SUSE CVE-2026-11789

A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication...

EUVD-2026-36380

Improper state verification in the OAuth implementation could allow an attacker to manipulate the authentication flow and cause a victim’s account to be linked to an attacker-controlled account. This can result in unauthorized account linking and potential account takeover...

CVE-2026-48611

Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations...

CVE-2026-48611

CVE-2026-48611 describes improper authentication checks in an OAuth implementation that can allow account hijacking even when OAuth is not configured or enabled, leading to unauthorized access in default installations. The public records do not specify targeted products, versions, vendor names, o...

CVE-2026-48611

Improper authentication checks in the OAuth implementation allow account hijacking even when OAuth is not configured or enabled leading to unauthorized access in default installations...

CVE-2026-11933 Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript for example, via $where or $function can cause the server to access...

CVE-2026-11933

Technical details (affected products, versions, root cause, and remediation) are not publicly available in the provided documents. Please monitor for updates.

Post-authentication use-after-free in server-side JavaScript BSON-to-array conversion

A use-after-free vulnerability exists in MongoDB Server's server-side JavaScript engine when converting BSON documents to JavaScript arrays. An authenticated user with read privileges who is able to run server-side JavaScript for example, via $where or $function can cause the server to access...

PT-2026-48947

Name of the Vulnerable Software and Affected Versions SimpleHelp versions 5.5.15 and earlier SimpleHelp 6.0 pre-release versions Description An authentication bypass exists in the OIDC OpenID Connect authentication flow. When OIDC authentication is configured, identity tokens submitted during log...

PT-2026-48958

Name of the Vulnerable Software and Affected Versions Naxclow affected versions not specified Description The platform API that returns device relay registration details fails to verify if the requester is the legitimate device or owner, exposing a persistent credential. An actor capable of...

PT-2026-48906

The Aqara Cloud Developer Portal developer.aqara.com issued a developer token to any email address supplied by the attacker. This is an instance of "CWE-306: Missing Authentication for Critical Function" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 6.5 Medium. When...

PT-2026-48940

Mattermost versions 11.6.x = 11.6.1, 11.5.x = 11.5.4, 10.11.x = 10.11.15 fail to sanitize the Remote Cluster API response on PATCH operations, which allows authenticated users with the manage secure connections permission to obtain remote cluster authentication tokens via a PATCH request to the...

Linux Distros Unpatched Vulnerability : CVE-2026-9742

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When OIDC authentication is enabled in configuration, clients may set specific values in the mechanism parameter of the authenticate command that lead to server...

PT-2026-48855

The iRM-IEI Remote Management developed by IEI Integration Corp has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to exploit a specific functionality to obtain partial system configuration information...

PT-2026-49051

Allegra exportReport Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Allegra. Authentication is required to exploit this vulnerability. The specific flaw exists within the...

PT-2026-49007

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description An authorization flaw exists in the object add/edit handling. An authenticated user with object editing permissions can assign a MISP object, or attributes within an object, to a sharing group...

PT-2026-49057

Name of the Vulnerable Software and Affected Versions Fleet affected versions not specified Description An issue in the Apple MDM commands listing endpoint allows authenticated users with the Observer role to extract sensitive data from joined database tables, such as host enrollment secrets and...

PT-2026-48963

Name of the Vulnerable Software and Affected Versions Actual Budget sync-server versions prior to 26.5.0 Description The POST /openid/config endpoint exposes the complete OpenID Connect configuration, which includes the OAuth2 client secret. This information is accessible to any user who possesse...

PT-2026-49043

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.7 Description An issue exists in the retry endpoint checks where hostname validation allows matching hostname prefixes instead of requiring exact hostnames. This allows attackers to craft a hostname prefix tha...

PT-2026-48931

Name of the Vulnerable Software and Affected Versions chisel affected versions not specified Description Authenticated clients can bypass Access Control List ACL restrictions defined via the --authfile parameter to tunnel traffic to arbitrary destinations reachable from the server. While the serv...