CVE-2026-41654

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission default on hosted Weblate SaaS and for any user holding an active billing/trial plan can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...

CVE-2026-41654 Weblate is Vulnerable to Authenticated SSRF via Project Backup Import bypassing validate_repo_url

Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission default on hosted Weblate SaaS and for any user holding an active billing/trial plan can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...

CLSA-2026-1778130778 tomcat: Fix of 2 CVEs

CVE-2025-48988: limit number and header size of multipart parts - CVE-2025-52520: use Math.addExact and long postSize to prevent overflow bypass of maxPostSize during multipart upload...

EUVD-2026-28265

Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type HTML encoding, allowing path traversal characters ../ to pass through unfiltered. Combined with the absence of CSRF...

CVE-2026-41656 Admidio: Path Traversal via Unvalidated `name` Parameter in Document Add Mode Enables Arbitrary Server File Read

Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type HTML encoding, allowing path traversal characters ../ to pass through unfiltered. Combined with the absence of CSRF...

CVE-2026-41656

CVE-2026-41656 (Admidio) : Prior to 5.0.9, the add mode of modules/documents-files.php accepts a name parameter with only string-based HTML encoding validation, allowing path traversal (../) and, combined with absent CSRF protection and SameSite=Lax cookies, enables a low-privilege attacker to tr...

CVE-2026-41656 Admidio: Path Traversal via Unvalidated `name` Parameter in Document Add Mode Enables Arbitrary Server File Read

Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type HTML encoding, allowing path traversal characters ../ to pass through unfiltered. Combined with the absence of CSRF...

CVE-2026-41656

Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type HTML encoding, allowing path traversal characters ../ to pass through unfiltered. Combined with the absence of CSRF...

SUSE CVE-2026-43086

In the Linux kernel, the following vulnerability has been resolved: ipvs: fix NULL deref in ipvsaddservice error path When ipvsbindscheduler succeeds in ipvsaddservice, the local variable sched is set to NULL. If ipvsstartestimator subsequently fails, the outerr cleanup calls...

PT-2026-38610

Name of the Vulnerable Software and Affected Versions FacturaScripts affected versions not specified Description A flaw in the Plugins::add function allows for a Zip Slip attack. The system does not properly validate file paths within uploaded ZIP archives in the Plugins.php file. Although the...

PT-2026-38449

A Remote Code Execution vulnerability was found in CODEASTRO Membership Management System v1.0 in /add members.php. This vulnerability affects the file upload functionality, where improper file sanitization allows attackers to inject malicious files which leads RCE...

CVE-2026-36387

CVE-2026-36387 affects CODEASTRO Membership Management System v1.0, specifically the /add_members.php file. The issue arises in the file upload functionality due to improper sanitization, allowing injection of malicious files that can lead to Remote Code Execution (RCE). The available documents c...

PT-2026-38440

Name of the Vulnerable Software and Affected Versions Sidekiq-cron versions prior to 2.3.2 Description Sidekiq-cron, an open-source scheduling add-on for Sidekiq, contains a cross-site scripting XSS flaw. This issue occurs when a crafted URL is rendered from the cron.erb file, allowing an attacke...

CLSA-2026-1778107205 Fix CVE(s): CVE-2026-23918

SECURITY UPDATE: double free / possible RCE in modhttp2 stream purge - debian/patches/CVE-2026-23918.patch: deduplicate inserts into the spurge array in modules/http2/h2mplx.c via a new addforpurge helper to prevent the same h2stream from being freed twice. - CVE-2026-23918...

EUVD-2026-27826

Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute arbitrary code via a crafted script to the Add Banner Ads function...

CVE-2026-36358

Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute arbitrary code via a crafted script to the Add Banner Ads function...

EUVD-2025-209672

In the Linux kernel, the following vulnerability has been resolved: most: core: fix resource leak in mostregisterinterface error paths The function mostregisterinterface did not correctly release resources if it failed early before registering the device. In these cases, it returned an error code...

CVE-2026-43167

In the Linux kernel, the following vulnerability has been resolved: xfrm: always flush state and policy upon NETDEVUNREGISTER event syzbot is reporting that "struct xfrmstate" refcount is leaking. unregisternetdevice: waiting for netdevsim0 to become free. Usage count = 2 reftracker:...

CVE-2025-71272

In the Linux kernel, the following vulnerability has been resolved: most: core: fix resource leak in mostregisterinterface error paths The function mostregisterinterface did not correctly release resources if it failed early before registering the device. In these cases, it returned an error code...

CVE-2026-43158 xfs: fix freemap adjustments when adding xattrs to leaf blocks

In the Linux kernel, the following vulnerability has been resolved: xfs: fix freemap adjustments when adding xattrs to leaf blocks xfs/592 and xfs/794 both trip this assertion in the leaf block freemap adjustment code after 20 minutes of running on my test VMs: ASSERTichdr-firstused = ichdr-count...