PT-2026-38883

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Security. Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0....

PT-2026-38864

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Security. Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracl...

PT-2026-38817

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Concurrency. Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability...

PT-2026-39300

Name of the Vulnerable Software and Affected Versions Snipe-IT versions prior to 8.4.1 Description An authenticated user possessing only the users.edit permission can escalate their privileges to administrator. This occurs by sending a PATCH request to the '/api/v1/users/id' endpoint with the...

PT-2026-38663

Name of the Vulnerable Software and Affected Versions solidtime version 0.12.0 Description An issue exists where the 'PUT /api/v1/organizations/organization/time-entries/timeEntry' API accepts a route-bound timeEntry from a different organization. This occurs when the caller possesses the...

CVE-2025-67888

An issue was discovered in Control Web Panel CWP before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php when the "api" parameter is set is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject an...

Exploit for Improper Certificate Validation in Bluestacks

CVE-2025-44964 — BlueStacks v5.20 Improper SSL Certificate Val...

CVE-2026-8115 gyoridavid short-video-maker REST API rest.ts path traversal

A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The...

CVE-2026-8115

A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The...

Server-side Request Forgery (SSRF)

Overview utcp-http is an UTCP communication protocol plugin for HTTP, SSE, and streamable HTTP, plus an OpenAPI converter. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the calltool and calltoolstreaming functions when attacker-controlled URLs from OpenA...

UBUNTU-CVE-2026-40214

In OpenStack Cyborg before 16.0.1, the Accelerator Request ARQ API does not enforce project ownership at any layer. The projectid column in the database is never populated NULL for every ARQ, database queries have no project filtering, and policy checks are self-referential the authorizewsgi...

OSGeo GDAL vulnerable to heap-based buffer overflow

A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The...

GHSA-8MC6-XJPR-H98X Ech0 has Server-Side Request Forgery (SSRF) via Connect Handler fetchPeerConnectInfo

Summary The fetchPeerConnectInfo function in internal/service/connect/connect.go:214-239 uses httpUtil.SendRequest no SSRF protection instead of SendSafeRequest which has ValidatePublicHTTPURL with private IP blocking. This allows authenticated users to make the server request arbitrary URLs...

CVE-2026-7541 Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodie...

CVE-2026-7541 Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via unauthenticated API endpoint

A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to cause service disruption by sending crafted requests with deeply nested JSON payloads to an unauthenticated API endpoint. The endpoint parsed user-controlled JSON request bodie...

GHSA-RJ4G-RQGH-RX9H Ech0 comment model's Email field returned on public /api/comments endpoints

Summary The Comment model serializes its Email field through the public comment-listing API. internal/model/comment/comment.go:33 uses json:"email", while adjacent PII fields IPHash, UserAgent correctly use json:"-". The public endpoints GET /api/comments?echoid=X and GET...

Exposure of Private Personal Information to an Unauthorized Actor

Overview Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor via the Email field in the Comment model exposed through unauthenticated public API endpoints. An attacker can obtain the email addresses of all guest commenters by makin...

CVE-2026-44116

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...

UBUNTU-CVE-2026-8087

A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The...

CVE-2026-8087

A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldName results in heap-based buffer overflow. The attack must be initiated from a local position. The...