11424 matches found

Tenable Nessus
added 2026/04/17 12:0 a.m. | 3 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007445)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007445 advisory. In the Linux kernel, the following vulnerability has been resolved: mmc: meson-gx: fix return value check of mmc_add_host. mmc_add_host may return error, if we ignore its...

AI score 5.8 | EPSS 0.00173
Exploits 0 | References 4
Tenable Nessus
added 2026/04/17 12:0 a.m. | 5 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007507)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007507 advisory. In the Linux kernel, the following vulnerability has been resolved: tcp: fix a signed-integer-overflow bug in tcp_add_backlog. The type of sk_rcvbuf and sk_sndbuf in stru...

AI score 5.9 | EPSS 0.00168
Exploits 0 | References 4
Tenable Nessus
added 2026/04/17 12:0 a.m. | 4 views

Unity Linux 20.1070a Security Update: pcs (UTSA-2026-007275)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007275 advisory. Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's...

CVSS 7.5 | AI score 6.4 | EPSS 0.00396
Exploits 0 | References 4
Tenable Nessus
added 2026/04/17 12:0 a.m. | 2 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007599)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007599 advisory. In the Linux kernel, the following vulnerability has been resolved: mmc: atmel-mci: fix return value check of mmc_add_host. mmc_add_host may return error, if we ignore it...

AI score 5.8 | EPSS 0.00173
Exploits 0 | References 4
Tenable Nessus
added 2026/04/17 12:0 a.m. | 3 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007525)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007525 advisory. In the Linux kernel, the following vulnerability has been resolved: mmc: wmt-sdmmc: fix return value check of mmc_add_host. mmc_add_host may return error, if we ignore it...

CVSS 5.5 | AI score 5.8 | EPSS 0.00185
Exploits 0 | References 4
Tenable Nessus
added 2026/04/17 12:0 a.m. | 2 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007416)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007416 advisory. In the Linux kernel, the following vulnerability has been resolved: mmc: moxart: fix return value check of mmc_add_host. mmc_add_host may return error, if we ignore its...

CVSS 5.5 | AI score 5.8 | EPSS 0.00149
Exploits 0 | References 4
Fedora
added 2026/04/16 11:42 p.m. | 6 views

[SECURITY] Fedora 44 Update: ksshaskpass-6.6.4-1.fc44

An ssh-add helper that uses kwallet and kpassworddialog...

AI score 5.8
Exploits 0
Snyk
added 2026/04/16 8:45 p.m. | 2 views

Server-side Request Forgery (SSRF)

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the fetch_url function in the webhook add-on. An attacker can access internal resources by supplying...

CVSS 5.9 | AI score 5.7 | EPSS 0.00275
Exploits 0 | References 2
Github Security Blog
added 2026/04/16 8:45 p.m. | 7 views

Weblate: SSRF via the webhook add-on using unprotected fetch_url()

Impact The webhook add-on did not utilize existing SSRF protection. Patches https://github.com/WeblateOrg/weblate/pull/18815 Workarounds Disabling the add-on would avoid misusing this. References Thanks to @Lihfdgjr for reporting this via GitHub...

CVSS 4.1 | AI score 5.8 | EPSS 0.00275
Exploits 0 | References 5 | Affected Software 1
EUVD
added 2026/04/16 8:45 p.m. | 4 views

EUVD-2026-23018

Weblate: SSRF via the webhook add-on using unprotected fetch_url...

CVSS 4.1 | AI score 5.8 | EPSS 0.00275
Exploits 0 | References 3
OSV
added 2026/04/16 8:45 p.m. | 4 views

GHSA-F8HV-G549-HWG2 Weblate: SSRF via the webhook add-on using unprotected fetch_url()

Impact The webhook add-on did not utilize existing SSRF protection. Patches https://github.com/WeblateOrg/weblate/pull/18815 Workarounds Disabling the add-on would avoid misusing this. References Thanks to @Lihfdgjr for reporting this via GitHub...

CVSS 4.1 | AI score 5.8 | EPSS 0.00275
Exploits 0 | References 5
OSV
added 2026/04/16 8:41 p.m. | 9 views

GHSA-MQPH-7H49-HQFM Weblate: JavaScript localization CDN add-on allows arbitrary local file read outside the repository

Impact The translation memory API exposed unintended endpoints, which in turn didn't do proper access control. Patches https://github.com/WeblateOrg/weblate/pull/18516 Workarounds The CDN add-on is not enabled by default. References Thanks to @spbavarva for reporting this responsibly via GitHub...

CVSS 6.8 | AI score 5.8 | EPSS 0.00323
Exploits 0 | References 5
EUVD
added 2026/04/16 6:31 a.m. | 3 views

EUVD-2026-23186

The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on t...

CVSS 7.5 | AI score 5.9 | EPSS 0.00489
Exploits 0 | References 8
Cvelist
added 2026/04/16 5:29 a.m. | 31 views

CVE-2026-3599 Riaxe Product Customizer <= 2.1.2 - Unauthenticated SQL Injection via 'options' Parameter Keys in product_data

The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on t...

CVSS 7.5 | EPSS 0.00489
Exploits 0 | References 7
ATTACKERKB
added 2026/04/16 5:29 a.m. | 1 view

CVE-2026-3599

The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on t...

CVSS 7.5 | AI score 5.9 | EPSS 0.00489
Exploits 0 | References 8
Vulnrichment
added 2026/04/16 5:29 a.m. | 2 views

CVE-2026-3599 Riaxe Product Customizer <= 2.1.2 - Unauthenticated SQL Injection via 'options' Parameter Keys in product_data

The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on t...

CVSS 7.5 | AI score 5.9 | EPSS 0.00489
Exploits 0 | References 7
Github Security Blog
added 2026/04/16 12:54 a.m. | 7 views

ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature

ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests t...

CVSS 6.8 | AI score 5.9 | EPSS 0.00385
Exploits 0 | References 5 | Affected Software 1
OSV
added 2026/04/16 12:54 a.m. | 2 views

GHSA-GMWR-9J4P-96VM ProcessWire: server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature

ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests t...

CVSS 6.8 | AI score 5.9 | EPSS 0.00385
Exploits 0 | References 5
Snyk
added 2026/04/16 12:47 a.m. | 6 views

CRLF Injection

Overview: froxlor/froxlor is server administration software. Affected versions of this package are vulnerable to CRLF Injection via the DomainZones::add process. An attacker can inject arbitrary DNS records and BIND directives into zone files by submitting crafted DNS record types and content...

CVSS 8.5 | AI score 5.8 | EPSS 0.00347
Exploits 1 | References 2
OSV
added 2026/04/16 12:47 a.m. | 3 views

GHSA-47HF-23PW-3M8C Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()

Summary: DomainZones::add accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., NAPTR, PTR, HINFO), content validation is entirely bypassed. Embedded...

CVSS 8.5 | AI score 5.9 | EPSS 0.00347
Exploits 1 | References 5