 3.3.0 through 8.16.0, the Bulk User Import endpoint in applications built with the SDK does not validate the file-path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths o...

CVSS 3.3 | AI score 6.7 | EPSS 0.00092 | Exploits 0 | References 8
Positive Technologies | added 2025/10/01 12:00 a.m. | 1 view

PT-2025-40296

Name of the Vulnerable Software and Affected Versions: auth0-PHP versions 3.3.0 through 8.16.0. Description: The Bulk User Import endpoint does not validate file path wrappers or values, potentially allowing acceptance of arbitrary file paths or URLs. This affects applications directly using the...

CVSS 3.3 | AI score 6.8 | EPSS 0.00092 | Exploits 0 | References 21
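The five CVE-2025-58769 entries above (Red Hat, GitHub, NVD, OSV, Positive Technologies) share one point: a value meant to name an upload file is passed to the file-reading layer without checking whether it is a plain local path at all, so a stream wrapper or URL can be handed in instead. The following is an added example in Python, not auth0-PHP code and not a reconstruction of the SDK's fix; the import directory and candidate values are constructed, and the check is pure path arithmetic so it runs without touching the filesystem.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed: the only directory import files may be read from.
IMPORT_DIR = "/srv/app/imports"


def local_import_path(value, base_dir=IMPORT_DIR):
    """Accept only a relative path to a file inside base_dir; reject wrappers and URLs.

    Returns the normalised absolute path or raises ValueError. Nothing is opened
    here; the caller still opens the result and should resolve symlinks
    (os.path.realpath) and confirm it is a regular file, not a FIFO or device."""
    if not isinstance(value, str) or not value or "\x00" in value:
        raise ValueError("import path must be a non-empty string without NUL")
    # Anything with a scheme is a stream wrapper or URL, not a file name:
    # 'php://filter/...', 'http://...', 'data:...', 'file:...'. urlsplit treats a
    # leading 'letters:' as a scheme, so a name such as 'report:2024.json' is also
    # refused; that false positive is preferable to letting a wrapper through.
    if urlsplit(value).scheme:
        raise ValueError("stream wrappers and URLs are not allowed: %r" % value)
    if posixpath.isabs(value):
        raise ValueError("absolute paths are not allowed: %r" % value)
    candidate = posixpath.normpath(posixpath.join(base_dir, value))
    # Containment: after collapsing any '..' steps the result must still be a
    # strict descendant of base_dir (the directory itself is not a file).
    if candidate == base_dir or posixpath.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError("path escapes the import directory: %r" % value)
    return candidate


def classify(values, base_dir=IMPORT_DIR):
    """Run the check over a batch of candidate values; returns {value: path or reason}."""
    out = {}
    for v in values:
        try:
            out[v] = local_import_path(v, base_dir)
        except ValueError as e:
            out[v] = "rejected: " + str(e)
    return out


# Constructed candidates: one legitimate file, then the kinds of value an
# unvalidated endpoint would hand straight to the file-reading layer.
CONSTRUCTED_VALUES = [
    "batch-2025-10/users.json",
    "php://filter/convert.base64-encode/resource=../config.php",
    "http://attacker.example.test/users.json",
    "data:text/plain;base64,W10=",
    "../../../etc/passwd",
    "/etc/passwd",
]

if __name__ == "__main__":
    for v, r in classify(CONSTRUCTED_VALUES).items():
        print("%-60s -> %s" % (v, r))
```

The scheme test is deliberately the first gate: containment checks alone do not help against a wrapper, because "php://filter/..." never resolves to a directory at all and whatever opens it decides what it means.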
Positive Technologies | added 2025/01/01 12:00 a.m. | 1 view

PT-2025-47036

Name of the Vulnerable Software and Affected Versions: curl versions prior to 8.17.0. Description: The software is susceptible to a path traversal issue when handling URLs with percent-encoded slashes. This could allow an attacker to access files outside the intended directory. Recommendations: Updat...

CVSS 7.5 | AI score 6.5 | EPSS 0.00275 | Exploits 5 | References 38
Elastic | added 2024/12/17 8:29 p.m. | 6 views

Elasticsearch 8.16.2 / 8.17.0 Security Update

Elasticsearch Incorrect Authorization (ESA-2024-46). An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow...

CVSS 6.5 | AI score 7 | EPSS 0.00369 | Exploits 0