Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses follow-redirects-1.15.11.tgz which is vulnerable to CVE-2026-40895

Summary IBM Maximo Application Suite - Visual Inspection component uses follow-redirects-1.15.11.tgz which is vulnerable to CVE-2026-40895, This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2026-40895 DESCRIPTION: follow-redirects ...

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses brace-expansion-1.1.12.tgz, brace-expansion-5.0.4.tgz which is vulnerable to CVE-2026-33750

Summary IBM Maximo Application Suite - Visual Inspection component uses brace-expansion-1.1.12.tgz, brace-expansion-5.0.4.tgz which is vulnerable to CVE-2026-33750, This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2026-33750...

Security Bulletin: There is a vulnerability in kafka-clients-3.9.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-35554)

Summary There is a vulnerability in kafka-clients-3.9.1.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-35554 DESCRIPTION: A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be...

Security Bulletin: There is a vulnerability in vertx-core-4.5.24.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-6860)

Summary There is a vulnerability in vertx-core-4.5.24.jar used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-6860 DESCRIPTION: A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepte...

Atlassian Confluence 9.1.0 < 9.2.20 / 9.3.1 < 10.2.11 (CONFSERVER-103709)

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-103709 advisory. - This BASM Broken Authentication & Session Management vulnerability allows an unauthenticated attacker to perform actions as another user which ha...

CVE-2026-42845

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload GHSA-w4rc-p66m-x6qq. Public form uploads now strip path components from the POST-supplied filename and hard-block page-content extensions md, yaml...

CVE-2026-42842

The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0, a Stored Cross-Site Scripting XSS vulnerability exists in the Grav CMS Form plugin's select field template. Taxonomy tag and category values are rendered with the Twig |raw filter in the admin panel, bypassing the...

CVE-2026-42845

CVE-2026-42845 describes an unauthenticated page-content overwrite in Grav’s Form plugin prior to version 9.1.0. An attacker could upload a form file with a crafted filename (e.g., form.md) and, due to the destination handling, overwrite the target page’s Markdown content, potentially enabling pr...

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses github.com/jackc/pgproto3/v2-v2.3.3 which is vulnerable to CVE-2026-4427

Summary IBM Maximo Application Suite - Visual Inspection component uses github.com/jackc/pgproto3/v2-v2.3.3 which is vulnerable to CVE-2026-4427, This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2026-4427 DESCRIPTION: Rejected...

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses pyasn1 which is vulnerable to CVE-2026-30922

Summary IBM Maximo Application Suite - Visual Inspection component uses pyasn1 which is vulnerable to CVE-2026-30922, This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2026-30922 DESCRIPTION: pyasn1 is a generic ASN.1 library for...

Astra Linux - уязвимость в mariadb-10.3

Vulnerability in the MySQL Server product of Oracle MySQL component: InnoDB. Supported versions affected include 8.0.40 and earlier, 8.4.3 and earlier, and 9.1.0 and earlier. This easily exploitable vulnerability allows a high-privilege attacker with network access via multiple protocols to...

Information Disclosure in Confluence Data Center

This High severity Information Disclosure vulnerability was introduced in versions 9.1.0, 9.2.0, 9.3.1, 9.4.0, 9.5.1, 10.0.2, 10.1.0, and 10.2.0 of Confluence Data Center. This Information Disclosure vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

@13w/local-rag (>=1.6.0 <=1.7.2), @24letters/devservers (>=0.1.0 <=0.5.0) +588 more potentially affected by CVE-2026-6410 via @fastify/static (>=8.0.0 <=9.1.0)

@fastify/static NPM version =8.0.0, =1.6.0, =0.1.0, =0.1.0, =0.4.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0-beta.23, =0.0.1, =1.0.0, =2.0.0, =1.0.0, =1.0.44, =1.0.46 and more Source cves: CVE-2026-6410 Source advisory: SNYK:JS-FASTIFYSTATIC-16098211...

CVE-2026-6410

Affected product/component: @fastify/static, versions 8.0.0–9.1.0. Root cause: dirList.path() uses path.join() to resolve directories outside the configured static root without containment checks, enabling path traversal when directory listing is enabled via the list option. Impact: remote unauth...

CVE-2026-6414

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVE-2025-14876 affecting package qemu for versions less than 9.1.0-3

CVE-2025-14876 affecting package qemu for versions less than 9.1.0-3. A patched version of the package is available...

Fastify-Static 安全漏洞

Fastify-Static is an open-source plugin developed by Fastify. It is used to deliver static files as quickly as possible. Versions of Fastify-Static from 8.0.0 to 9.1.0 have security vulnerabilities; these vulnerabilities stem from path traversal when directory listings are enabled, which may lead...

CVE-2026-34400

Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version...

CVE-2026-34400

CVE-2026-34400 affects Alerta (alerta-server) prior to version 9.1.0. The vulnerability is in the Query string search API (q=) where user-supplied search terms were interpolated into SQL strings via f-strings in the PostgreSQL query parser, enabling SQL injection in WHERE clauses. The issue has b...

BIT-PRESTASHOP-2026-33674 PrestaShop: Improper Use of Validation Framework

PrestaShop is an open source e-commerce web application. Versions prior to 8.2.5 and 9.1.0 improperly use the validation framework. Versions 8.2.5 and 9.1.0 contain a fix. No known workarounds are available...